Network forensics is the capture, storage and analysis of network traffic. You might also hear it called "packet mining," "packet forensics," or "digital forensics." Regardless of the name, the concept is the same: the objective is to record every packet, and the data it contains, as it moves across the network, and to store it for some period of time. Simply put, this means having a network recorder that lets you see all emails, database queries, Web browsing activity, etc.
Good article, and I agree with all of your points. Just one comment occurred to me. You say "Real-time, deep packet inspection on 10Gig links is not currently, and may never be, an option".
There is a way actually. In systems we build for our customers, we use capture cards from Napatech which can load-balance a single 10Gig stream (on a flow basis, for example) across up to 32 CPU cores. The task of real-time DPI or other analysis at each of those cores is therefore scaled down substantially to under 1Gig, which is well within the scope of even software-based tools. Combining a sophisticated adapter such as the Napatech unit with the ever more powerful and lower cost multi-core servers available now means that real-time, line-rate 10Gig analysis is in fact both achievable and affordable right now.
Similar divide-and-conquer solution approaches are offered by other vendors in the market today also, as I'm sure you are aware.
Thanks for the article.
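The flow-based load balancing the comment describes, as an added illustration that is not the commenter's or Napatech's code: a symmetric 5-tuple hash sends both directions of a conversation to the same worker core, so each core's DPI sees whole flows at a fraction of the link rate. The packet records and the worker count are constructed assumptions.

```python
# Added example: flow-based load balancing of captured packets across worker cores.
# Illustrative code only, not a capture card's firmware; the packet records are
# constructed, and "worker" stands in for a CPU core running DPI on its share.
import hashlib
import ipaddress
from collections import defaultdict


def flow_key(src_ip, dst_ip, proto, src_port, dst_port):
    """Direction-independent 5-tuple: request and reply of one conversation
    produce the same key, so a worker always sees both halves (symmetric hash)."""
    a = (ipaddress.ip_address(src_ip).packed, src_port)
    b = (ipaddress.ip_address(dst_ip).packed, dst_port)
    lo, hi = sorted([a, b])  # order endpoints canonically, not by direction
    return (lo[0] + hi[0] + proto.to_bytes(1, "big")
            + lo[1].to_bytes(2, "big") + hi[1].to_bytes(2, "big"))


def worker_for(pkt, n_workers):
    """Map a packet to one of n_workers with a stable hash of its flow key."""
    digest = hashlib.blake2b(flow_key(*pkt), digest_size=4).digest()
    return int.from_bytes(digest, "big") % n_workers


def distribute(packets, n_workers):
    """Fan packets out into per-worker queues; each flow lands in exactly one."""
    queues = defaultdict(list)
    for pkt in packets:
        queues[worker_for(pkt, n_workers)].append(pkt)
    return dict(queues)


# Constructed sample: an HTTP request/response exchange and an unrelated DNS query.
# Tuple layout: (src_ip, dst_ip, ip_proto, src_port, dst_port)
SAMPLE_PACKETS = [
    ("10.0.0.5", "93.184.216.34", 6, 51234, 80),    # client -> server
    ("93.184.216.34", "10.0.0.5", 6, 80, 51234),    # server -> client, same flow
    ("10.0.0.5", "93.184.216.34", 6, 51234, 80),    # client -> server again
    ("10.0.0.7", "10.0.0.53", 17, 40001, 53),       # separate DNS flow
]

if __name__ == "__main__":
    for worker, queue in sorted(distribute(SAMPLE_PACKETS, 32).items()):
        print(f"worker {worker:2d}: {len(queue)} packet(s)")
```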