Heavy Networking 454: Analyzing Encrypted Traffic In The TLS 1.3 Era With ExtraHop (Sponsored)

Deep packet analysis at line rate is a complex claim. What do we mean when we say, “Deep”? Assuming we mean layer 7 payloads…which protocols? Some of them? All of them?
What if the packet is encrypted? What if we’re a dual-stacked IPv4 and IPv6 network?
And what do we mean when we say, “Line rate”? We’re at speeds of 400Gbps now. So, which lines are we talking, and how many of them?
By the way, if we’re analyzing packets at line rate, where are we keeping them? Do we have to build a massive storage array?
None of these problems are new, and the more data we put on the network, the more challenging line rate deep packet inspection becomes. Today we take a stab at it with our sponsor ExtraHop.
Our guest is Mike Ernst, VP of Sales Engineering at ExtraHop. Mike has promised to put his engineering hat on today and keep his inner salesperson in the background.
We discuss:

* Commercial tools vs. Wireshark
* The packet capture architecture required to get “every packet and transaction”
* ExtraHop’s appliance family
* How ExtraHop gets packets from the public cloud
* Real-time analysis vs. investigating stored packets
* Differences among flow data, telemetry, and full packet capture
* How ExtraHop deals with encrypted traffic
* Why an agent is required to decrypt TLS 1.3 traffic

Show Links:

* ExtraHop
* ExtraHop.com/packetpushers
* Follow ExtraHop on Twitter

About the Podcast

Heavy Networking is an unabashedly nerdy dive into all things networking. Described by one listener as "verbal white papers," the weekly episodes feature network engineers, industry experts, and vendors sharing useful information to keep your professional knowledge sharp and your career growing. Hosts Ethan Banks & Drew Conry-Murray cut through the marketing spin to explore what works—and what doesn't—in networking today, while keeping an eye on what's ahead for the industry. On air since 2010, Heavy Networking is the flagship show of the Packet Pushers podcast network.