Thanks, Extrahop, for the validation

Posted November 8th, 2012 by Spencer Greene

We’ve written before about the difference between prevention, detection, response and root-cause.  In a nutshell: in-line devices like firewalls and WAN optimization boxes prevent bad stuff from happening; fault management, APM and SEM tools detect when bad stuff happens despite your best efforts; and then when a detection tool alerts that something is unusual, IT professionals have to do something about it – with a quick response, ideally followed by a full root cause analysis & permanent corrective action.

Some of the issues that detection tools alert on are obvious; many are not. So a very common approach to resolving them is to guess at what the cause might be, then make a change you hope will fix it. If the problem goes away, you still have to work out whether it went away because of your fix or just by coincidence. Chronic and intermittent issues are particularly hard to deal with this way, because the only way to confirm the guess is to wait for the next recurrence.

Endace customers, by contrast, don't have to guess or run experiments: they can consult their network history, which includes full packet capture, metadata, indexing and search capability, and prove conclusively why an issue happened, so it can be definitively resolved. Adding a network history layer reduces time to resolution (TTR), often by 50% or more, which reduces downtime, increases SLA compliance, and lightens the load on network and security operations teams. Endace intelligent network recorders are deployed by organizations that recognize that "stuff happens" and want to be prepared to respond when it does.

Now Extrahop, an APM company, has acknowledged this point by introducing packet capture into their product.  They quote Gartner analyst Will Cappelli in their press release saying “packet capture is a tried-and-true method of analyzing the root cause of network and application issues.”  They also say in their release that “IT teams often must wait for the problem to occur again before they can capture the packets needed to pinpoint the problem.”  Both of which are 100% dead-on right.  Best-practice shops avoid the second issue by doing continuous capture at important aggregation points, so they have data when they need it.

Where they're mostly wrong, though, is in claiming that packet capture requires engineers to "spend hours if not days digging through gigabytes of data to find the problem." That is probably true of some products out there. But with EndaceVision, our network history navigation and search software, analysts can navigate through days' worth of network history in seconds. That matters because the real value of network history comes from the ability to zoom in and out and to pivot across different dimensions, for example: "what was this same user doing yesterday?" or "was anyone else talking on this same network port around the same time?"
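As an added illustration (not code from this post, from Endace or from EndaceVision) of what "navigating" network history with indexes and pivots means in practice: the block below builds a small in-memory index over constructed flow records and answers the two questions quoted above, plus a coarse zoom (bytes per hour for one host). The class and function names, the record layout and the sample addresses are all assumptions made for this example; a real recorder indexes full packet payloads, not just flow metadata, but the pivots are the same.

```python
"""Added illustration (not Endace/EndaceVision code): a minimal indexed network
history over constructed flow records, supporting the two pivots the post names.
Names, record layout and sample data are assumptions made for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records, not captured traffic:
# (timestamp, src, dst, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    ("2012-11-07 09:15:00", "10.0.1.20", "10.0.2.5", 445, "tcp", 120000),
    ("2012-11-07 09:16:30", "10.0.1.20", "10.0.2.9", 443, "tcp", 3400),
    ("2012-11-08 09:14:10", "10.0.1.20", "10.0.2.5", 445, "tcp", 98000),
    ("2012-11-08 09:14:55", "10.0.1.31", "10.0.2.5", 445, "tcp", 1500),
    ("2012-11-08 09:15:20", "10.0.1.52", "10.0.2.7", 22, "tcp", 2100),
    ("2012-11-08 09:40:00", "10.0.1.44", "10.0.2.5", 445, "tcp", 700),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


class NetworkHistory:
    """Flow records kept in capture order plus two secondary indexes (host, dst port)."""

    def __init__(self, records):
        self.flows = []
        self.by_host = defaultdict(list)  # ip -> positions in self.flows
        self.by_port = defaultdict(list)  # dst port -> positions in self.flows
        for ts, src, dst, dport, proto, nbytes in records:
            pos = len(self.flows)
            self.flows.append({"ts": _parse(ts), "src": src, "dst": dst,
                               "dport": dport, "proto": proto, "bytes": nbytes})
            for host in {src, dst}:       # a set, so src == dst is indexed once
                self.by_host[host].append(pos)
            self.by_port[dport].append(pos)

    def host_activity(self, host, start, end):
        """Every flow the host took part in, as source or destination, in [start, end)."""
        return [self.flows[i] for i in self.by_host.get(host, [])
                if start <= self.flows[i]["ts"] < end]

    def same_host_yesterday(self, host, when):
        """Pivot 1: what was this host doing on the calendar day before 'when'?"""
        midnight = when.replace(hour=0, minute=0, second=0, microsecond=0)
        return self.host_activity(host, midnight - timedelta(days=1), midnight)

    def peers_on_port(self, port, when, window=timedelta(minutes=5), exclude=None):
        """Pivot 2: which other sources spoke to this destination port within +/- window?"""
        hits = [self.flows[i] for i in self.by_port.get(port, [])
                if abs(self.flows[i]["ts"] - when) <= window]
        return sorted({f["src"] for f in hits if f["src"] != exclude})

    def volume_timeline(self, host, start, end, bucket):
        """Zoom: bytes per time bucket for a host, keyed by bucket start (ISO string)."""
        totals = defaultdict(int)
        for f in self.host_activity(host, start, end):
            n = (f["ts"] - start) // bucket          # timedelta // timedelta -> int
            totals[(start + n * bucket).isoformat()] += f["bytes"]
        return dict(totals)


def investigate(alert_ts="2012-11-08 09:14:10", host="10.0.1.20", port=445):
    """Walk the pivots an analyst would take from one alert; returns plain values."""
    history = NetworkHistory(SAMPLE_FLOWS)
    when = _parse(alert_ts)
    yesterday = history.same_host_yesterday(host, when)
    day_start = when.replace(hour=0, minute=0, second=0, microsecond=0)
    return {
        "yesterday_ports": sorted({f["dport"] for f in yesterday}),
        "yesterday_flows": len(yesterday),
        "others_on_port": history.peers_on_port(port, when, exclude=host),
        "hourly_bytes": history.volume_timeline(host, day_start,
                                                day_start + timedelta(days=1),
                                                timedelta(hours=1)),
    }


if __name__ == "__main__":
    for key, value in investigate().items():
        print(key, value)
```

The point of the secondary indexes is that each pivot touches only the records for one host or one port, not the whole archive; that is the difference between answering "who else was on port 445 around 09:14?" in seconds and grepping through gigabytes. The same structure generalizes to any dimension you want to pivot on (VLAN, application, TLS SNI), at the cost of one more index per dimension.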

We’re really glad that Extrahop has jumped on the packet-capture bandwagon.  Once you discover the frustration of their poor-man’s packet capture, which shows a tiny amount of context with darkness all around, we invite you to take the MAX challenge — and see how much better your life can be with full visibility.