Packet capture
Encyclopedia
Packet capture is the act of capturing data packets crossing a computer network
. Deep packet capture (DPC) is the act of capturing, at full network speed, complete network packets (header and payload) crossing a network with a high traffic rate. Once captured and stored, either in short-term memory or long-term storage, software tools can perform Deep packet inspection
(DPI) to review network packet data, perform forensics analysis to uncover the root cause of network problems, identify security threats, and ensure data communications and network usage complies with outlined policy. Some DPCs can be coupled with DPI and can as a result manage, inspect, and analyze all network traffic in real-time at wire speeds while keeping a historical archive of all network traffic for further analysis.
Partial packet capture can record headers without recording the total content of datagrams. This can reduce storage requirements, and avoid legal problems, but yet have enough data to reveal the essential information required for problem diagnosis.
on up (layers 2-7) of the OSI model
. This includes headers and payload. Headers include information about what is contained in the packet and could be synonymous to an address or other printed information on the outside of an envelope. The payload includes the actual content of the packet and therefore synonymous to the contents of the envelope. Complete capture encompasses every packet that crosses a network segment, regardless of source, protocol or other distinguishing bits of data in the packet. Complete capture is the unrestricted, unfiltered, raw capture of all network packets.
, MAC address
, etc. With the application of filters, only complete packets that meet the criteria of the filter (header and payload) are captured, diverted, or stored.
Many deep packet inspection tools rely on real-time inspection of data as it crosses the network, using known criteria for analysis. DPI tools make real-time decisions on what to do with packet data, perform designated analysis and act on the results. If packets are not stored after capture, they may be flushed away and actual packet contents are no longer available. Short-term capture and analysis tools can typically detect threats only when the triggers are known in advance but can act in real-time.
Historical capture and analysis stores all captured packets for further analysis, after the data has already crossed the network. As DPI and analysis tools deliver alerts, the historical record can be analyzed to apply context to the alert, answering the question “what happened leading up to, and after, the alert?”
.
(LEA) to produce all network traffic generated by an individual. Internet service provider
s and VoIP providers in the United States of America must comply with CALEA (Communications Assistance for Law Enforcement Act
) regulations. Deep Packet Capture provides a record of all network activities. Using packet capture and storage, telecommunications carriers can provide the legally required secure and separate access to targeted network traffic and are able to use the same device for internal security purposes. DPC probes can provide lossless capture of target traffic without compromising network performance. However DPC appliances may be unable to provide chain of evidence audit logs, or satisfactory security for use in this application. Collection of data from a carrier system without a warrant is illegal due to laws about interception.
Packet capturing for forensic investigations
can also be performed reliably with free open source tools and systems, such as FreeBSD and dumpcap.
Computer network
A computer network, often simply referred to as a network, is a collection of hardware components and computers interconnected by communication channels that allow sharing of resources and information....
. Deep packet capture (DPC) is the act of capturing, at full network speed, complete network packets (header and payload) crossing a network with a high traffic rate. Once captured and stored, either in short-term memory or long-term storage, software tools can perform Deep packet inspection
Deep packet inspection
Deep Packet Inspection is a form of computer network packet filtering that examines the data part of a packet as it passes an inspection point, searching for protocol non-compliance, viruses, spam, intrusions or predefined criteria to decide if the packet can...
(DPI) to review network packet data, perform forensics analysis to uncover the root cause of network problems, identify security threats, and ensure data communications and network usage complies with outlined policy. Some DPCs can be coupled with DPI and can as a result manage, inspect, and analyze all network traffic in real-time at wire speeds while keeping a historical archive of all network traffic for further analysis.
Partial packet capture can record headers without recording the total content of datagrams. This can reduce storage requirements, and avoid legal problems, but yet have enough data to reveal the essential information required for problem diagnosis.
