Packet capture appliance


A packet capture appliance is a standalone device that performs packet capture. [1] Packet capture appliances may be deployed anywhere on a network, but they are most commonly placed at the entrances to the network (i.e. the internet connections) and in front of critical equipment, such as servers containing sensitive information.


In general, packet capture appliances capture and record all network packets in full (both header and payload); some appliances, however, can be configured to capture only a subset of a network's traffic based on user-definable filters. For many applications, especially network forensics and incident response, full packet capture is critical, though filtered capture may be used for specific, limited information-gathering purposes. [2]

Deployment

The network data that a packet capture appliance captures depends on where and how the appliance is installed on a network. There are two options for deploying packet capture appliances on a network. One option is to connect the appliance to the SPAN port (port mirroring) on a network switch or router. A second option is to connect the appliance inline, so that traffic along a network route traverses the appliance (similar in configuration to a network tap, except that the traffic is captured and stored by the appliance itself rather than being passed on to a separate monitoring device). [3]

When connected via a SPAN port, the packet capture appliance can receive and record all Ethernet/IP activity for every port of the switch or router that is mirrored to it. [4] A SPAN port is not a lossless copy, however: when the combined traffic of the mirrored ports exceeds the capacity of the SPAN port, the switch silently drops mirrored frames, so a capture taken this way can be incomplete during busy periods.

When connected inline, the packet capture appliance captures only the network traffic traveling between two points, that is, the traffic that passes through the cable to which the appliance is connected. [3] Because an inline appliance sits in the traffic path, its failure or loss of power interrupts the link unless the appliance has a fail-open bypass.

There are two general approaches to deploying packet capture appliances: centralized and decentralized.

Centralized

With a centralized approach, one high-capacity, high-speed packet capture appliance connects to a data-aggregation point. The advantage of a centralized approach is that a single appliance gives visibility over the network's entire traffic. This approach, however, creates a single point of failure that is a very attractive target for attackers; in addition, the network has to be re-engineered to bring all traffic to the appliance, which typically involves high costs. [4]

Decentralized

With a decentralized approach, multiple appliances are placed around the network, starting at the point(s) of entry and proceeding downstream to deeper network segments, such as workgroups. The advantages include: no network re-configuration; ease of deployment; multiple vantage points for incident response investigations; scalability; no single point of failure (if one appliance fails, the others keep recording); and low cost. Combined with electronic invisibility (see Data security below), this approach greatly reduces the exposure of the appliances to direct network attack. The main drawback is the increased maintenance burden of operating multiple appliances. [4]

In the past, packet capture appliances were sparingly deployed, often only at the point of entry into a network. Packet capture appliances can now be deployed more effectively at various points around the network. When conducting incident response, the ability to see the network data flow from various vantage points is indispensable in reducing time to resolution and narrowing down which parts of the network were ultimately affected. By placing packet capture appliances at the entry point and in front of each workgroup, following the path of a particular transmission deeper into the network becomes simpler and much quicker. Additionally, the appliances placed in front of the workgroups record intranet transmissions that the appliance at the entry point never sees. [3]

Capacity

Packet capture appliances come with capacities ranging from 500 GB to 192 TB and more. Only a few organizations with extremely high network usage would have use for the upper ranges of capacities. Most organizations would be well served with capacities from 1 TB to 4 TB. [5]

A good rule of thumb when choosing capacity is to allow 1 GB per day for heavy users down to 1 GB per month for regular users. For a typical office of 20 people with average usage, 1 TB would be sufficient for about 1 to 4 years. [3]

Link speed (100/0 ratio)    100 Mbit/s    1 Gbit/s    10 Gbit/s    40 Gbit/s
Data on disk per second     12.5 MB       125 MB      1.25 GB      5 GB
Data on disk per minute     750 MB        7.5 GB      75 GB        300 GB
Data on disk per hour       45 GB         450 GB      4.5 TB       18 TB

The 100/0 ratio means simplex (one-direction) traffic at full line rate; a real full-duplex link carries traffic in both directions, so the volume written to disk can be higher still.
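The table above and the per-user rule of thumb are easiest to check with a small calculator. The following is an added example, not code from the page or from any appliance vendor; it assumes decimal units (1 GB = 10^9 bytes), no compression, packets stored in full, and takes "100/0" to mean one direction of the link captured at line rate. The function and constant names are the example's own.

```python
# Added example (not from the page or any appliance vendor): capture-volume
# and retention arithmetic. Assumptions: decimal units (1 GB = 10^9 bytes),
# no compression, packets stored in full, and a "100/0" ratio meaning one
# direction of the link is captured. The per-user figures are the rule of
# thumb quoted in the text.

GB = 10**9
TB = 10**12
SECONDS_PER_DAY = 86_400

def bytes_per_second(link_bps, utilisation=1.0, duplex=False):
    """Bytes that land on disk each second when a link is captured at the
    given fraction of line rate; duplex=True counts both directions."""
    directions = 2 if duplex else 1
    return link_bps / 8 * utilisation * directions

def volume_table(link_bps):
    """Per-second, per-minute and per-hour volumes for a saturated simplex
    link (the rows of the table above)."""
    per_sec = bytes_per_second(link_bps)
    return {"sec": per_sec, "min": per_sec * 60, "hr": per_sec * 3600}

def retention_hours(capacity_bytes, link_bps, utilisation=1.0, duplex=False):
    """Hours of traffic a store holds before it is full (permanent storage)
    or before the oldest data is overwritten (ring-buffer storage)."""
    return capacity_bytes / bytes_per_second(link_bps, utilisation, duplex) / 3600

def required_capacity(link_bps, retain_days, utilisation=1.0, duplex=False):
    """Bytes needed to keep retain_days of traffic at the given load."""
    return bytes_per_second(link_bps, utilisation, duplex) * retain_days * SECONDS_PER_DAY

def per_user_volume(heavy_users, regular_users, days):
    """Rule of thumb from the text: 1 GB per day for a heavy user,
    1 GB per month (taken as 30 days) for a regular user."""
    return (heavy_users * GB + regular_users * GB / 30) * days

def years_of_capacity(capacity_bytes, heavy_users, regular_users):
    """How many years the capacity lasts for that user mix."""
    return capacity_bytes / per_user_volume(heavy_users, regular_users, 365)

if __name__ == "__main__":
    for name, bps in (("100 Mbit/s", 10**8), ("1 Gbit/s", 10**9),
                      ("10 Gbit/s", 10**10), ("40 Gbit/s", 4 * 10**10)):
        v = volume_table(bps)
        print(f"{name:>10}: {v['sec']/GB:.4f} GB/s  {v['min']/GB:.1f} GB/min  {v['hr']/TB:.2f} TB/hr")
    print("1 TB at 10% of 1 Gbit/s, both directions:",
          f"{retention_hours(TB, 10**9, 0.1, duplex=True):.1f} h")
    print("1 TB for 20 regular users:", f"{years_of_capacity(TB, 0, 20):.1f} years")
```

Running the script reproduces the four columns of the table, and shows that the same 1 TB that covers 20 regular users for about four years is exhausted in well under a day if the link it watches is actually busy, which is why sizing should start from measured link utilisation rather than head counts.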

Features

Filtered vs. full packet capture

Full packet capture appliances capture and record all Ethernet/IP activity, while filtered packet capture appliances capture only a subset of traffic based on a set of user-definable filters, such as IP address, MAC address or protocol. Unless the appliance is used for a very specific purpose covered by the filter parameters, it is generally best to use full packet capture; otherwise there is a risk of missing vital data. Particularly when a capture is used for network forensics or cybersecurity purposes, it is paramount to capture everything, because any packet not captured on the spot is a packet that is gone forever. It is impossible to know ahead of time the specific characteristics of the packets or transmissions that will be needed, especially in the case of an advanced persistent threat (APT). APTs and other intrusion techniques succeed precisely because administrators do not know in advance how they work and so have no matching filter or countermeasure in place. [3]
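The difference between full and filtered capture is concrete once the bytes are on disk. The following added example (not code from the page or from any appliance) builds a few constructed Ethernet/IPv4 frames, writes them in the standard pcap format, and reads them back either unfiltered or through a filter keyed on IP address, MAC address or protocol, the three filter types the text names. All addresses, ports and payloads are made up; the pcap and header layouts are the standard ones.

```python
# Added example (not from the page or any vendor): constructs a tiny pcap
# file and contrasts full capture with filtered capture. Frames, addresses
# and ports are made up; the pcap layout (magic 0xa1b2c3d4, link type 1),
# Ethernet II and IPv4 header formats are the standard ones.
import struct

PROTO_TCP, PROTO_UDP = 6, 17

def _mac(s):
    return bytes.fromhex(s.replace(":", ""))

def _ip(s):
    return bytes(int(o) for o in s.split("."))

def _checksum(hdr):
    total = sum((hdr[i] << 8) + hdr[i + 1] for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, proto, l4):
    """Ethernet II + IPv4 header (no options) + transport segment."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      _ip(src_ip), _ip(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return _mac(dst_mac) + _mac(src_mac) + b"\x08\x00" + hdr + l4

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def tcp(sport, dport, data, flags=0x18):  # PSH|ACK, checksum left zero
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, flags, 65535, 0, 0) + data

def parse(frame):
    """The fields a capture filter keys on, or None if the frame is not IPv4."""
    if frame[12:14] != b"\x08\x00":
        return None
    return {"dst_mac": frame[0:6], "src_mac": frame[6:12], "proto": frame[23],
            "src_ip": frame[26:30], "dst_ip": frame[30:34]}

def matches(frame, ip=None, mac=None, proto=None):
    """True if the frame passes every filter criterion that was given."""
    f = parse(frame)
    if f is None:
        return False
    if proto is not None and f["proto"] != proto:
        return False
    if ip is not None and _ip(ip) not in (f["src_ip"], f["dst_ip"]):
        return False
    if mac is not None and _mac(mac) not in (f["src_mac"], f["dst_mac"]):
        return False
    return True

def write_pcap(frames, **filt):
    """Serialise frames as pcap; with filter keywords only matching frames are kept."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for n, fr in enumerate(frames):
        if filt and not matches(fr, **filt):
            continue   # a filtered appliance never writes this packet: it is gone
        out.append(struct.pack("<IIII", 1_700_000_000 + n, 0, len(fr), len(fr)) + fr)
    return b"".join(out)

def read_pcap(data):
    magic, = struct.unpack_from("<I", data)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap file")
    frames, off = [], 24
    while off < len(data):
        _, _, incl, _ = struct.unpack_from("<IIII", data, off)
        frames.append(data[off + 16:off + 16 + incl])
        off += 16 + incl
    return frames

# Constructed traffic: two HTTPS flows and one DNS query from workstations.
SAMPLE = [
    ipv4_frame("02:00:00:00:00:05", "02:00:00:00:00:01", "10.0.0.5", "203.0.113.10",
               PROTO_TCP, tcp(51000, 443, b"\x16\x03\x01")),
    ipv4_frame("02:00:00:00:00:05", "02:00:00:00:00:01", "10.0.0.5", "198.51.100.53",
               PROTO_UDP, udp(53111, 53, b"\x12\x34\x01\x00")),
    ipv4_frame("02:00:00:00:00:07", "02:00:00:00:00:01", "10.0.0.7", "203.0.113.10",
               PROTO_TCP, tcp(51001, 443, b"\x16\x03\x01")),
]

def full_capture():
    return read_pcap(write_pcap(SAMPLE))

def tcp_only_capture():
    return read_pcap(write_pcap(SAMPLE, proto=PROTO_TCP))

def host_capture(ip):
    return read_pcap(write_pcap(SAMPLE, ip=ip))
```

A filter of "TCP only" keeps both HTTPS flows but the DNS query never reaches disk; if that query later turns out to be the one that resolved a command-and-control domain, no amount of after-the-fact filtering on the full capture could have been worse than not having the packet at all.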

Intelligent Packet Capture

Intelligent packet capture uses machine learning to filter and reduce the amount of network traffic captured. Traditional filtered packet capture relies on manually configured rules and policies intended to capture all potentially malicious traffic. Intelligent packet capture instead uses machine learning models, including features derived from cyber threat intelligence feeds, to target and capture the most threatening traffic. Machine learning techniques for network intrusion detection, [6] [7] traffic classification [8] and anomaly detection [9] are used to identify potentially malicious traffic for collection. The caveat of the previous section still applies: whatever the model does not select is never recorded.

Encrypted vs. unencrypted storage

Some packet capture appliances encrypt the captured data before saving it to disk, while others do not. Considering the breadth of information that travels on a network or internet connection, and that at least a portion of it could be considered sensitive, encryption is a good idea for most situations as a measure to keep the captured data secure. Closely related integrity protection (cryptographic hashes, message authentication codes or signatures over the stored capture) is what allows the recorded data to be authenticated later, which is critical when a capture is to serve as evidence in data/network forensics; encryption alone does not prove that stored data is unaltered. [3]
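The integrity side of this is worth seeing in code, because it is the part a forensic reviewer actually checks. The following is an added example, not code from the page or any vendor: each stored capture segment gets an HMAC-SHA256 tag that also covers the previous segment's tag and a sequence number, so editing, deleting or reordering a stored segment is detected by anyone holding the key. The key, segment contents and function names are the example's own; a real appliance would keep the key in a hardware module and additionally encrypt each segment, for instance with an AEAD cipher from a library such as `cryptography` (assumed, not used here).

```python
# Added example (not from the page or any vendor): tamper-evident storage of
# capture data using an HMAC-SHA256 chain over stored segments. Key and
# segment bytes are constructed for the demo. Encryption at rest is out of
# scope here; it would be layered on with an AEAD cipher from a crypto library.
import hashlib
import hmac

ZERO_TAG = b"\x00" * 32

def segment_tag(key, prev_tag, seq, segment):
    """Tag = HMAC(key, prev_tag || seq || SHA-256(segment))."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    h.update(prev_tag)
    h.update(seq.to_bytes(8, "big"))
    h.update(hashlib.sha256(segment).digest())
    return h.digest()

class CaptureStore:
    """Append-only list of (seq, segment, tag) entries chained by HMAC."""
    def __init__(self, key):
        self.key = key
        self.entries = []

    def append(self, segment):
        prev = self.entries[-1][2] if self.entries else ZERO_TAG
        seq = len(self.entries)
        self.entries.append((seq, bytes(segment), segment_tag(self.key, prev, seq, segment)))

    def head(self):
        """Latest tag; record it off-box so truncation of the tail is detectable."""
        return self.entries[-1][2] if self.entries else ZERO_TAG

def verify(key, entries, expected_head=None):
    """Return (ok, index): index is the first bad entry, or None when ok."""
    prev = ZERO_TAG
    for i, (seq, segment, tag) in enumerate(entries):
        if seq != i or not hmac.compare_digest(tag, segment_tag(key, prev, seq, segment)):
            return False, i
        prev = tag
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(entries)   # internally consistent, but the tail was cut off
    return True, None

# Constructed demo key and capture segments.
KEY = hashlib.sha256(b"demo key for the example only").digest()

def build_store():
    store = CaptureStore(KEY)
    for seg in (b"pcap segment 0", b"pcap segment 1", b"pcap segment 2"):
        store.append(seg)
    return store

def edited(entries, i):
    """Stored bytes of entry i altered by someone without the key."""
    out = list(entries)
    seq, seg, tag = out[i]
    out[i] = (seq, seg + b"\x00", tag)
    return out

def deleted(entries, i):
    out = list(entries)
    del out[i]
    return out

def truncated(entries, n):
    return list(entries[:n])
```

The chain catches edits, deletions and reordering on its own, but a store that has simply lost its newest segments still verifies cleanly; that is why `head()` exists, and why a real deployment ships the latest tag (or a signed count) somewhere the appliance cannot overwrite.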

Sustained capture speed vs. peak capture speed

The sustained capture speed is the rate at which a packet capture appliance can capture and record packets without interruption or error over a long period of time. This is different from the peak capture rate, which is the highest speed at which the appliance can capture and record packets. The peak capture speed can only be maintained for a short period of time, until the appliance's buffers fill up and it starts losing packets. Many packet capture appliances share the same peak capture speed of 1 Gbit/s, but actual sustained speeds vary significantly from model to model. [3] [10]
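The relationship between peak rate, sustained rate and buffer size determines exactly when loss begins. The following added example (not code from the page or any vendor) models an appliance that takes traffic in at the offered rate, commits it to disk at no more than the sustained rate, holds the difference in a capture buffer, and drops whatever no longer fits. The rates, buffer size and traffic profiles are constructed for illustration.

```python
# Added example (not from the page or any vendor): a minimal model of the
# difference between peak and sustained capture rate. The rates, buffer
# size and traffic profiles below are constructed for illustration.

def seconds_to_first_drop(peak_bps, sustained_bps, buffer_bytes):
    """Closed form: how long a constant overload can be absorbed before the
    buffer overflows (None if the load never exceeds the sustained rate)."""
    surplus = (peak_bps - sustained_bps) / 8   # bytes per second
    return None if surplus <= 0 else buffer_bytes / surplus

def simulate(offered_bps, sustained_bps, buffer_bytes):
    """Walk a per-second offered-load profile (bits/s per entry) and return
    (bytes_dropped, peak_buffer_fill_bytes, first_drop_second_or_None)."""
    buf = dropped = peak_fill = 0.0
    first_drop = None
    drain = sustained_bps / 8
    for t, bps in enumerate(offered_bps):
        buf += bps / 8                 # packets arriving this second
        buf -= min(buf, drain)         # disk keeps up only to the sustained rate
        if buf > buffer_bytes:         # buffer full: the remainder is lost
            dropped += buf - buffer_bytes
            buf = buffer_bytes
            if first_drop is None:
                first_drop = t
        peak_fill = max(peak_fill, buf)
    return dropped, peak_fill, first_drop

# Constructed scenario: 1 Gbit/s line rate, 400 Mbit/s sustained, 8 GB buffer.
PEAK, SUSTAINED, BUFFER = 10**9, 4 * 10**8, 8 * 10**9

def short_burst():
    """30 s at line rate followed by two idle minutes: absorbed, no loss."""
    return simulate([PEAK] * 30 + [0] * 120, SUSTAINED, BUFFER)

def long_burst():
    """Five minutes at line rate: the buffer fills and packets are dropped."""
    return simulate([PEAK] * 300, SUSTAINED, BUFFER)

if __name__ == "__main__":
    print("constant overload survives for",
          f"{seconds_to_first_drop(PEAK, SUSTAINED, BUFFER):.1f} s")
    print("short burst (dropped, peak fill, first drop):", short_burst())
    print("long burst  (dropped, peak fill, first drop):", long_burst())
```

With these numbers a 30-second burst at line rate is absorbed entirely, but a sustained 1 Gbit/s load overflows the 8 GB buffer after about 107 seconds and then loses 75 MB of every subsequent second; a data-sheet peak of "1 Gbit/s" says nothing about the second case.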

Permanent vs. overwritable storage

A packet capture appliance with permanent storage is ideal for network forensics and permanent record-keeping purposes because the data captured cannot be overwritten, altered or deleted. The main drawback of permanent storage is that the appliance eventually becomes full and requires replacement. Packet capture appliances with overwritable storage are easier to manage because, once they reach capacity, they start overwriting the oldest captured data with the newest; network administrators, however, run the risk of losing important capture data when it is overwritten. In general, packet capture appliances with overwrite capabilities are useful for simple monitoring or testing purposes, for which a permanent record is not necessary. Permanent, non-overwritable recording is a must for network forensics information gathering. [4]

GbE vs. 10 GbE

Most businesses use Gigabit Ethernet networks and will continue to do so for some time. [11] If a business intends to use one centralized packet capture appliance to aggregate all network data, it would probably need a 10 GbE packet capture appliance to handle the large volume of data arriving from all over the network. An alternative is to use multiple 1 Gbit/s inline packet capture appliances placed strategically around the network, so that there is no need to re-engineer a gigabit network to accommodate a 10 GbE appliance. [10]

Data security

Since packet capture appliances capture and store a large amount of data on network activity, including files, [12] emails and other communications, they can themselves become attractive targets for attack. A packet capture appliance deployed for any length of time should incorporate security features to protect the recorded network data from access by unauthorized parties. If deploying a packet capture appliance introduces too many additional security concerns, the cost of securing it may outweigh the benefits. The best approach is for the packet capture appliance to have built-in security features. These may include encryption, or methods to "hide" the appliance's presence on the network. For example, some packet capture appliances feature "electronic invisibility": the capture interface has no IP or MAC address of its own, so it cannot be addressed from the monitored segment and presents a stealthy network profile. [4]

Though connecting a packet capture appliance via a SPAN port appears to make it more secure, the packet capture appliance would ultimately still have to be connected to the network in order to allow management and data retrieval. Though not accessible via the SPAN link, the appliance would be accessible via the management link. [3]

Despite the benefits, the ability to control a packet capture appliance from a remote machine adds attack surface that could make the appliance vulnerable. [13] Packet capture appliances that allow remote access should have a robust system in place to protect against unauthorized access. One way to accomplish this is to incorporate a manual disable, such as a switch or toggle that allows the user to physically disable remote access. This simple measure is very effective, as an attacker is unlikely to gain physical access to the appliance in order to flip the switch. [3]

A final consideration is physical security. All the network security features in the world are moot if someone is simply able to steal the packet capture appliance or make a copy of it and have ready access to the data stored on it. Encryption is one of the best ways to address this concern, though some packet capture appliances also feature tamperproof enclosures. [3]

References

  1. "What is Network Packet Capture?". www.endace.com. 2023.
  2. Sherri Davidoff. "Network Forensics: Tracking Hackers Through Cyberspace". Retrieved 2012-07-08.
  3. Vacca, John R. (2013-08-26). Network and System Security. Elsevier. ISBN 978-0-12-416695-0.
  4. Vacca, John R. (2012-11-05). Computer and Information Security Handbook. Newnes. ISBN 978-0-12-394612-6.
  5. "Storage Capacity - IPCopper Packet Capture Appliances". www.ipcopper.com. Retrieved 2020-12-04.
  6. "KDD Cup 1999: Computer Network Intrusion Detection". SIGKDD. Retrieved 17 June 2019.
  7. Buczak, Anna; Guven, Erhan (26 October 2015). "A Survey of Data Mining and Machine Learning Methods for Cyber Security Intrusion Detection". IEEE Communications Surveys & Tutorials. 18 (2): 1153–1176. doi:10.1109/COMST.2015.2494502. S2CID 206577177.
  8. Li, Wei; Moore, Andrew W. (24–26 October 2007). "A Machine Learning Approach for Efficient Traffic Classification". 2007 15th International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems. pp. 310–317. CiteSeerX 10.1.1.219.6221. doi:10.1109/MASCOTS.2007.2. ISBN 978-1-4244-1853-4. S2CID 2037709.
  9. Ahmed, Tarem; Oreshkin, Boris; Coates, Mark (April 10, 2007). "Machine Learning Approaches to Network Anomaly Detection". Second Workshop on Tackling Computer Systems Problems with Machine Learning Techniques (SysML07). Retrieved 17 June 2019.
  10. "Packet Analyzer - Network Analysis & Scanning Tool | SolarWinds". www.solarwinds.com. Retrieved 2020-12-04.
  11. "Gigabit Ethernet – Is it the future?". ComputerWeekly.com. Retrieved 2020-12-04.
  12. Erik Hjelmvik (2008). "Passive Network Security Analysis with NetworkMiner". Forensic Focus. Archived from the original on 2012-02-23. Retrieved 2012-07-08.
  13. Mike Pilkington (2010). "Protecting Admin Passwords During Remote Response and Forensics". SANS. Retrieved 2012-07-08.