Packet capture

Packet capture

Packet capture is the act of capturing data packets crossing a computer network. Deep packet capture (DPC) is the act of capturing, at full network speed, complete network packets (header and payload) crossing a network with a high traffic rate. Once captured and stored, either in short-term memory or long-term storage, software tools can perform Deep packet inspection (DPI) to review network packet data, perform forensics analysis to uncover the root cause of network problems, identify security threats, and ensure data communications and network usage complies with outlined policy. Some DPCs can be coupled with DPI and can as a result manage, inspect, and analyze all network traffic in real-time at wire speeds while keeping a historical archive of all network traffic for further analysis.[1]

Partial packet capture can record headers without recording the total content of datagrams. This can reduce storage requirements, and avoid legal problems, but yet have enough data to reveal the essential information required for problem diagnosis.



Packet capture can either capture the entire data stream or capture a filtered portion of stream.

Complete capture

Packet capture has the ability to capture packet data from the data link layer on up (layers 2-7) of the OSI model. This includes headers and payload. Headers include information about what is contained in the packet and could be synonymous to an address or other printed information on the outside of an envelope. The payload includes the actual content of the packet and therefore synonymous to the contents of the envelope. Complete capture encompasses every packet that crosses a network segment, regardless of source, protocol or other distinguishing bits of data in the packet. Complete capture is the unrestricted, unfiltered, raw capture of all network packets.

Filtered capture

Packet capture devices may have the ability to limit capture of packets by protocol, IP address, MAC address, etc. With the application of filters, only complete packets that meet the criteria of the filter (header and payload) are captured, diverted, or stored.

Historical capture and analysis

Once data is captured, it can be analyzed right away or stored and analyzed later.

Many deep packet inspection tools rely on real-time inspection of data as it crosses the network, using known criteria for analysis. DPI tools make real-time decisions on what to do with packet data, perform designated analysis and act on the results. If packets are not stored after capture, they may be flushed away and actual packet contents are no longer available. Short-term capture and analysis tools can typically detect threats only when the triggers are known in advance but can act in real-time.

Historical capture and analysis stores all captured packets for further analysis, after the data has already crossed the network. As DPI and analysis tools deliver alerts, the historical record can be analyzed to apply context to the alert, answering the question “what happened leading up to, and after, the alert?”[2]


Identifying security breaches

Analysis of historical data captured with DPC assists in pinpointing the source of the intrusion.[3] DPC can capture network traffic accessing certain servers and other systems to verify that the traffic flows belong to authorized employees.[4] However this technique cannot function as an intrusion prevention system.

Identifying data leakage

Analyzing historical data flows captured with DPC assists in content monitoring and identifying data leaks and pinpointing their source.[5][6] Analysis of DPC data can also reveal what files that have been sent out from the network.[7]

Network Troubleshooting

If an adverse event is detected on a network, its cause or source can be more reliably determined if the administrator has access to complete historical data. DPC can capture all packets on important network links continuously. When an event happens, a network administrator can then assess the exact circumstances surrounding a performance event, take corrective action, and ensure that the problem will not reoccur.[8] This helps reduce the Mean Time To Repair.

Lawful intercept

Packet capture can be used to fulfill a warrant from a law enforcement agency (LEA) to produce all network traffic generated by an individual. Internet service providers and VoIP providers in the United States of America must comply with CALEA (Communications Assistance for Law Enforcement Act) regulations. Deep Packet Capture provides a record of all network activities.[3] Using packet capture and storage, telecommunications carriers can provide the legally required secure and separate access to targeted network traffic and are able to use the same device for internal security purposes. DPC probes can provide lossless capture of target traffic without compromising network performance.[9] However DPC appliances may be unable to provide chain of evidence audit logs, or satisfactory security for use in this application. Collection of data from a carrier system without a warrant is illegal due to laws about interception.

Detecting data loss

In the event that an intrusion allowed information (credit card numbers, social security numbers, medical records, etc.) to be stolen, an administrator could verify exactly which information was stolen and which information was safe. This could be very helpful in the event of litigation or in the case of a credit card company receiving possibly fraudulent claims of unauthorized purchases on cards whose numbers were not compromised.

Verifying security fixes

If an exploit or intrusion was monitored via DPC, a system administrator may replay that attack against systems which have been patched to prevent the attack. This will help the administrator know whether or not their fix worked.


