Wire data

Last updated June 23, 2024

Wire data or wire image is the information that passes over computer and telecommunication networks defining communications between client and server devices. It is the result of decoding wire and transport protocols containing the bi-directional data payload. More precisely, wire data is the information that is communicated in each layer of the OSI model (Layer 1 not being included because those protocols are used to establish connections and do not communicate information).

Relevance

Wire data is the observed behavior and communication between networked elements which is an important source of information used by IT operations staff to troubleshoot performance issues, create activity baselines, detect anomalous activity, investigate security incidents, and discover IT assets and their dependencies.

According to a March 2016 research note from American IT research and advisory firm Gartner, wire data will play a more important role than machine data for analytics in the future: "While log data will certainly have a role in future monitoring and analytics, it is wire data—radically rethought and used in new ways—that will prove to be the most critical source of data for availability and performance management over the next five years."^[1]

Real-time wire data streams are also important sources of data for business and operational intelligence teams. In these types of scenarios, wire data is used to measure order transactions for real-time reporting on transaction volume, success, and failure rates; tracking patient admission rates at hospitals; as well as reporting on the weights and measures of airplanes prior to take-off.

Distinction between wire data and system self-reported data

Wire data is distinct from machine-generated data, which is system self-reported information typically in the form of logs sourced from elements like network routers, servers, and other equipment. Unlike those forms of machine-generated data, which are dependent on the logging configurations of those devices, wire data is defined by wire and transport protocols. There is a small amount of overlap between wire data and machine-generated data but also significant differences. For example, web server logs typically record HTTP status code 200 responses, indicating that a web page was served to a client. However, web servers do not log the transaction payload and so would not be able to show which HTTP status code 200 responses were for pages with a “service unavailable” message. That information is contained in the wire data or transaction payload and is not logged by the server.

Examples of information derived from wire data

Structured transactional data passed over HTTP, including information encoded using SOAP/XML
SQL transaction details, such as errors, methods used, and stored procedures executed
Unique customer IDs, handset type, and credit-control details defined by AVPs and commands contained in Diameter transactions
Cross-tier (web, database, storage, etc.) transaction metrics parsed by unique session IDs or other GUID
Correlation of network transfer time and server processing time
TCP mechanisms such as Nagle delays and throttling
HTTP metadata including user-agent, session ID, status code, and IP address
HTTP page content including page title, user ID, and transaction values

Methods of analyzing wire data

Traditional methods of capturing and analyzing wire data include offline network packet analyzers. Newer approaches receive a copy of network traffic from a port mirror (SPAN) or network tap and reassemble those packets into full per-client sessions and transaction streams, analyzing the entire transaction payload in real time and generating metadata on those transactions without storing the actual packets.^[2]

Bibliography

Will Cappelli, Gartner: "Use Data- and Analytics-Centric Processes With a Focus on Wire Data to Future-Proof Availability and Performance Management," March 2016
Will Cappelli, Gartner: “Data Growth Demands a Single, Architected IT Operations Analytics Platform,” September 2013
Will Cappelli, Gartner: “How ITOA Relates to Other Analytics-Driven Disciplines,” November 2013

Related Research Articles

The Session Initiation Protocol (SIP) is a signaling protocol used for initiating, maintaining, and terminating communication sessions that include voice, video and messaging applications. SIP is used in Internet telephony, in private IP telephone systems, as well as mobile phone calling over LTE (VoLTE).

The Transmission Control Protocol (TCP) is one of the main protocols of the Internet protocol suite. It originated in the initial network implementation in which it complemented the Internet Protocol (IP). Therefore, the entire suite is commonly referred to as TCP/IP. TCP provides reliable, ordered, and error-checked delivery of a stream of octets (bytes) between applications running on hosts communicating via an IP network. Major internet applications such as the World Wide Web, email, remote administration, and file transfer rely on TCP, which is part of the Transport layer of the TCP/IP suite. SSL/TLS often runs on top of TCP.

In computer networking, IP address spoofing or IP spoofing is the creation of Internet Protocol (IP) packets with a false source IP address, for the purpose of impersonating another computing system.

A packet analyzer, also known as packet sniffer, protocol analyzer, or network analyzer, is a computer program or computer hardware such as a packet capture appliance that can analyze and log traffic that passes over a computer network or part of a network. Packet capture is the process of intercepting and logging traffic. As data streams flow across the network, the analyzer captures each packet and, if needed, decodes the packet's raw data, showing the values of various fields in the packet, and analyzes its content according to the appropriate RFC or other specifications.

In computer networking, a proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource. It improves privacy, security, and performance in the process.

An intrusion detection system is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically either reported to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms.

A multilayer switch (MLS) is a computer networking device that switches on OSI layer 2 like an ordinary network switch and provides extra functions on higher OSI layers. The MLS was invented by engineers at Digital Equipment Corporation.

