Provenance

Packets don't lie. Unless...

  • You don't know where they came from
  • You don't know how they were captured
  • You don't know whether filters were applied or there was any packet loss.

In short, if you don't have context to go along with the packet data, the packets themselves don't give you the entire picture.

What is Provenance?

Provenance structure

Provenance™ is a mechanism for adding context to network packet capture data automatically as the packets are captured – like the metadata in digital images.

Provenance stores this context information in sequential records written into the packet stream as the packets are recorded – so the context always lives with the packet data.

Provenance is a feature supported by all EndaceProbe™ platforms.


Comparing Provenance and pcapng

Like pcapng - the next generation pcap format - Provenance provides a mechanism for adding context to network packet capture data. But its basic design differs from pcapng in a significant way.

Whereas pcapng allows metadata to be added in header blocks, Provenance writes contextual data into sequential records in the packet stream as the packets are recorded. This makes it ideal for recording data that can vary over the course of the packet capture - such as optical power levels or the amount of clock drift from a time signal source.

Provenance is written into recorded packet streams that use ERF (Extensible Record Format), and Provenance records can be read directly in tools, such as Wireshark, that support ERF packet capture files.
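
How an analysis tool might use in-stream context records, as an added example that is not Endace code: it walks the 16-byte ERF record headers and pairs each packet with the most recent metadata record, so packets recorded before any context are visible as such. It assumes Provenance is carried in ERF record type 27 (ERF_TYPE_META in Wireshark's ERF support); the sample stream, its opaque context payloads and the helper names are constructed for illustration.

```python
import struct

ERF_HEADER_LEN = 16
ERF_TYPE_ETH = 2     # Ethernet packet record
ERF_TYPE_META = 27   # assumption: record type that carries Provenance

def erf_record(ts_sec, rec_type, payload):
    """Build one constructed ERF record (helper for the sample data only)."""
    rlen = ERF_HEADER_LEN + len(payload)
    ts = (ts_sec << 32).to_bytes(8, "little")   # 32.32 fixed point, little-endian
    return ts + struct.pack(">BBHHH", rec_type, 0, rlen, 0, len(payload)) + payload

def walk_erf(stream):
    """Yield (seconds, type, body) per record; raise ValueError on a damaged stream."""
    off = 0
    while off < len(stream):
        if len(stream) - off < ERF_HEADER_LEN:
            raise ValueError(f"truncated header at offset {off}")
        ts = int.from_bytes(stream[off:off + 8], "little")
        rec_type, _flags, rlen, _lctr, _wlen = struct.unpack(
            ">BBHHH", stream[off + 8:off + ERF_HEADER_LEN])
        if rlen < ERF_HEADER_LEN or off + rlen > len(stream):
            raise ValueError(f"bad record length {rlen} at offset {off}")
        # Bit 7 of the type byte marks extension headers; they stay in the body here.
        yield ts >> 32, rec_type & 0x7F, stream[off + ERF_HEADER_LEN:off + rlen]
        off += rlen

def attach_context(stream):
    """Pair each packet with the latest metadata record seen before it."""
    context, packets = None, []
    for sec, rec_type, body in walk_erf(stream):
        if rec_type == ERF_TYPE_META:
            context = (sec, body)            # context can change mid-capture
        else:
            packets.append((sec, context))   # None means no context recorded yet
    return packets

# Constructed sample: context payloads are opaque placeholders, not real tag encoding.
SAMPLE = b"".join([
    erf_record(100, ERF_TYPE_ETH, b"\x00" * 64),
    erf_record(101, ERF_TYPE_META, b"constructed-context-A"),
    erf_record(102, ERF_TYPE_ETH, b"\x00" * 64),
    erf_record(103, ERF_TYPE_META, b"constructed-context-B"),
    erf_record(104, ERF_TYPE_ETH, b"\x00" * 64),
])

if __name__ == "__main__":
    for sec, ctx in attach_context(SAMPLE):
        print(sec, "NO CONTEXT" if ctx is None else ctx)
```
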