Once an intrusion, virus, worm or other problem has been detected on a network, historical data may allow a system administrator to determine, conclusively, exactly how many systems were affected.[3] All traffic or a selected segment on any given interface can be captured with a DPC appliance. Triggers can be set up to capture certain events or breaches. When an event triggers, the device can send e-mail notifications and SNMP traps. Once a particular attack or signature has been identified, every packet included in that event is available, both in raw packet form or accurately rendered in its original format.[10]

Packet capturing for forensic investigations can also be performed reliably with free open source tools and systems, such as FreeBSD and dumpcap.[11]

Benchmarking performance

If performance suddenly takes a hit, the historical data allows an administrator to view a specific window of time and determine the cause of the performance issues.[3]

See also


  1. ^ "Press Release - Solera Networks and Bivio Networks announce product interoperability". Bivio Networks. 2007-10-07. Archived from the original on 2008-05-01. Retrieved 2008-03-15. 
  2. ^ (Business Wire) (2007-12-06). "Solera Networks Announces Advanced Deep Packet Inspection and Capture Solution for Full 10Gbps Speeds". Reuters. Retrieved 2007-03-13. 
  3. ^ a b c d Linda Musthaler (2007-07-16). "Rewind and replay what happens on your network". Network World. Retrieved 2008-03-13. 
  4. ^ "Capture Appliances". Solera Networks. 2008. Retrieved 2008-03-15. 
  5. ^ Tom Bowers (2007-02-05). "Getting started with content monitoring". Network World. Retrieved 2008-04-01. 
  6. ^ Andrew Conry-Murray (2008-12-15). "Startup Of The Week: NetWitness Is Like TiVo For IT". Information Week. Retrieved 2008-04-01. 
  7. ^ Erik Hjelmvik (2008). "Passive Network Security Analysis with NetworkMiner". Forensic Focus. Retrieved 2009-08-28. 
  8. ^ "Network Troubleshooting". Net Scout Systems, Inc.. 2008. Retrieved 2008-03-15. [dead link]
  9. ^ "Application overview". Endace. 2007. Archived from the original on 2008-03-04. Retrieved 2008-03-15. 
  10. ^ Paul Venezia (2003-07-11). "NetDetector captures intrusions". Infoworld. Retrieved 2008-03-15. 
  11. ^ "Sniffing Tutorial part 2 - Dumping Network Traffic to Disk", NETRESEC Network Security Blog, 2011

Wikimedia Foundation. 2010.

Игры ⚽ Нужно решить контрольную?

Look at other dictionaries:

  • Packet analyzer — A packet analyzer (also known as a network analyzer, protocol analyzer, or sniffer, or for particular types of networks, an Ethernet sniffer or wireless sniffer) is a computer program or a piece of computer hardware that can intercept and log… …   Wikipedia

  • Packet sniffer — Saltar a navegación, búsqueda En informática, un packet sniffer es un programa de captura de las tramas de red. Es algo común que, por topología de red y necesidad material, el medio de transmisión (cable coaxial, UTP, fibra óptica etc.) sea… …   Wikipedia Español

  • packet sniffer — noun (computing) A tool used to capture and decode packets of data being transmitted over a network • • • Main Entry: ↑pack …   Useful english dictionary

  • Packet sniffer — En informática, un packet sniffer es un programa de captura las tramas de red, y es generalmente utilizado con fines maliciosos, para gestion de red o con finalidad docente. Es algo común que, por topología de red y necesidad material, el medio… …   Enciclopedia Universal

  • Deep packet inspection — (DPI) (also called complete packet inspection and Information eXtraction IX ) is a form of computer network packet filtering that examines the data part (and possibly also the header) of a packet as it passes an inspection point, searching for… …   Wikipedia

  • Berkeley Packet Filter — The Berkeley Packet Filter or BPF provides, on some Unix like systems, a raw interface to data link layers, permitting raw link layer packets to be sent and received. In addition, if the driver for the network interface supports promiscuous mode …   Wikipedia

  • Royal Mail Steam Packet Company — Royal Mail Lines Création 1839 Dates clés …   Wikipédia en Français

  • Naufrages de la Royal Mail Steam Packet Company — La Royal Mail Steam Packet Company est une compagnie maritime britannique qui a existé de 1839 à 1972 (dénommée Royal Mail Lines à partir de sa liquidation puis refondation en 1932) et qui desservait essentiellement les liaisons transatlantiques… …   Wikipédia en Français

  • Comparison of packet analyzers — The following tables compare general and technical information for several packet analyzer software utilities. Please see the individual products articles for further information. This article is not all inclusive or necessarily up to date.… …   Wikipedia

  • pcap — libpcap Developer(s) The Tcpdump team Stable release 1.1.1 / April 7, 2010; 19 months ago (2010 04 07) Operating system Linux, Solaris, FreeBSD, NetB …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”