Filtering
Packet capture can either capture the entire data stream or capture a filtered portion of stream.Complete capture
Packet capture has the ability to capture packet data from the data link layerData link layer
The data link layer is layer 2 of the seven-layer OSI model of computer networking. It corresponds to, or is part of the link layer of the TCP/IP reference model....
on up (layers 2-7) of the OSI model
OSI model
The Open Systems Interconnection model is a product of the Open Systems Interconnection effort at the International Organization for Standardization. It is a prescription of characterizing and standardizing the functions of a communications system in terms of abstraction layers. Similar...
. This includes headers and payload. Headers include information about what is contained in the packet and could be synonymous to an address or other printed information on the outside of an envelope. The payload includes the actual content of the packet and therefore synonymous to the contents of the envelope. Complete capture encompasses every packet that crosses a network segment, regardless of source, protocol or other distinguishing bits of data in the packet. Complete capture is the unrestricted, unfiltered, raw capture of all network packets.
Filtered capture
Packet capture devices may have the ability to limit capture of packets by protocol, IP addressIP address
An Internet Protocol address is a numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication. An IP address serves two principal functions: host or network interface identification and location addressing...
, MAC address
MAC address
A Media Access Control address is a unique identifier assigned to network interfaces for communications on the physical network segment. MAC addresses are used for numerous network technologies and most IEEE 802 network technologies, including Ethernet...
, etc. With the application of filters, only complete packets that meet the criteria of the filter (header and payload) are captured, diverted, or stored.
Historical capture and analysis
Once data is captured, it can be analyzed right away or stored and analyzed later.Many deep packet inspection tools rely on real-time inspection of data as it crosses the network, using known criteria for analysis. DPI tools make real-time decisions on what to do with packet data, perform designated analysis and act on the results. If packets are not stored after capture, they may be flushed away and actual packet contents are no longer available. Short-term capture and analysis tools can typically detect threats only when the triggers are known in advance but can act in real-time.
Historical capture and analysis stores all captured packets for further analysis, after the data has already crossed the network. As DPI and analysis tools deliver alerts, the historical record can be analyzed to apply context to the alert, answering the question “what happened leading up to, and after, the alert?”
Identifying security breaches
Analysis of historical data captured with DPC assists in pinpointing the source of the intrusion. DPC can capture network traffic accessing certain servers and other systems to verify that the traffic flows belong to authorized employees. However this technique cannot function as an intrusion prevention system.Identifying data leakage
Analyzing historical data flows captured with DPC assists in content monitoring and identifying data leaks and pinpointing their source. Analysis of DPC data can also reveal what files that have been sent out from the network.Network Troubleshooting
If an adverse event is detected on a network, its cause or source can be more reliably determined if the administrator has access to complete historical data. DPC can capture all packets on important network links continuously. When an event happens, a network administrator can then assess the exact circumstances surrounding a performance event, take corrective action, and ensure that the problem will not reoccur. This helps reduce the Mean Time To RepairMean time to repair
Mean time to repair is a basic measure of the maintainability of repairable items. It represents the average time required to repair a failed component or device. Expressed mathematically, it is the total corrective maintenance time divided by the total number of corrective maintenance actions...
.
Lawful intercept
Packet capture can be used to fulfill a warrant from a law enforcement agencyLaw enforcement agency
In North American English, a law enforcement agency is a government agency responsible for the enforcement of the laws.Outside North America, such organizations are called police services. In North America, some of these services are called police while others have other names In North American...
(LEA) to produce all network traffic generated by an individual. Internet service provider
Internet service provider
An Internet service provider is a company that provides access to the Internet. Access ISPs directly connect customers to the Internet using copper wires, wireless or fiber-optic connections. Hosting ISPs lease server space for smaller businesses and host other people servers...
s and VoIP providers in the United States of America must comply with CALEA (Communications Assistance for Law Enforcement Act
Communications Assistance for Law Enforcement Act
The Communications Assistance for Law Enforcement Act is a United States wiretapping law passed in 1994, during the presidency of Bill Clinton...
