Packet capture is the act of capturing data packets crossing a computer network. Deep packet capture (DPC) is the act of capturing, at full network speed, complete network packets (header and payload) crossing a network with a high traffic rate. Once captured and stored, either in short-term memory or long-term storage, software tools can perform deep packet inspection (DPI) to review network packet data, perform forensic analysis to uncover the root cause of network problems, identify security threats, and ensure that data communications and network usage comply with stated policy. Some DPC systems can be coupled with DPI and can as a result manage, inspect, and analyze all network traffic in real time at wire speed while keeping a historical archive of all network traffic for further analysis.[1]
Partial packet capture can record headers without recording the full content of datagrams. This reduces storage requirements and avoids some legal problems, while still retaining enough data to reveal the essential information required for problem diagnosis.
Packet capture can either capture the entire data stream or capture a filtered portion of stream.
Packet capture has the ability to capture packet data from the data link layer on up (layers 2-7) of the OSI model. This includes headers and payload. Headers include information about what is contained in the packet and are analogous to the address or other printed information on the outside of an envelope. The payload is the actual content of the packet and is therefore analogous to the contents of the envelope. Complete capture encompasses every packet that crosses a network segment, regardless of source, protocol or other distinguishing bits of data in the packet. Complete capture is the unrestricted, unfiltered, raw capture of all network packets.
Packet capture devices may have the ability to limit capture of packets by protocol, IP address, MAC address, etc. With the application of filters, only complete packets that meet the criteria of the filter (header and payload) are captured, diverted, or stored.
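As an added illustration (not code from the original article), the following Python sketch constructs a few sample Ethernet/IPv4 frames, writes them in the libpcap file format, and contrasts complete capture (full payload), partial capture (a snaplen that keeps only link and network headers while still recording the original wire length), and filtered capture by IP protocol and destination address. The `build_packet`, `matches` and `capture` helpers, the 34-byte header-only snaplen and the 10.0.0.0/24 addresses are assumptions made for this example.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4      # libpcap file magic (little-endian file written below)
LINKTYPE_ETHERNET = 1
HEADERS_ONLY = 34            # Ethernet (14) + IPv4 header (20): a partial-capture snaplen

def build_packet(src_ip, dst_ip, proto, payload):
    """Construct a sample Ethernet/IPv4 frame (hypothetical helper; checksums zeroed)."""
    eth = b"\x00" * 12 + b"\x08\x00"                 # dst/src MAC zeroed, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + payload

def matches(frame, proto=None, dst_ip=None):
    """Capture filter: decide from the headers alone whether a frame is kept."""
    if frame[12:14] != b"\x08\x00" or len(frame) < HEADERS_ONLY:
        return False                                 # not IPv4, or truncated
    ip_proto = frame[23]                             # IPv4 protocol field (6=TCP, 17=UDP)
    dst = socket.inet_ntoa(frame[30:34])             # IPv4 destination address
    return (proto is None or ip_proto == proto) and (dst_ip is None or dst == dst_ip)

def write_pcap(packets, snaplen=65535):
    """Serialize frames as pcap; each record keeps up to snaplen bytes but records the wire length."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts, pkt in enumerate(packets):               # constructed timestamps: 1 s apart
        data = pkt[:snaplen]
        out += struct.pack("<IIII", ts, 0, len(data), len(pkt)) + data
    return out

def read_pcap(blob):
    """Yield (captured_bytes, original_length) for every record in a pcap blob."""
    if struct.unpack("<I", blob[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off = 24
    while off < len(blob):
        _, _, incl_len, orig_len = struct.unpack("<IIII", blob[off:off + 16])
        off += 16
        yield blob[off:off + incl_len], orig_len
        off += incl_len

def capture(packets, snaplen=65535, **filt):
    """Complete (no filter, full snaplen), partial (small snaplen) or filtered capture."""
    return write_pcap([p for p in packets if matches(p, **filt)], snaplen)

# Constructed sample traffic on one segment: two TCP flows to a web server, one UDP flow.
SAMPLE = [
    build_packet("10.0.0.5", "10.0.0.80", 6, b"\x00\x50" * 2 + b"GET / HTTP/1.1\r\n"),
    build_packet("10.0.0.5", "10.0.0.53", 17, b"\x00\x35" * 2 + b"dns-query"),
    build_packet("10.0.0.9", "10.0.0.80", 6, b"\x00\x50" * 2 + b"POST /upload " + b"x" * 200),
]
```

`capture(SAMPLE)` yields a complete capture, `capture(SAMPLE, snaplen=HEADERS_ONLY)` a header-only partial capture that is much smaller, and `capture(SAMPLE, proto=6, dst_ip="10.0.0.80")` keeps only the TCP frames addressed to the web server.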
Once data is captured, it can be analyzed right away or stored and analyzed later.
Many deep packet inspection tools rely on real-time inspection of data as it crosses the network, using known criteria for analysis. DPI tools make real-time decisions on what to do with packet data, perform designated analysis and act on the results. If packets are not stored after capture, they may be flushed away and actual packet contents are no longer available. Short-term capture and analysis tools can typically detect threats only when the triggers are known in advance but can act in real-time.
Historical capture and analysis stores all captured packets for further analysis, after the data has already crossed the network. As DPI and analysis tools deliver alerts, the historical record can be analyzed to apply context to the alert, answering the question “what happened leading up to, and after, the alert?”[2]
Analysis of historical data captured with DPC assists in pinpointing the source of an intrusion.[3] DPC can capture network traffic accessing certain servers and other systems to verify that the traffic flows belong to authorized employees.[4] However, this technique cannot function as an intrusion prevention system.
Analyzing historical data flows captured with DPC assists in content monitoring, identifying data leaks and pinpointing their source.[5][6] Analysis of DPC data can also reveal which files have been sent out of the network.[7]
If an adverse event is detected on a network, its cause or source can be more reliably determined if the administrator has access to complete historical data. DPC can capture all packets on important network links continuously. When an event happens, a network administrator can then assess the exact circumstances surrounding a performance event, take corrective action, and ensure that the problem will not reoccur.[8] This helps reduce the Mean Time To Repair.
Packet capture can be used to fulfill a warrant from a law enforcement agency (LEA) to produce all network traffic generated by an individual. Internet service providers and VoIP providers in the United States of America must comply with CALEA (Communications Assistance for Law Enforcement Act) regulations. Deep packet capture provides a record of all network activities.[3] Using packet capture and storage, telecommunications carriers can provide the legally required secure and separate access to targeted network traffic and are able to use the same device for internal security purposes. DPC probes can provide lossless capture of target traffic without compromising network performance.[9] However, DPC appliances may be unable to provide chain-of-evidence audit logs, or satisfactory security, for use in this application. Collection of data from a carrier system without a warrant is illegal under interception laws.
In the event that an intrusion allowed information (credit card numbers, social security numbers, medical records, etc.) to be stolen, an administrator could verify exactly which information was stolen and which information was safe. This could be very helpful in the event of litigation or in the case of a credit card company receiving possibly fraudulent claims of unauthorized purchases on cards whose numbers were not compromised.
If an exploit or intrusion was monitored via DPC, a system administrator may replay that attack against systems which have been patched to prevent the attack. This will help the administrator know whether or not their fix worked.
Once an intrusion, virus, worm or other problem has been detected on a network, historical data may allow a system administrator to determine, conclusively, exactly how many systems were affected.[3] All traffic, or a selected segment of it, on any given interface can be captured with a DPC appliance. Triggers can be set up to capture certain events or breaches. When an event triggers, the device can send e-mail notifications and SNMP traps. Once a particular attack or signature has been identified, every packet included in that event is available, either in raw packet form or accurately rendered in its original format.[10]
Packet capturing for forensic investigations can also be performed reliably with free open source tools and systems, such as FreeBSD and dumpcap.[11]
If performance suddenly takes a hit, the historical data allows an administrator to view a specific window of time and determine the cause of the performance issues.[3]