Deep packet inspection (DPI) is a type of data processing that inspects in detail the data being sent over a computer network, and may take actions such as alerting, blocking, re-routing, or logging it accordingly. Deep packet inspection is often used for baselining application behavior, analyzing network usage, troubleshooting network performance, ensuring that data is in the correct format, checking for malicious code, eavesdropping, and internet censorship, among other purposes. There are multiple headers for IP packets; network equipment only needs to use the first of these for normal operation, but use of the second header is normally considered to be shallow packet inspection despite this definition.

In computer networks, a tunneling protocol is a communication protocol which allows for the movement of data from one network to another. It can, for example, allow private network communications to be sent across a public network, or for one network protocol to be carried over an incompatible network, through a process called encapsulation.

The RapidIO architecture is a high-performance packet-switched electrical connection technology. It supports messaging, read/write and cache coherency semantics. Based on industry-standard electrical specifications such as those for Ethernet, RapidIO can be used as a chip-to-chip, board-to-board, and chassis-to-chassis interconnect.

Web analytics is the measurement, collection, analysis, and reporting of web data to understand and optimize web usage. Web analytics is not just a process for measuring web traffic but can be used as a tool for business and market research and assess and improve website effectiveness. Web analytics applications can also help companies measure the results of traditional print or broadcast advertising campaigns. It can be used to estimate how traffic to a website changes after launching a new advertising campaign. Web analytics provides information about the number of visitors to a website and the number of page views, or creates user behavior profiles. It helps gauge traffic and popularity trends, which is useful for market research.

Real-Time Messaging Protocol (RTMP) is a communication protocol for streaming audio, video, and data over the Internet. Originally developed as a proprietary protocol by Macromedia for streaming between Flash Player and the Flash Communication Server, Adobe has released an incomplete version of the specification of the protocol for public use.

Capacity management's goal is to ensure that information technology resources are sufficient to meet upcoming business requirements cost-effectively. One common interpretation of capacity management is described in the ITIL framework. ITIL version 3 views capacity management as comprising three sub-processes: business capacity management, service capacity management, and component capacity management.

Catalogue Service for the Web (CSW), sometimes seen as Catalogue Service - Web, is a standard for exposing a catalogue of geospatial records in XML on the Internet. The catalogue is made up of records that describe geospatial data, geospatial services, and related resources.

In the fields of information technology and systems management, application performance management (APM) is the monitoring and management of the performance and availability of software applications. APM strives to detect and diagnose complex application performance problems to maintain an expected level of service. APM is "the translation of IT metrics into business meaning ."

Intrusion detection system evasion techniques are modifications made to attacks in order to prevent detection by an intrusion detection system (IDS). Almost all published evasion techniques modify network attacks. The 1998 paper Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection popularized IDS evasion, and discussed both evasion techniques and areas where the correct interpretation was ambiguous depending on the targeted computer system. The 'fragroute' and 'fragrouter' programs implement evasion techniques discussed in the paper. Many web vulnerability scanners, such as 'Nikto', 'whisker' and 'Sandcat', also incorporate IDS evasion techniques.

In computing, Microsoft's Windows Vista and Windows Server 2008 introduced in 2007/2008 a new networking stack named Next Generation TCP/IP stack, to improve on the previous stack in several ways. The stack includes native implementation of IPv6, as well as a complete overhaul of IPv4. The new TCP/IP stack uses a new method to store configuration settings that enables more dynamic control and does not require a computer restart after a change in settings. The new stack, implemented as a dual-stack model, depends on a strong host-model and features an infrastructure to enable more modular components that one can dynamically insert and remove.

ngrep is a network packet analyzer written by Jordan Ritter. It has a command-line interface, and relies upon the pcap library and the GNU regex library.

SequoiaDB is a multi-model NewSQL database.

BlueTrace is an open-source application protocol that facilitates digital contact tracing of users to stem the spread of the COVID-19 pandemic. Initially developed by the Singaporean Government, BlueTrace powers the contact tracing for the TraceTogether app. Australia and the United Arab Emirates have already adopted the protocol in their gov apps, and other countries were considering BlueTrace for adoption. A principle of the protocol is the preservation of privacy and health authority co-operation.

References

↑ Cappelli, Will. "Use Data- and Analytics-Centric Processes With a Focus on Wire Data to Future-Proof Availability and Performance Management". Gartner. Retrieved March 11, 2016.
↑ Patel, Zarna. "Morgan Stanley Turns To Wire Data". Wall Street & Technology. Retrieved March 14, 2014.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Cappelli, Will. "Use Data- and Analytics-Centric Processes With a Focus on Wire Data to Future-Proof Availability and Performance Management". Gartner. Retrieved March 11, 2016.

[2] Patel, Zarna. "Morgan Stanley Turns To Wire Data". Wall Street & Technology. Retrieved March 14, 2014.

[1]

[2]