Packet capture
From Wikipedia, the free encyclopedia
Packet capture is the act of capturing data packets crossing a network. Deep packet capture (DPC) is the act of capturing complete network packets (header and payload) crossing a network. Once captured and stored, either in short-term memory or long-term storage, software tools can perform deep packet inspection (DPI) to review network packet data, perform forensic analysis to uncover the root cause of network problems, identify security threats, and ensure that data communications and network usage comply with the outlined policy. Some DPC systems can be coupled with DPI and can, as a result, manage, inspect, and analyze all network traffic in real time at wire speed while keeping a historical archive of all network traffic for further analysis.[1]
Partial packet capture records packet headers without recording the full content of the datagrams. This reduces storage requirements and can avoid legal problems, while still retaining enough data to reveal the essential information required for problem diagnosis.
Filtering
Packet capture can either capture the entire data stream or capture a filtered portion.
Complete capture
Packet capture can record packet data from the data link layer up (layers 2 to 7 of the OSI model). This includes headers and payload. Headers contain information about what the packet carries and are analogous to the address and other printed information on the outside of an envelope; the payload is the actual content of the packet and is therefore analogous to the contents of the envelope. Complete capture encompasses every packet that crosses a network segment, regardless of source, protocol, or any other distinguishing bits of data in the packet. Complete capture is the unrestricted, unfiltered, raw capture of all network packets.
Filtered capture
DPC devices may be able to limit the capture of packets by protocol, IP address, MAC address, etc. When filters are applied, only the complete packets (header and payload) that meet the filter criteria are captured, diverted, or stored.
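The header/payload split, the partial capture of the opening section and the protocol/IP/MAC filter described above, as an added example that is not part of this article or of any product it mentions. It is pure-stdlib Python: the names build_frame, write_pcap, read_pcap, parse_frame, matches and capture are chosen here, the three frames in SAMPLE_FRAMES are constructed rather than captured, and the file layout written is the classic little-endian libpcap format. Partial capture is modelled the way capture tools usually do it, with a snapshot length (snaplen) that keeps only the first N bytes of each frame while recording its original length.

```python
import socket
import struct
from collections import namedtuple
from typing import Iterator, List, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap file, microsecond timestamps, little-endian
LINKTYPE_ETHERNET, ETHERTYPE_IPV4 = 1, 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17

# Decoded view of one captured frame; `truncated` is True when the snaplen cut bytes off.
Packet = namedtuple("Packet", "ts src_mac dst_mac src_ip dst_ip proto sport dport payload truncated")


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, payload) -> bytes:
    """Constructed Ethernet/IPv4/TCP-or-UDP frame for the sample set (checksums left at zero)."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    if proto == IPPROTO_TCP:   # ports, seq, ack, data offset 5 words, flags PSH|ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:                      # UDP: ports, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4


def write_pcap(frames: List[Tuple[float, bytes]], snaplen: int) -> bytes:
    """Serialise (timestamp, frame) pairs as a pcap file; each record keeps at most
    `snaplen` bytes (partial capture) but always notes the original frame length."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for ts, frame in frames:
        data, sec = frame[:snaplen], int(ts)
        out.append(struct.pack("<IIII", sec, int(round((ts - sec) * 1_000_000)),
                               len(data), len(frame)) + data)
    return b"".join(out)


def read_pcap(blob: bytes) -> Iterator[Tuple[float, int, bytes]]:
    """Yield (timestamp, original_length, captured_bytes) for every pcap record."""
    if struct.unpack_from("<I", blob, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    off = 24
    while off + 16 <= len(blob):
        sec, usec, incl_len, orig_len = struct.unpack_from("<IIII", blob, off)
        off += 16
        yield sec + usec / 1_000_000, orig_len, blob[off:off + incl_len]
        off += incl_len


def parse_frame(ts: float, orig_len: int, data: bytes) -> Optional[Packet]:
    """Decode the Ethernet/IPv4/L4 headers (the 'envelope') and split off the payload (the
    'contents'). Returns None for non-IPv4 frames or frames cut before the IP header ends."""
    if len(data) < 34 or struct.unpack_from("!H", data, 12)[0] != ETHERTYPE_IPV4:
        return None
    mac = lambda b: b.hex(":")
    ihl, proto = (data[14] & 0x0F) * 4, data[23]
    l4, sport, dport, payload = 14 + ihl, None, None, b""
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(data) >= l4 + 4:
        sport, dport = struct.unpack_from("!HH", data, l4)
        if proto == IPPROTO_TCP:   # TCP header length is in byte 12; assume 20 if it was cut off
            hdr = (data[l4 + 12] >> 4) * 4 if len(data) > l4 + 12 else 20
        else:
            hdr = 8
        payload = data[l4 + hdr:]
    return Packet(ts, mac(data[6:12]), mac(data[0:6]), socket.inet_ntoa(data[26:30]),
                  socket.inet_ntoa(data[30:34]), proto, sport, dport, payload, len(data) < orig_len)


def matches(pkt: Packet, proto=None, ip=None, mac=None) -> bool:
    """Capture filter of the kind the text describes: every criterion given must hold,
    and an IP or MAC address matches in either direction."""
    return ((proto is None or pkt.proto == proto)
            and (ip is None or ip in (pkt.src_ip, pkt.dst_ip))
            and (mac is None or mac.lower() in (pkt.src_mac, pkt.dst_mac)))


def capture(frames, snaplen: int = 65535, **criteria) -> List[Packet]:
    """Complete capture (default snaplen) or partial capture (small snaplen), optionally
    filtered; the frames round-trip through the pcap format on the way."""
    decoded = (parse_frame(*rec) for rec in read_pcap(write_pcap(frames, snaplen)))
    return [p for p in decoded if p is not None and matches(p, **criteria)]


# Constructed sample traffic (not a real capture): an HTTP exchange and a DNS query.
SAMPLE_FRAMES = [
    (1.0, build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", "10.0.0.5", "10.0.0.80",
                      IPPROTO_TCP, 40000, 80, b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n")),
    (1.5, build_frame("66:77:88:99:aa:bb", "00:11:22:33:44:55", "10.0.0.80", "10.0.0.5",
                      IPPROTO_TCP, 80, 40000, b"HTTP/1.1 200 OK\r\n\r\n<html>...</html>")),
    (2.0, build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", "10.0.0.5", "10.0.0.53",
                      IPPROTO_UDP, 51000, 53, b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 20)),
]

if __name__ == "__main__":
    for p in capture(SAMPLE_FRAMES, snaplen=64):   # partial capture with a 64-byte snaplen
        print(p.src_ip, p.sport, "->", p.dst_ip, p.dport, "truncated:", p.truncated, len(p.payload))
    print("UDP only:", [p.dport for p in capture(SAMPLE_FRAMES, proto=IPPROTO_UDP)])
```

With a 64-byte snaplen the decoder still recovers MAC addresses, IP addresses and ports for every frame but marks each one as truncated and keeps only the first few payload bytes, which is exactly the trade-off partial capture makes. Cut the snaplen below the end of the IP header and the frame can no longer be attributed to hosts at all, so a snaplen has to be chosen with the deepest header the analysis needs in mind.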
Historical capture and analysis
Once data is captured, it can be analyzed right away or stored and analyzed later.
Many deep packet inspection tools rely on real-time inspection of data as it crosses the network, using known criteria for analysis. DPI tools make real-time decisions on what to do with packet data, perform the designated analysis, and act on the results. If packets are not stored after capture, they are discarded and the actual packet contents are no longer available. Short-term capture and analysis tools can act in real time, but can typically detect threats only when the triggers are known in advance.
Historical capture and analysis stores all captured packets for further analysis, after the data has already crossed the network. As DPI and analysis tools deliver alerts, the historical record can be analyzed to apply context to the alert, answering the question “what happened leading up to, and after, the alert?”[2]
Use
Identifying security breaches
Analysis of historical data captured with DPC assists in pinpointing the source of the intrusion.[3] DPC can capture network traffic accessing certain servers and other systems to verify that the traffic flows belong to authorized employees.[4] However, this technique cannot function as an intrusion prevention system.
Identifying data leakage
Analyzing historical data flows captured with DPC assists in content monitoring and identifying data leaks and pinpointing their source.[5][6]
Network troubleshooting
If an adverse event is detected on a network, its cause or source can be determined more reliably if the administrator has access to complete historical data. DPC can capture all packets on important network links continuously. When an event happens, a network administrator can then assess the exact circumstances surrounding a performance event, take corrective action, and ensure that the problem will not recur.[7] This helps reduce the mean time to repair (MTTR).
Lawful intercept
Packet capture can be used to fulfill a warrant from a law enforcement agency (LEA) to produce all network traffic generated by an individual. Internet service providers and VoIP providers in the United States of America must comply with CALEA (Communications Assistance for Law Enforcement Act) regulations. Deep packet capture provides a record of all network activity.[3] Using packet capture and storage, telecommunications carriers can provide the legally required secure and separate access to targeted network traffic and are able to use the same device for internal security purposes. DPC probes can provide lossless capture of target traffic without compromising network performance.[8] However, DPC appliances may be unable to provide chain-of-evidence audit logs, or security that is satisfactory for this application. Collection of data from a carrier system without a warrant is illegal under interception laws.
Detecting data loss
In the event that an intrusion allowed information (credit card numbers, social security numbers, medical records, etc.) to be stolen, an administrator could verify exactly which information was stolen and which information was safe. This could be very helpful in the event of litigation, or in the case of a credit card company receiving possibly fraudulent claims of unauthorized purchases on cards whose numbers were not compromised.
Verifying security fixes
If an exploit or intrusion was monitored via DPC, a system administrator may replay that attack against systems which have been patched to prevent the attack. This will help the administrator know whether or not her fix worked.
Forensics
Once an intrusion, virus, worm or other problem has been detected on a network, historical data may allow a system administrator to determine, conclusively, exactly how many systems were affected.[3] All traffic, or a selected segment of it, on any given interface can be captured with a DPC appliance. Triggers can be set up to capture certain events or breaches. When an event triggers, the device can send e-mail notifications and SNMP traps. Once a particular attack or signature has been identified, every packet comprising that event is available, either in raw packet form or accurately rendered in its original format.[9]
Benchmarking performance
If performance suddenly takes a hit, the historical data allows an administrator to view a specific window of time and determine the cause of the performance issues.[3]
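The historical analysis the article describes in several places, as one added example that is not part of this article or of any vendor product it names: the "what happened leading up to, and after, the alert?" window of the historical capture section, the per-second view of a window that troubleshooting and benchmarking rely on, and the forensics section's retrieval of every packet comprising an event. The class and function names (HistoricalStore, flow_key, first_trigger, investigate, build_store) are chosen here; the records are constructed, not captured; 203.0.113.10 is a documentation address and the well-known test card number 4111111111111111 stands in for the kind of leaked content the data leakage and data loss sections talk about. Retention is modelled as a simple time horizon, which is an assumption of this example rather than how any particular appliance manages its archive.

```python
import bisect
from collections import Counter, namedtuple
from typing import Dict, List, Optional

# One decoded packet as a capture appliance would index it (constructed records below).
Record = namedtuple("Record", "ts src_ip sport dst_ip dport proto length payload")


def flow_key(r: Record):
    """Bidirectional 5-tuple: both directions of one conversation map to the same key."""
    return (r.proto, frozenset({(r.src_ip, r.sport), (r.dst_ip, r.dport)}))


class HistoricalStore:
    """Retains captured packets in timestamp order so that a window around an alert can be
    pulled back after the traffic has already crossed the network."""

    def __init__(self, retention_seconds: float) -> None:
        self.retention = retention_seconds
        self._recs: List[Record] = []
        self._ts: List[float] = []   # parallel timestamp list so bisect can locate windows

    def add(self, rec: Record) -> None:
        """Store a packet as it is captured; evict anything older than the retention horizon."""
        if self._ts and rec.ts < self._ts[-1]:
            raise ValueError("records must be added in capture order")
        self._recs.append(rec)
        self._ts.append(rec.ts)
        cut = bisect.bisect_left(self._ts, rec.ts - self.retention)
        if cut:
            del self._recs[:cut]
            del self._ts[:cut]

    def records(self) -> List[Record]:
        return list(self._recs)

    def window(self, center_ts: float, before: float, after: float) -> List[Record]:
        """Every stored packet with center_ts - before <= ts <= center_ts + after."""
        lo = bisect.bisect_left(self._ts, center_ts - before)
        hi = bisect.bisect_right(self._ts, center_ts + after)
        return self._recs[lo:hi]

    def flow(self, rec: Record) -> List[Record]:
        """Every stored packet of the same conversation as `rec`, in either direction."""
        key = flow_key(rec)
        return [r for r in self._recs if flow_key(r) == key]

    def bytes_per_second(self, start_ts: float, end_ts: float) -> Dict[int, int]:
        """Per-second byte totals over a window, for locating where a performance hit began."""
        totals: Counter = Counter()
        for r in self.window(start_ts, 0.0, end_ts - start_ts):
            totals[int(r.ts)] += r.length
        return dict(totals)


def first_trigger(store: HistoricalStore, pattern: bytes) -> Optional[Record]:
    """A simple content trigger: the first stored packet whose payload contains `pattern`."""
    return next((r for r in store.records() if pattern in r.payload), None)


def investigate(store: HistoricalStore, alert: Record, before: float, after: float) -> dict:
    """Apply context to an alert: the surrounding time window plus the whole conversation."""
    return {"alert": alert,
            "context": store.window(alert.ts, before, after),
            "conversation": store.flow(alert)}


def build_store(records, retention_seconds: float) -> HistoricalStore:
    store = HistoricalStore(retention_seconds)
    for r in records:
        store.add(r)
    return store


# Constructed sample records (not real traffic). 203.0.113.10 is a documentation address;
# 4111111111111111 is a well-known test card number standing in for leaked data.
SAMPLE_RECORDS = [
    Record(100.0, "10.0.0.5", 40000, "10.0.0.80", 80, 6, 74, b"GET /index.html HTTP/1.1"),
    Record(100.2, "10.0.0.80", 80, "10.0.0.5", 40000, 6, 1500, b"HTTP/1.1 200 OK"),
    Record(101.0, "10.0.0.5", 53001, "10.0.0.53", 53, 17, 70, b"\x00\x01 query files.example"),
    Record(101.1, "10.0.0.53", 53, "10.0.0.5", 53001, 17, 86, b"\x00\x01 answer 203.0.113.10"),
    Record(102.5, "10.0.0.5", 40001, "203.0.113.10", 80, 6, 74, b""),
    Record(103.0, "10.0.0.5", 40001, "203.0.113.10", 80, 6, 120, b"POST /upload HTTP/1.1\r\n\r\ncard=4111111111111111"),
    Record(103.1, "203.0.113.10", 80, "10.0.0.5", 40001, 6, 60, b"HTTP/1.1 200 OK"),
    Record(104.0, "10.0.0.9", 44444, "10.0.0.80", 443, 6, 1500, b"\x16\x03\x01 client hello"),
    Record(109.0, "10.0.0.9", 44444, "10.0.0.80", 443, 6, 1500, b"\x17\x03\x03 app data"),
]

if __name__ == "__main__":
    store = build_store(SAMPLE_RECORDS, retention_seconds=60.0)
    alert = first_trigger(store, b"4111111111111111")
    result = investigate(store, alert, before=2.0, after=2.0)
    print("alert at", alert.ts, "context:", len(result["context"]), "conversation:", len(result["conversation"]))
    print("bytes per second 100-104:", store.bytes_per_second(100.0, 104.0))
```

Run on the sample, the trigger fires on the outbound POST at t=103.0; the two-second window around it also returns the DNS lookup that resolved the destination and the connection setup packet, which is the context a real-time-only tool would already have discarded. The retention horizon is the point the article's short-term versus historical distinction turns on: with a five-second horizon the same store has evicted the alert and its conversation by the time the last packet arrives.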
See also
- Intrusion detection
- Logic analyzer
- Network tap
- Packet sniffer
- Snort (software)
- Wireshark (formerly known as Ethereal)
References
- [1] Bivio Networks (2007-10-07). "Press release: Solera Networks and Bivio Networks announce product interoperability". Retrieved 2008-03-15.
- [2] Business Wire (2007-12-06). "Solera Networks Announces Advanced Deep Packet Inspection and Capture Solution for Full 10Gbps Speeds". Reuters. Retrieved 2007-03-13.
- [3] Linda Musthaler (2007-07-16). "Rewind and replay what happens on your network". Network World. Retrieved 2008-03-13.
- [4] Solera Networks (2008). "Capture Appliances". Retrieved 2008-03-15.
- [5] Tom Bowers (2007-02-05). "Getting started with content monitoring". Network World. Retrieved 2008-04-01.
- [6] Andrew Conry-Murray (2008-12-15). "Startup Of The Week: NetWitness Is Like TiVo For IT". Information Week. Retrieved 2008-04-01.
- [7] NetScout Systems, Inc. (2008). "Network Troubleshooting". Retrieved 2008-03-15.
- [8] Endace (2007). "Application overview". Retrieved 2008-03-15.
- [9] Paul Venezia (2003-07-11). "NetDetector captures intrusions". InfoWorld. Retrieved 2008-03-15.