) regulations. Deep Packet Capture provides a record of all network activities. Using packet capture and storage, telecommunications carriers can provide the legally required secure and separate access to targeted network traffic and are able to use the same device for internal security purposes. DPC probes can provide lossless capture of target traffic without compromising network performance. However DPC appliances may be unable to provide chain of evidence audit logs, or satisfactory security for use in this application. Collection of data from a carrier system without a warrant is illegal due to laws about interception.
Detecting data loss
In the event that an intrusion allowed information (credit card numbers, social security numbers, medical records, etc.) to be stolen, an administrator could verify exactly which information was stolen and which information was safe. This could be very helpful in the event of litigation or in the case of a credit card company receiving possibly fraudulent claims of unauthorized purchases on cards whose numbers were not compromised.Verifying security fixes
If an exploit or intrusion was monitored via DPC, a system administrator may replay that attack against systems which have been patched to prevent the attack. This will help the administrator know whether or not their fix worked.Forensics
Once an intrusion, virus, worm or other problem has been detected on a network, historical data may allow a system administrator to determine, conclusively, exactly how many systems were affected. All traffic or a selected segment on any given interface can be captured with a DPC appliance. Triggers can be set up to capture certain events or breaches. When an event triggers, the device can send e-mail notifications and SNMP traps. Once a particular attack or signature has been identified, every packet included in that event is available, both in raw packet form or accurately rendered in its original format.Packet capturing for forensic investigations
Network forensics
Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection. Unlike other areas of digital forensics, network investigations deal with volatile and...
can also be performed reliably with free open source tools and systems, such as FreeBSD and dumpcap.
Benchmarking performance
If performance suddenly takes a hit, the historical data allows an administrator to view a specific window of time and determine the cause of the performance issues.See also
- CapsaCapsaCapsa is the name for a family of packet analyzer developed by Colasoft for network administrators to monitor, troubleshoot and analysis wired & wireless networks...
- Intrusion detectionIntrusion detectionIn Information Security, intrusion detection is the act of detecting actions that attempt to compromise the confidentiality, integrity or availability of a resource. When Intrusion detection takes a preventive measure without direct human intervention, then it becomes an Intrusion-prevention...
- Logic analyzerLogic analyzerA logic analyzer is an electronic instrument which displays signals in a digital circuit. A logic analyzer may convert the captured data into timing diagrams, protocol decodes, state machine traces, assembly language, or correlate assembly with source-level software.Presently, there are three...
- NetwitnessNetwitnessNetWitness is a Reston, Virginia-based network security company that provides real-time network forensics and automated threat analysis solutions. It markets its flagship product NetWitness NextGen.-History:...
- Network tapNetwork tapA network tap is a hardware device which provides a way to access the data flowing across a computer network. In many cases, it is desirable for a third party to monitor the traffic between two points in the network. If the network between points A and B consists of a physical cable, a "network...
- NiksunNiksunNIKSUN, Inc. is a privately-held multinational corporation headquartered in Princeton, New Jersey,USA, that delivers real-time, forensics-based cybersecurity and performance solutions. NIKSUN was established in 1997 by Dr. Parag Pruthi...
NetDetector - OmniPeekOmniPeekOmniPeek is a packet analyzer software tool from WildPackets Inc.. It is used for network troubleshooting and protocol analysis. It supports a plugin API.- History :...
- OPNETOPNETOPNET Technologies, Inc. is a software business that provides performance analysis for computer networks and applications.The company was founded in 1986 and went public in 2000. It is headquartered in Bethesda, Maryland and has offices in Cary, North Carolina; Nashua, New Hampshire; Dallas,...
AppTransaction Xpert - Packet snifferPacket snifferA packet analyzer is a computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network or part of a network...
- Snort (software)Snort (software)Snort is a free and open source network intrusion prevention system and network intrusion detection system , created by Martin Roesch in 1998...
- WiresharkWiresharkWireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education...
(formerly known as Ethereal)