The light at the end of the fiber is an oncoming train
There’s a potential problem looming with “always-on” packet capture: bandwidth is growing faster than processing power. In this article, I’ll look at the trends that show the upcoming doom, as well as potential ways to avoid the problem, assuming that we re-think when and how to do packet capture.
The purpose of always-on capture is to record all packets on one or more links as insurance against problems. This technique is especially valued in network security, to answer the questions of “how did they get in” and “what did they do.” On TV cop dramas, they review the security camera footage; on a network, they review the packet capture. To protect against dropping packets, many appliances include “capture cards” – but regardless of the appliance, all real-time analysis happens in the CPU, and that’s going to become a problem.
Moore’s Law predicts that CPU power can double every 18 months. That growth enables each new appliance to capture and analyze more traffic. More traffic also requires more storage. Kryder’s Law estimates that storage density doubles every 12 months. The problem is that traffic speed grows faster than either CPU or storage: Butter’s Law of Photonics observes that optical network capacity can double in only 9 months.
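To put numbers on that gap, here is an added capacity-planning sketch (not code from the original article) that turns the three doubling periods above into how fast traffic outruns CPU and storage, and how long a capture appliance's headroom lasts. It assumes each law holds as a steady exponential and that the appliance is refreshed at constant cost; the 4x headroom and 30-day retention figures are constructed sample inputs.

```python
import math

# Doubling periods in months, as stated in the article.
CPU_DOUBLING = 18      # Moore's Law
STORAGE_DOUBLING = 12  # Kryder's Law
TRAFFIC_DOUBLING = 9   # Butter's Law of Photonics


def gap_doubling_months(traffic_period, resource_period):
    """Months for traffic to double relative to a resource (inf if it never does)."""
    rate = 1 / traffic_period - 1 / resource_period  # net doublings per month
    return math.inf if rate <= 0 else 1 / rate


def months_until_saturated(headroom, traffic_period, resource_period):
    """Months until traffic growth consumes `headroom` (capacity / current load)."""
    if headroom <= 1:
        return 0.0  # already at or over capacity: packets are being dropped today
    return math.log2(headroom) * gap_doubling_months(traffic_period, resource_period)


def retention_days(initial_days, months,
                   traffic_period=TRAFFIC_DOUBLING, storage_period=STORAGE_DOUBLING):
    """Days of capture that same-cost storage holds after `months` of growth."""
    return initial_days * 2 ** (months / storage_period - months / traffic_period)


if __name__ == "__main__":
    cpu_gap = gap_doubling_months(TRAFFIC_DOUBLING, CPU_DOUBLING)
    disk_gap = gap_doubling_months(TRAFFIC_DOUBLING, STORAGE_DOUBLING)
    print(f"traffic doubles relative to CPU every {cpu_gap:.0f} months")
    print(f"traffic doubles relative to storage every {disk_gap:.0f} months")

    # Constructed scenario: an appliance whose CPU can analyze 4x today's
    # traffic and whose disks hold 30 days of packets.
    headroom, days = 4, 30
    t = months_until_saturated(headroom, TRAFFIC_DOUBLING, CPU_DOUBLING)
    print(f"{headroom}x CPU headroom is gone after {t:.0f} months")
    print(f"by then {days} days of retention has shrunk to "
          f"{retention_days(days, t):.0f} days")
```

The saturation time grows only with the logarithm of the headroom, so doubling the spare CPU capacity buys just one more 18-month gap period rather than doubling the appliance's useful life.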