The first - and most high-end - of a new range of Sniffer products from McAfee offshoot Network General has been released.

Infinistream 2.0 is a £50,000 appliance which captures Gigabit data at wirespeed and streams it to 4TB of hard disk. Data can then be retrieved and filtered for Sniffer analysis, allowing it to be used to hunt down intermittent problems, as well as providing a view of enterprise network performance over time. It is based on Linux instead of Windows.

"It's a new way to think about network analysis," says Nancy Blair, Network General's product management and marketing VP. "It allows you to go back in time and find the relevant packets - it's easy to store data, the problem is to pull out the bits you want."

For example, Infinistream could show information such as packets and network use on a Gigabit link, allowing you to highlight spikes and extract that data for deeper analysis, she says. "If you can't find it there, we'll let you go down further, for example to individual IP addresses or VLANs, see their trends and look for spikes."

Douglas Smith, president of rival developer Network Instruments, acknowledges that Infinistream's 4TB trumps his $25,000 2TB Gigastor probe - at least until the latter gets sixteen 250GB hard drives this summer. "Is 4TB better than 2TB? Sure, and 8TB is better than 4TB - it increases the window you can look at, and as drive prices come down that capacity will go up," he says.

However, he questions how widespread the need for forensic technology is: "We developed Gigastor for a very small market niche. We've seen Network General pushing Infinistream 2.0 to everyone, but my question to customers is do you really need this? These things are really expensive compared to standard Gigabit probes."

Nancy Blair is confident though, saying that the focus on time is vital. "Capture will become standard," she says, "but it's what you do with what you capture that's important, for example you could run it through a network policy engine to look for exceptions."

She says Infinistream's Linux-based technology will be extended up and down the product line, and that over the next three to five years it will replace several of today's Windows-based Sniffer tools, such as Sniffer Distributed.

"Our customers are driving us to a more secure platform than Microsoft - some, such as some banking organisations, are taking anything Microsoft off their network," she adds. "Also, Sniffer Distributed is an older product, it has been renewed but if you bolted 4TB of storage onto it, it wouldn't perform as well."

The technology behind Infinistream is DragNet, a network forensics tool developed by Traxess of Utah, which Network Associates acquired in 2002. Network Associates built Sniffer code into DragNet and renamed it, and is now in the process of adding more features. The next release of Infinistream should have WAN support, and Blair says future versions will also gain some of the application performance capabilities of Network General's Appera family.