Protocol analyzers: Who needs them, and how to choose one

Whether for an ad-hoc analysis of a problem or ongoing monitoring, a protocol analyzer can be a valuable tool for the security pro.


The complexity of a modern corporate network, with multiple physical locations, a cloud presence and even serverless applications, means that monitoring network activity requires a significant amount of planning and design. Part of that design effort begins in the initial evaluation phase, when you choose a protocol analysis suite.

Much of that selection comes down to the features most critical to your organization: the ability to act as an early warning system for attack methods old and new, using traditional analytics or machine learning; support for your corporate cloud presence; or the ability to perform forensic analysis after a confirmed attack.

What is a protocol analyzer?

Protocol analyzers are tools that let IT administrators and security teams capture network traffic and analyze the captured data to identify network problems or potentially malicious activity. The captured traffic can be inspected in real time by a technician for troubleshooting, watched by an alerting tool to identify active threats, or retained so that forensic analysis is possible if a breach is later discovered.

Modern networks deliver unicast traffic only along the path between client and server, for both performance and security reasons; this is the key difference between a network switch and the hubs that were prevalent in the early days of computer networks, which repeated every frame to every port. It stops a casual attacker on a neighbouring port from passively reading your traffic (an attacker who can poison ARP caches or flood the switch's MAC table can still work around it), but it is only a minor hurdle for legitimate network analysis, since most of these tools integrate with network hardware or software sensors that can be placed strategically throughout the network. In most cases, a network administrator can simply configure a switched port analyzer (SPAN) session, which mirrors the traffic passing through selected source ports or VLANs to a single destination port where the sensor is attached. One caveat: mirroring is lower priority than forwarding, so a SPAN port silently drops packets when the mirrored volume exceeds the destination port's capacity; where complete capture matters, such as forensics or busy uplinks, a passive network TAP is the safer choice.
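To make the "capture, dissect, analyze" loop described above concrete, here is an added example in Python that is not part of the original article and does not represent any particular product. It writes and reads a classic little-endian libpcap file (pcapng is not handled), dissects Ethernet/IPv4/TCP headers, and runs one simple detection over the conversations: a source that sends bare SYNs to many ports on one host and gets few SYN/ACKs back is flagged as a probable port scanner. The capture bytes, the addresses, the port-count threshold and the scan heuristic are all constructed for illustration; IP and TCP checksums are left at zero, which a real analyzer would verify rather than ignore.

```python
"""Minimal protocol analyzer (added example, not from the article).
Constructed libpcap data -> Ethernet/IPv4/TCP dissection -> SYN-scan report."""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap, little-endian, microsecond timestamps
ETH_P_IP = 0x0800         # EtherType for IPv4
IPPROTO_TCP = 6
TCP_SYN, TCP_ACK = 0x02, 0x10


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Build an Ethernet/IPv4/TCP frame. Constructed test data: checksums are zero."""
    # sport, dport, seq, ack, data offset (5 words << 4), flags, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETH_P_IP))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a libpcap file: 24-byte global header, 16-byte record header per frame."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(data):
    """Yield (timestamp_sec, frame_bytes) from a little-endian classic libpcap capture."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported capture format (only little-endian libpcap handled)")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def dissect(frame):
    """Return the TCP 5-tuple plus flags for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4          # header length in bytes (options included)
    if ip[9] != IPPROTO_TCP:
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "flags": tcp[13]}


def find_scanners(pcap_bytes, min_ports=5):
    """Flag sources whose bare SYNs to >= min_ports distinct ports on one host drew no SYN/ACK.
    The threshold is an illustrative assumption, not a standard value."""
    syn_targets = defaultdict(set)   # (client, server) -> ports probed with a bare SYN
    answered = set()                 # (server, client, port) that replied SYN/ACK
    for _ts, frame in read_pcap(pcap_bytes):
        pkt = dissect(frame)
        if pkt is None:
            continue
        if pkt["flags"] == TCP_SYN:
            syn_targets[(pkt["src"], pkt["dst"])].add(pkt["dport"])
        elif pkt["flags"] == TCP_SYN | TCP_ACK:
            answered.add((pkt["src"], pkt["dst"], pkt["sport"]))
    report = {}
    for (client, server), ports in syn_targets.items():
        unanswered = {p for p in ports if (server, client, p) not in answered}
        if len(unanswered) >= min_ports:
            report[client] = {"target": server, "unanswered_ports": sorted(unanswered)}
    return report


def sample_capture():
    """Constructed capture: one normal handshake to 443, then a SYN sweep of ports 20-29
    from a third host, of which only port 22 answers."""
    a, b, s = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"
    frames = [
        build_tcp_frame(a, b, "10.0.0.5", "10.0.0.9", 40000, 443, TCP_SYN),
        build_tcp_frame(b, a, "10.0.0.9", "10.0.0.5", 443, 40000, TCP_SYN | TCP_ACK),
        build_tcp_frame(a, b, "10.0.0.5", "10.0.0.9", 40000, 443, TCP_ACK),
    ]
    frames += [build_tcp_frame(s, b, "10.0.0.66", "10.0.0.9", 50000 + p, p, TCP_SYN)
               for p in range(20, 30)]
    frames.append(build_tcp_frame(b, s, "10.0.0.9", "10.0.0.66", 22, 50022, TCP_SYN | TCP_ACK))
    return build_pcap(frames)


if __name__ == "__main__":
    print(find_scanners(sample_capture()))
```

Run as a script it reports 10.0.0.66 probing 10.0.0.9 on nine unanswered ports, while the completed handshake from 10.0.0.5 is not flagged. Feeding `read_pcap` a real capture taken from a SPAN port exercises the same code path, which is the point: once the bytes are in hand, the analysis is ordinary parsing and bookkeeping, and the hard part is getting a complete copy of the traffic in the first place.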
