Packet capture appliance


A packet capture appliance is a standalone device that performs packet capture. Packet capture appliances may be deployed anywhere on a network; however, they are most commonly placed at the entrances to the network (i.e. the internet connections) and in front of critical equipment, such as servers containing sensitive information.

In general, packet capture appliances capture and record all network packets in full (both header and payload); however, some appliances may be configured to capture a subset of a network's traffic based on user-definable filters. For many applications, especially network forensics and incident response, it is critical to conduct full packet capture, though filtered packet capture may be used at times for specific, limited information gathering purposes.

Deployment

The network data that a packet capture appliance captures depends on where and how the appliance is installed on a network. There are two options for deploying packet capture appliances on a network. One option is to connect the appliance to the SPAN port (port mirroring) on a network switch or router. A second option is to connect the appliance inline, so that network activity along a network route traverses the appliance (similar in configuration to a network tap, but the information is captured and stored by the packet capture appliance rather than passed on to another device).

When connected via a SPAN port, the packet capture appliance may receive and record all Ethernet/IP activity for all of the ports of the switch or router.

When connected inline, the packet capture appliance captures only the network traffic traveling between two points, that is, traffic that passes through the cable to which the packet capture appliance is connected.

There are two general approaches to deploying packet capture appliances: centralized and decentralized.

Centralized

With a centralized approach, one high-capacity, high-speed packet capture appliance connects to a data-aggregation point. The advantage of a centralized approach is that with one appliance you gain visibility over the network's entire traffic. This approach, however, creates a single point of failure that is a very attractive target for hackers; additionally, one would have to re-engineer the network to bring traffic to the appliance, and this approach typically involves high costs.

Decentralized

With a decentralized approach you place multiple appliances around the network, starting at the point(s) of entry and proceeding downstream to deeper network segments, such as workgroups. The advantages include: no network re-configuration required; ease of deployment; multiple vantage points for incident response investigations; scalability; no single point of failure – if one fails, you have the others; if combined with electronic invisibility, this approach practically eliminates the danger of unauthorized access by hackers; low cost. Cons: potential increased maintenance of multiple appliances.

In the past, packet capture appliances were sparingly deployed, oftentimes only at the point of entry into a network. Packet capture appliances can now be deployed more effectively at various points around the network. When conducting incident response, the ability to see the network data flow from various vantage points is indispensable in reducing time to resolution and narrowing down which parts of the network ultimately were affected. By placing packet capture appliances at the entry point and in front of each workgroup, following the path of a particular transmission deeper into the network is simplified and much quicker. Additionally, the appliances placed in front of the workgroups would show intranet transmissions that the appliance located at the entry point would not be able to capture.

Capacity

Packet capture appliances come with capacities ranging from 500 GB to 192 TB and more. Only a few organizations with extremely high network usage would have use for the upper ranges of capacities. Most organizations would be well served with capacities from 1 TB to 4 TB.

A good rule of thumb when choosing capacity is to allow 1 GB per day for heavy users down to 1 GB per month for regular users. For a typical office of 20 people with average usage, 1 TB would be sufficient for about 1 to 4 years.

Link speed (ratio 100/0)    100 Mbit/s    1 Gbit/s    10 Gbit/s    40 Gbit/s
Data on disc per second     12.5 MB       125 MB      1.25 GB      5 GB
Data on disc per minute     750 MB        7.5 GB      75 GB        300 GB
Data on disc per hour       45 GB         450 GB      4.5 TB       18 TB

The ratio 100/0 means simplex traffic; on real links you can have even more traffic.

Features

Filtered vs. full packet capture

Full packet capture appliances capture and record all Ethernet/IP activity, while filtered packet capture appliances capture only a subset of traffic based on a set of user-definable filters, such as IP address, MAC address or protocol. Unless using the packet capture appliance for a very specific purpose covered by the filter parameters, it is generally best to use full packet capture appliances or otherwise risk missing vital data. Particularly when using a packet capture for network forensics or cybersecurity purposes, it is paramount to capture everything, because any packet not captured on the spot is a packet that is gone forever. It is impossible to know ahead of time the specific characteristics of the packets or transmissions needed, especially in the case of an advanced persistent threat (APT). APTs and other hacking techniques rely for success on network administrators not knowing how they work and thus not having solutions in place to counteract them.

Intelligent packet capture

Intelligent packet capture uses machine learning to filter and reduce the amount of network traffic captured. Traditional filtered packet capture relies on rules and policies which are manually configured to capture all potentially malicious traffic. Intelligent packet capture uses machine learning models, including features from cyber threat intelligence feeds, to scientifically target and capture the most threatening traffic. Machine learning techniques for network intrusion detection, traffic classification, and anomaly detection are used to identify potentially malicious traffic for collection.

Encrypted vs. unencrypted storage

Some packet capture appliances encrypt the captured data before saving it to disk, while others do not. Considering the breadth of information that travels on a network or internet connection and that at least a portion of it could be considered sensitive, encryption is a good idea for most situations as a measure to keep the captured data secure. Encryption is also a critical element of authentication of data for the purposes of data/network forensics.

Sustained capture speed vs. peak capture speed

The sustained capture speed is the rate at which a packet capture appliance can capture and record packets without interruption or error over a long period of time. This is different from the peak capture rate, which is the highest speed at which a packet capture appliance can capture and record packets. The peak capture speed can only be maintained for a short period of time, until the appliance's buffers fill up and it starts losing packets. Many packet capture appliances share the same peak capture speed of 1 Gbit/s, but actual sustained speeds vary significantly from model to model.

Permanent vs. overwritable storage

A packet capture appliance with permanent storage is ideal for network forensics and permanent record-keeping purposes because the data captured cannot be overwritten, altered or deleted. The only drawback of permanent storage is that eventually the appliance becomes full and requires replacement. Packet capture appliances with overwritable storage are easier to manage because once they reach capacity they will start overwriting the oldest captured data with the new; however, network administrators run the risk of losing important capture data when it gets overwritten. In general, packet capture appliances with overwrite capabilities are useful for simple monitoring or testing purposes, for which a permanent record is not necessary. Permanent, non-overwritable recording is a must for network forensics information gathering.

GbE vs. 10 GbE

Most businesses use Gigabit Ethernet speed networks and will continue to do so for some time. If a business intends to use one centralized packet capture appliance to aggregate all network data, it would probably be necessary to use a 10 GbE packet capture appliance to handle the large volume of data coming to it from all over the network. A more effective way is to use multiple 1 Gbit/s inline packet capture appliances placed strategically around the network so that there is no need to re-engineer a gigabit network to fit a 10 GbE appliance.

Data security

Since packet capture appliances capture and store a large amount of data on network activity, including files, emails and other communications, they could, in themselves, become attractive targets for hacking. A packet capture appliance deployed for any length of time should incorporate security features, to protect the recorded network data from access by unauthorized parties. If deploying a packet capture appliance introduces too many additional concerns about security, the cost of securing it may outweigh the benefits. The best approach would be for the packet capture appliance to have built-in security features. These security features may include encryption, or methods to "hide" the appliance's presence on the network. For example, some packet capture appliances feature "electronic invisibility", where they have a stealthy network profile by not requiring or using IP or MAC addresses.

Though connecting a packet capture appliance via a SPAN port appears to make it more secure, the packet capture appliance would ultimately still have to be connected to the network in order to allow management and data retrieval. Though not accessible via the SPAN link, the appliance would be accessible via the management link.

Despite the benefits, the ability to control a packet capture appliance from a remote machine presents a security issue that could make the appliance vulnerable. Packet capture appliances that allow remote access should have a robust system in place to protect them against unauthorized access. One way to accomplish this is to incorporate a manual disable, such as a switch or toggle that allows the user to physically disable remote access. This simple solution is very effective, as it is doubtful that a hacker would have an easy time gaining physical access to the appliance in order to flip a switch.

A final consideration is physical security. All the network security features in the world are moot if someone is simply able to steal the packet capture appliance or make a copy of it and have ready access to the data stored on it. Encryption is one of the best ways to address this concern, though some packet capture appliances also feature tamperproof enclosures.

See also

Intrusion detection
Packet capture
Packet sniffer
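The Capacity figures (the link-speed table and the per-user rule of thumb) and the sustained-versus-peak buffer behaviour, worked through as an added example that is not part of the article; the link rates are the table's, while the 4 GB buffer and 600 Mbit/s sustained rate at the end are assumed values.

```python
"""Capture-storage sizing for a packet capture appliance.

Added example, not from the article. Link rates are the article's table;
the buffer size and sustained rate used at the bottom are assumptions.
"""
from datetime import timedelta

MB, GB, TB = 10**6, 10**9, 10**12  # decimal units, as in the article's table


def bytes_on_disk(link_bps, seconds, utilization=1.0, duplex=False):
    """Bytes written to disk when a link is captured for `seconds`.

    utilization=1.0 and duplex=False reproduce the table's 100/0 column
    (one direction saturated); a full-duplex link saturated both ways
    can write up to twice as much.
    """
    directions = 2 if duplex else 1
    return link_bps / 8 * seconds * utilization * directions


def capacity_table(link_rates_bps):
    """Rebuild the Data-on-Disc table: {rate_bps: (per_sec, per_min, per_hr)}."""
    return {r: tuple(bytes_on_disk(r, s) for s in (1, 60, 3600))
            for r in link_rates_bps}


def retention_days(capacity_bytes, daily_bytes):
    """Days of history an overwritable appliance keeps before the oldest
    capture is overwritten (equally, days until permanent storage is full)."""
    return capacity_bytes / daily_bytes


def seconds_until_loss(buffer_bytes, peak_bps, sustained_bps):
    """How long a burst at the peak rate lasts before the buffer overflows,
    given the slower sustained write rate; unbounded if there is no excess."""
    excess_bps = peak_bps - sustained_bps
    return float("inf") if excess_bps <= 0 else buffer_bytes / (excess_bps / 8)


if __name__ == "__main__":
    rates = [100 * 10**6, 10**9, 10 * 10**9, 40 * 10**9]
    for rate, (s, m, h) in capacity_table(rates).items():
        print(f"{rate / 10**6:>6.0f} Mbit/s: {s / MB:.1f} MB/s "
              f"{m / GB:.2f} GB/min {h / GB:.0f} GB/hr")
    # Rule of thumb from the article: 1 GB/day per heavy user,
    # 1 GB/month per regular user; 20-person office, 1 TB appliance.
    users = 20
    print(f"1 TB, 20 regular users: {retention_days(TB, users * GB / 30) / 365:.1f} years")
    print(f"1 TB, 20 heavy users:   {retention_days(TB, users * GB):.0f} days")
    # Contrast: the same 1 TB at a saturated 1 Gbit/s simplex link.
    print("1 TB at 1 Gbit/s line rate:", timedelta(seconds=TB / bytes_on_disk(10**9, 1)))
    # Assumed appliance: 4 GB buffer, 1 Gbit/s peak, 600 Mbit/s sustained.
    print(f"burst at peak survives {seconds_until_loss(4 * GB, 10**9, 600 * 10**6):.0f} s")
```

The contrast between the usage-based estimate (years) and the line-rate estimate (a little over two hours for 1 TB at 1 Gbit/s) is why capacity is sized from actual traffic volume, while sustained rate, not peak, decides whether packets are dropped.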
