What is Network Packet Capture?
Network packet capture is essential to any team tasked with keeping IT systems or networks secure, operational and performing at their best.
You may have heard the phrase ‘packets don’t lie’. It refers to the fact that, in the event of a cybersecurity or network performance issue, capturing network packets is often the only way to determine exactly what happened, how it happened, and who or what was impacted.
This is an introduction for those who want to learn about packet capture and associated technologies.
Contents
- What is an IP Packet?
- What is Packet Capture?
- How Does Packet Capture Work?
- Do I Need a SPAN, TAP or Network Packet Broker?
- Packet Capture File Formats
- What Different Types of Packet Capture are There?
- What is “Enterprise Class” Packet Capture?
- Is NetFlow the Same as Packet Capture?
- What is Packet Capture Used For?
- Packet Analysis and Protocol Decoding
- What is Packet Metadata?
- Extracting Information from Packet Captures
- Integrating Full Packet Capture into SIEM, SOAR, IDS, NDR, NPM, (and the Alphabet Soup!)
- Conclusion
What is an IP Packet?
Networks transfer information from one computer to the next in the form of packets.
Most common are Internet Protocol version 4 (IPv4) packets carried over Ethernet frames. IPv4 packets consist of a header and a payload. The header carries the information needed to route the packet across the internet, including the source and destination addresses; the payload contains the actual data being transmitted. Decoding packets yields a lot of valuable information, such as:
- where are these network packets being sent?
- who sent them?
- what’s being sent inside the packets?
Fortunately, we have software to do all the decoding for us so we humans can easily read what’s contained in the packets without having to be a protocol guru!
What is a packet header?
A packet header contains important information needed to deliver the packet to the right recipient. Header fields include source address, destination address, packet length, priority, and information about the payload or content of the packet.
What is the packet payload?
The packet payload contains the data to be transmitted over the network, and it varies in length. A short payload may fit within a single packet; a long payload may be divided into fragments, with each fragment sent in a separate packet. Analysing packet payloads can tell us a lot about what is being sent over a network and what protocols or applications are involved.
For more information about packet capture files read our What is a PCAP File introduction.
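The header and payload split described above, as an added example that is not code from the article or from Endace: it builds a constructed IPv4 packet carrying a TCP segment, decodes the header fields a capture tool would show (length, TTL, protocol, fragmentation, addresses), verifies the RFC 791 header checksum, and extracts the 5-tuple. All addresses and bytes are constructed test data (192.0.2.10 is from the TEST-NET-1 documentation range), and the function names are this example's own.

```python
import struct
from ipaddress import IPv4Address

# Added example (not from the original article): parse an IPv4 header and the
# TCP ports behind it, verify the header checksum, and produce the 5-tuple.
# All packet bytes below are constructed test data, not captured traffic.


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the IPv4 header.

    Run over a header whose stored checksum is correct, the result is 0;
    run over a header with the checksum field zeroed, it yields the value
    that belongs in that field.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp_packet(src: str, dst: str, sport: int, dport: int,
                          payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet carrying a TCP SYN segment (constructed data)."""
    # TCP header: ports, seq, ack, data offset (5 words), flags (SYN), window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill the checksum field
    return ip + tcp + payload


def parse_ipv4(packet: bytes) -> dict:
    """Decode the IPv4 header fields and reject malformed or corrupted headers."""
    if len(packet) < 20:
        raise ValueError("buffer too short for an IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl,
     proto, _cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError("not an IPv4 packet (version %d)" % version)
    if ihl < 20 or ihl > len(packet):
        raise ValueError("invalid header length %d" % ihl)
    if total_len < ihl or total_len > len(packet):
        raise ValueError("total length %d inconsistent with buffer" % total_len)
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch (corrupted or tampered header)")
    return {
        "header_len": ihl, "total_len": total_len, "id": ident, "ttl": ttl,
        "protocol": proto,
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # in bytes
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
    }


def five_tuple(packet: bytes):
    """(src, dst, protocol, sport, dport) for TCP/UDP; ports are None otherwise."""
    ip = parse_ipv4(packet)
    if ip["frag_offset"] != 0:
        # only the first fragment carries the transport header
        return (ip["src"], ip["dst"], ip["protocol"], None, None)
    l4 = packet[ip["header_len"]:ip["total_len"]]
    if ip["protocol"] in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        return (ip["src"], ip["dst"], ip["protocol"], sport, dport)
    return (ip["src"], ip["dst"], ip["protocol"], None, None)


def header_is_valid(packet: bytes) -> bool:
    """True when the header parses and its checksum verifies."""
    try:
        parse_ipv4(packet)
        return True
    except ValueError:
        return False


# Constructed sample: 10.0.0.5:44321 -> 192.0.2.10:443 with a 4-byte payload
SAMPLE_PACKET = build_ipv4_tcp_packet("10.0.0.5", "192.0.2.10", 44321, 443, b"ping")
# Same packet with one header byte (the TTL) altered after the checksum was computed
CORRUPTED_PACKET = SAMPLE_PACKET[:8] + b"\x01" + SAMPLE_PACKET[9:]

if __name__ == "__main__":
    print(parse_ipv4(SAMPLE_PACKET))
    print(five_tuple(SAMPLE_PACKET))
    print("corrupted header accepted:", header_is_valid(CORRUPTED_PACKET))
```

The checksum check matters more than it looks: a decoder that trusts a header whose checksum does not verify will happily report a wrong length or protocol, which is exactly how a damaged or tampered packet misleads an analyst.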
What is Packet Capture?
Network packet capture is the act of recording packets that traverse a computer network, including every packet header and packet payload. Once packets have been captured, IT personnel can view the header and payload of any captured packet using a GUI-based decode viewer. Packet capture files can be saved in a common file format such as pcap, pcapng or erf (for more information about the ERF record format, see erf).
Packet capture is used to investigate security threats or search for the root cause of network or performance issues. Logging and monitoring tools can alert you to an issue but often lack sufficient data for you to determine the root cause of the problem or extent of the threat.
Packet capture fills in essential missing details that you need in order to solve outages, performance issues or cybersecurity threats. Using packet capture speeds up the incident response process just like CCTV footage can speed up crime scene investigations.
How Does Packet Capture Work?
Network packet capture can be done in a variety of ways. At the most basic level, packets can be captured and recorded using packet capture software installed on a personal computer and setting a network card (NIC) to “promiscuous mode” to “listen” to all traffic on the network. Historically this was often referred to as “packet sniffing”.
More advanced packet capture solutions typically use dedicated packet capture hardware (or virtual machines in cloud environments) and are variously referred to as network recorders, network sniffers, network analyzers, packet analyzers or packet capture appliances.
In both cases, packet capture solutions receive all traffic on the network regardless of its intended destination. Every packet received on the monitoring port is written to disk. Other devices on the network are unaware of, and unaffected by, the packet capture process. This is often referred to as passive monitoring or out-of-band monitoring.
Do I Need a SPAN, TAP or Network Packet Broker?
A packet capture system needs access to a copy of the network traffic, that is where the terms SPAN, TAP or NPB come in.
A SPAN (Switched Port Analyzer) port, also known as a mirror port, is a dedicated port on a switch, router or firewall that provides a copy of the traffic passing through the device. This is the cheapest and easiest way to connect a packet capture system, since SPAN ports are available on most networking devices deployed today and can usually be configured with a few simple CLI commands. The downside of SPAN ports is that they don’t cope with high traffic rates and drop packets when the port reaches its limit, which makes it difficult to troubleshoot a performance issue or outage when you don’t know whether a packet was dropped by the network or by the SPAN port.
A TAP (Test Access Point) is a 3-port hardware device inserted into the network link to provide an exact copy of the network packets. Unlike SPAN ports, TAPs do not drop packets and don’t introduce extra delays, but they are more costly to install since they require extra hardware and cabling. Fibre TAPs are passive optical devices that require no power; they can be connected to singlemode or multimode fiber-optic networks. Copper TAPs are active devices that need power; they connect to Ethernet links such as 10/100/1000BASE-T or 10GBASE-T. Connecting a packet capture system directly to a TAP is the most accurate and reliable way to record network traffic.
A Network Packet Broker (NPB) is a specialised switch for collecting and grooming monitored traffic from multiple TAPs or SPAN ports. Deploying an NPB provides flexibility and improved monitoring efficiency with capabilities such as aggregation, filtering, load balancing, replication, deduplication and selective monitoring. Connecting a packet capture system to an NPB enables simultaneous recording of multiple networks or network segments and gives you the ability to reconfigure the monitoring points you’re capturing from with a few clicks of the mouse.
Packet Capture File Formats
Packet capture files (also referred to as packet trace, network trace or pcap files) contain the content ("payload") of the actual packets that have traversed the network. The .pcap format is the most common file format. Packets are stored in a flat file along with timestamp and packet length information.
Next-generation pcap (.pcapng) extends this with additional information about the packets and the capture interface, such as drop counters, DNS records, etc.
Extensible Record Format (.erf) adds Provenance metadata, high resolution timestamps and in-band packet loss auditing. Provenance metadata keeps critical information such as the originating system name and system status embedded within the file so forensics teams always know exactly where the erf file originated from.
For more information on Endace's erf (Extensible Record Format) see here.
Although .pcap is the most common format, .pcapng and .erf provide additional capability that standard pcap doesn’t support. The pcapng and erf formats are accepted by Wireshark™ and also supported by many other tools.
For more detailed information on pcap formats see our “What is a PCAP?” introduction.
What Different Types of Packet Capture are There?
On-Demand Packet Sniffing Versus Continuous Packet Capture
On-demand or ad-hoc packet sniffing is useful for troubleshooting immediate issues such as an outage or performance problem, where a quick snapshot of current network activity is needed. On-demand packet sniffers are usually portable devices or software that can be attached to a SPAN or mirror port; they usually have limited packet capture storage and may require a datacentre technician to hook them up when trouble happens. Intermittent issues are difficult to capture with this approach, because you may need to wait for the problem to happen again. It’s not a good idea to rely on on-demand capture for cyber security incident response, because all the important stages of the attack will have already happened before capture starts.
Continuous packet capture (also known as "always-on packet capture"), like that implemented by EndaceProbes, uses a rotating buffer that continuously writes packets to a large RAID array. When the buffer is full, the oldest packet is discarded to make space for the most recently received packet. This is useful when you need to go back in time to investigate issues that occurred at a specific moment in the past, which could be hours, days or weeks ago. It is ideal for investigating cyber security threats or for discovering the root cause of outages or performance issues that your customers report.
If you’re relying on packet evidence to remediate threats or resolve critical issues the packet capture system must have high levels of reliability and uptime. RAID arrays and special high-performance filesystems are employed on commercial packet capture systems, like EndaceProbe, to capture continuously 24hrs a day, 365 days a year for years on end.
Triggered Packet Capture
Triggered packet capture is sometimes used when there is limited storage for capturing packets, but this approach has serious downsides. A specific condition, such as a security alert must occur for packets to be stored to disk.
Firewalls or other security devices often have a small amount of RAM (~few GBytes) dedicated to triggered capture, but it’s usually not enough to investigate a threat or issue properly. If a new type of threat (zero day) occurs, there will be no pre-defined trigger and no critical packet evidence will be captured. No-one can predict what the next threat or issue will look like, making it impossible to define triggers that will reliably trigger packet capture in the event of new and emerging threats.
Truncated Packet Capture
The technique of storing only the packet header and discarding the payload to save storage space is known as truncating, snapping, or slicing packets. Simple truncation techniques include truncating all packets to a fixed length, say 64 bytes, or truncating packets on a specific L4 port. These techniques can cause important information to be lost from the capture, such as exfiltrated files sent out of a network or the TLS handshake used to negotiate encryption, so they should be used with care.
SmartTruncation™ is a patented method employed by EndaceProbes to look deep into the packet and apply truncation only to encrypted payloads whilst leaving important information fully intact like the TLS handshake, or packets on important L4 ports. This is a great way to save on storage whilst minimising information loss.
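The pcap file format described in the "Packet Capture File Formats" section and the snap length used for truncated capture are two sides of one structure: each pcap record stores both the captured length and the original on-wire length, so a reader can tell exactly how much of every packet was sliced away. The following added example (not the article's or Endace's code, and unrelated to SmartTruncation) writes a classic .pcap file with a snaplen, reads it back with format checks, and reports how many records were truncated. The frames and timestamps are constructed test data and the function names are this example's own.

```python
import struct
from dataclasses import dataclass

# Added example (not the article's code): write and read the classic .pcap
# container, applying a snap length so that long frames are stored truncated.
# The frames and timestamps are constructed test data.

PCAP_MAGIC_USEC = 0xA1B2C3D4   # microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond timestamps
LINKTYPE_ETHERNET = 1


@dataclass
class Record:
    ts: float        # packet timestamp, epoch seconds
    data: bytes      # captured bytes (at most snaplen)
    orig_len: int    # length of the packet on the wire

    @property
    def truncated(self) -> bool:
        return len(self.data) < self.orig_len


def write_pcap(frames, snaplen: int, linktype: int = LINKTYPE_ETHERNET, endian: str = "<") -> bytes:
    """Serialize (timestamp, frame) pairs; each frame is 'snapped' to snaplen bytes."""
    out = [struct.pack(endian + "IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)]
    for ts, frame in frames:
        data = frame[:snaplen]                      # truncation happens here
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        # record header: ts_sec, ts_usec, captured length, original length
        out.append(struct.pack(endian + "IIII", sec, usec, len(data), len(frame)))
        out.append(data)
    return b"".join(out)


def _detect_format(blob: bytes):
    """Work out byte order and timestamp resolution from the magic number."""
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", blob[:4])[0]
        if magic == PCAP_MAGIC_USEC:
            return endian, 1_000_000
        if magic == PCAP_MAGIC_NSEC:
            return endian, 1_000_000_000
    raise ValueError("not a pcap file (unrecognised magic number)")


def read_pcap(blob: bytes):
    """Return (snaplen, linktype, records); raise on a malformed or cut-off file."""
    if len(blob) < 24:
        raise ValueError("file shorter than the 24-byte global header")
    endian, divisor = _detect_format(blob)
    _, vmaj, vmin, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "IHHiIII", blob[:24])
    if (vmaj, vmin) != (2, 4):
        raise ValueError("unsupported pcap version %d.%d" % (vmaj, vmin))
    records, off = [], 24
    while off < len(blob):
        if len(blob) - off < 16:
            raise ValueError("record header cut off at offset %d" % off)
        sec, frac, incl_len, orig_len = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("record at offset %d has inconsistent lengths" % (off - 16))
        if len(blob) - off < incl_len:
            raise ValueError("file ends inside packet data (capture stopped mid-write?)")
        records.append(Record(sec + frac / divisor, blob[off:off + incl_len], orig_len))
        off += incl_len
    return snaplen, linktype, records


def truncation_summary(records):
    """(records, truncated records, payload bytes not stored because of the snaplen)."""
    truncated = [r for r in records if r.truncated]
    saved = sum(r.orig_len - len(r.data) for r in truncated)
    return len(records), len(truncated), saved


def roundtrip(frames, snaplen: int, endian: str = "<"):
    """Write then read back; returns (snaplen, linktype, records)."""
    return read_pcap(write_pcap(frames, snaplen, endian=endian))


# Constructed frames: a 60-byte minimum Ethernet frame, a full 1514-byte frame, a 300-byte frame
SAMPLE_FRAMES = [
    (1700000000.25, b"\x00" * 60),
    (1700000000.5, b"\x11" * 1514),
    (1700000001.0, b"\x22" * 300),
]

if __name__ == "__main__":
    snaplen, linktype, records = roundtrip(SAMPLE_FRAMES, snaplen=96)
    print("snaplen", snaplen, "linktype", linktype)
    for r in records:
        print(f"{r.ts:.6f} stored={len(r.data)} wire={r.orig_len} truncated={r.truncated}")
    print("summary (total, truncated, bytes saved):", truncation_summary(records))
```

With a 96-byte snaplen, the two long frames keep only their first 96 bytes, which is enough for Ethernet, IPv4 and TCP headers but not for the application data. The reader refuses records whose captured length exceeds the snaplen or the original length and files that end mid-record, which is how a capture that was cut off while being written shows up in practice.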
Filtered Packet Capture
Filtering packets prior to capture is another way to make the most of storage. Network Packet Brokers are useful for pre-filtering packet data before it’s captured; they often employ complex L2/3/4 and application-layer filters to reduce the number of packets sent to the capture system. Packet capture systems like EndaceProbe also provide pre-capture filters that are applied before packets are written to disk.
Filtering works well when monitoring critical services or subnets (e.g. record all traffic on my finance network) or when trying to exclude background traffic (e.g. exclude all YouTube traffic from being captured). Filtering provides focus on critical services and lengthens the time period recorded.
What is “Enterprise Class” Packet Capture?
A packet capture system holds sensitive data; access to packet data needs to be tightly managed and extremely secure. It’s a critical tool that needs to be there to support you when fighting the hottest of fires: an outage of the packet capture system should never happen at the worst moment. Like other critical IT systems, packet capture must be enterprise class. The solution must include the following properties that won’t exist in home-grown or open source solutions:
- Designed for years of continuous operation, capturing high levels of real-world traffic under real world stress.
- Scalable to operate across large geographically distributed Enterprise networks.
- High levels of redundancy and reliability.
- Integrates with Enterprise IT systems for AAA, RBAC, Logging, etc.
- Robust security that restricts access to sensitive network packet captures to only those that need it.
- Centrally operated and managed.
- Centrally searchable.
- Up to date with the latest patches and security updates.
Is NetFlow the Same as Packet Capture?
The short answer is no, but NetFlow is a nice complement to packet capture. NetFlow’s strength is that it writes headlines. It gives you a very effective high-level view of what’s happened across your network by providing metadata: timestamps, senders’ / receivers’ IP addresses, the ports they communicated on, the length of the conversation and the amount of data transferred. Combining NetFlow and packet capture gives you the ability to monitor the network for problems, and the detailed packet information needed to reconstruct precisely what happened.
For more information about using NetFlow and full packet capture together, see "NetFlow Versus Full Packet Capture".
What is Packet Capture Used For?
Packet Capture for Cybersecurity
Organizations face an increasing flood of security alerts every day. Without access to packet capture data, analysts are forced to reconstruct events by correlating multiple data sources such as log files and metadata. The process is slow and often inconclusive. Hackers may have deleted or modified logs, and metadata often doesn’t have the detail to show the exact chain of events and what was impacted.
Continuous packet capture (or "always-on packet capture") allows cyber security experts to see exactly what happened on the network at any specific moment in the past, so they can fully investigate and defend against even the toughest security threats - such as Zero Day Threats or Advanced Persistent Threats.
With access to packet captures, Security Operations (SecOps) analysts can examine the actual packets relating to a security alert and determine, conclusively, what happened. The result is a faster, more accurate response to security threats.
Packet Capture for Network Outages or Performance Issues
Why is my network slow? Why are my customers receiving poor quality of service? Why does the CEO’s Tuesday video conference always drop out?
These are important questions that you need to answer quickly - especially when research suggests the average cost of a network outage can total thousands or hundreds of thousands of dollars an hour depending on the size of the organization and the industry it is in!
Today's applications are built on complex, multi-tier architectures, making managing the performance of those applications challenging. Application problems can be caused by any one of those tiers, or by any one of the network components that link them together.
Was it the application or the network that caused the issue? Packet capture gives your teams 20/20 hindsight, allowing them to go back to the time of the incident and review packet by packet to understand the root cause of the issue.
Packet Analysis and Protocol Decoding
Wireshark™ is a popular open source packet decoder and analyzer that is easily installed on Windows or macOS. It captures and displays network packets and is useful for viewing small packet capture files exported from other packet capture systems. Most users can be up and running within a few minutes of installation, capturing packets from any interface on their laptop and viewing decodes in the Wireshark GUI. It also has a few nice built-in analysis tools that can provide useful statistics or analyze telephony or wireless traffic.
There is an active community contributing new and enhanced packet decodes with regular software releases. There are also plenty of free online training courses, from basic to advanced use of Wireshark™, and some excellent professional trainers delivering paid courses.
For those who love command-line tools, tcpdump is a command-line packet analyser with many options and filters that are useful for ad hoc analysis. It can be used to filter and analyse network packets in real time, for simple capture of packets to a file, or for post-capture filtering and analysis.
Wireshark™ and tcpdump only handle relatively small volumes of packet data; anything more than 1GB of packet data can cause them to grind to a halt, and searching across a large capture file can be tedious. A dedicated continuous packet capture system like EndaceProbe is much better suited to capturing, searching and analysing large packet captures, from terabytes to petabytes. EndaceProbe makes use of Wireshark™ as a decode viewer, but implements much more efficient packet capture, metadata and fast search, supporting weeks or months of continuous capture.
What is Packet Metadata?
Packet metadata may consist of data collected from both packet headers and packet payloads. It includes information about each packet such as the 5-tuple (IP source/destination, protocol, source/destination port), the application the packets relate to, timestamps, and other useful information. It’s usually stored in a database alongside the packet capture store and its main purpose is to speed up packet search. Metadata is also very useful for a first pass, high-level analysis of recorded network traffic when troubleshooting issues or investigating threats.
What is Deep Packet Inspection?
In addition to the standard (often called 5-tuple) metadata fields that are commonly indexed as packet data is recorded, it is also possible to examine the packets to extract additional information - such as the "application" that the packets relate to. This extraction of additional information from the packets and packet headers is called Deep Packet Inspection (or DPI for short).
The Importance of Indexed Metadata
When you are capturing billions of packets it’s very important to be able to quickly narrow in on the few packets that matter. Metadata is what lets analysts find relevant packets within packet capture files, for example to zero in on DNS traffic or on all packets travelling between specific hosts. Without well-structured and well-indexed metadata, searching for packets related to a specific issue can be painfully slow, especially when dealing with packet data containing more than a few minutes of network activity.
For example, a cyber threat investigation may require analysing all traffic to and from an external malicious IP address so you can answer key questions such as:
- Which hosts in my network communicated with the malicious IP?
- Was any malware downloaded or were command-and-control (C2) channels initiated?
- If a host was infected, did it start probing other hosts in my network?
- What, if any, sensitive data was stolen from my network?
Why Rapid Packet Search is Crucial
Powerful packet search that can return results in seconds is critical to the productivity of your team.
Wireshark™ and tcpdump implement rich BPF (Berkeley Packet Filter) style filtering, but this is only useful if your dataset is small, i.e. under 1GB of packet data. If you’re analyzing days or weeks of network traffic, a dedicated packet capture appliance with rich metadata and powerful indexing will let you search through petabytes of packet capture data quickly. This will enable you to quickly answer key questions to rapidly neutralize a threat, resolve a performance issue or fix an outage.
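The indexed-metadata workflow described in this section, together with the four investigation questions listed above, as an added example that is not code from the article or from Endace: a small in-memory index over 5-tuple flow records (with constructed timestamps, byte counts and an application label standing in for what a DPI engine would assign) that answers which internal hosts talked to a suspicious address, how much data went each way, and whether any of those hosts then started probing other internal hosts. The suspect address 203.0.113.9 is a placeholder from the TEST-NET-3 documentation range, not a real indicator, and the class and function names are this example's own.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example (not the article's or Endace's code): a small in-memory
# metadata index over flow records, with the queries an analyst runs when
# investigating a suspicious external address. All records are constructed.


@dataclass(frozen=True)
class FlowRecord:
    """One metadata record per conversation, as a capture system might index it."""
    start: float    # time of first packet (epoch seconds)
    end: float      # time of last packet
    src: str        # initiating host
    dst: str        # responding host
    proto: int      # 6 = TCP, 17 = UDP
    sport: int
    dport: int
    bytes_out: int  # src -> dst
    bytes_in: int   # dst -> src
    app: str        # application label a DPI engine might assign (constructed)


SUSPECT_IP = "203.0.113.9"  # placeholder from the TEST-NET-3 documentation range, not a real indicator


def constructed_flows():
    base = 1_700_000_000.0
    flows = [
        FlowRecord(base, base + 2, "10.0.0.7", "10.0.0.1", 17, 51000, 53, 80, 180, "dns"),
        FlowRecord(base + 5, base + 65, "10.0.0.7", SUSPECT_IP, 6, 51001, 443, 4_200, 1_500_000, "tls"),
        FlowRecord(base + 70, base + 71, "10.0.0.12", SUSPECT_IP, 6, 40000, 443, 900, 1_200, "tls"),
    ]
    # a burst of short TCP connections from 10.0.0.7 to 15 different ports on one internal host
    for i, port in enumerate(range(20, 35)):
        t = base + 120 + i * 0.2
        flows.append(FlowRecord(t, t + 0.01, "10.0.0.7", "10.0.0.20", 6, 52000 + i, port, 60, 0, "unknown"))
    # a later, large upload from the same host to the suspect address
    flows.append(FlowRecord(base + 200, base + 260, "10.0.0.7", SUSPECT_IP, 6, 51002, 443, 25_000_000, 3_000, "tls"))
    return flows


class MetadataIndex:
    """Flows sorted by start time plus a per-host inverted index for fast lookups."""

    def __init__(self, flows):
        self.flows = sorted(flows, key=lambda f: f.start)
        self.by_host = defaultdict(list)
        for i, f in enumerate(self.flows):
            self.by_host[f.src].append(i)
            self.by_host[f.dst].append(i)

    def flows_with(self, ip, start=None, end=None):
        """Every flow touching ip, optionally restricted to a time window."""
        out = []
        for i in self.by_host.get(ip, ()):
            f = self.flows[i]
            if (start is None or f.end >= start) and (end is None or f.start <= end):
                out.append(f)
        return out

    def peers_of(self, ip):
        return sorted({f.src if f.dst == ip else f.dst for f in self.flows_with(ip)})

    def bytes_exchanged(self, ip):
        """(bytes sent to ip, bytes received from ip) across all flows."""
        sent = received = 0
        for f in self.flows_with(ip):
            if f.dst == ip:
                sent, received = sent + f.bytes_out, received + f.bytes_in
            else:
                sent, received = sent + f.bytes_in, received + f.bytes_out
        return sent, received

    def port_scan_suspects(self, min_ports=10, window=30.0):
        """(src, dst) pairs where src hit >= min_ports distinct TCP ports on dst within window seconds."""
        touches = defaultdict(list)
        for f in self.flows:
            if f.proto == 6:
                touches[(f.src, f.dst)].append((f.start, f.dport))
        suspects = []
        for pair, events in touches.items():
            events.sort()
            for i, (t0, _) in enumerate(events):
                ports = {p for t, p in events[i:] if t - t0 <= window}
                if len(ports) >= min_ports:
                    suspects.append(pair)
                    break
        return sorted(suspects)


def investigate(index, ip):
    """Answer the first questions of a threat investigation from metadata alone."""
    hosts = index.peers_of(ip)
    sent, received = index.bytes_exchanged(ip)
    return {
        "hosts_that_talked_to_ip": hosts,
        "bytes_sent_to_ip": sent,            # the data-theft question
        "bytes_received_from_ip": received,  # the download / C2 question
        "lateral_probes": [p for p in index.port_scan_suspects() if p[0] in hosts],
    }


if __name__ == "__main__":
    idx = MetadataIndex(constructed_flows())
    for k, v in investigate(idx, SUSPECT_IP).items():
        print(k, v)
```

None of these answers required touching a packet payload: the per-host index turns "every flow involving this address" into a dictionary lookup instead of a scan, and the time-window argument is what lets an analyst zoom in on the minutes around an alert. Whether the 25 MB upload was actually sensitive data is the point at which the analyst pivots from metadata to the full packets.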
Extracting Information from Packet Captures
Once you have captured packets, and narrowed in on the packets of interest, there are multiple ways to extract important information out of the packet header and packet payload data.
Packet metadata, like that captured by EndaceProbes, provides a great first level view without needing to look at the packets themselves. From the metadata you can instantly see traffic volumes over time, what applications are running, measure latency, see what conversations are occurring and how much data has been transferred for each conversation, identify port scanning activity, and zoom in or out in the timeline of traffic to look at precursor or post-event activity.
With full packet data on hand, you can reconstruct conversations or transactions and extract files contained within packets of interest. For example, malware files can be reconstructed from packet payloads and submitted to a sandbox or scanner for further analysis. Or sensitive files leaving your network can be reconstructed to determine the precise extent of any data leakage.
Packet data can be parsed to construct easy-to-read logs. Behaviours such as port scanning or probing can be identified easily in logs, and anomalies such as TCP SYN attacks, DNS issues, or illegal protocol actions can be highlighted.
To understand what occurred on your network the Wireshark protocol analyzer is a great tool for taking the next step and digging deeper into the packet data. It’s the best way to see the details of the packets themselves, with full decode of every packet in human readable format. Anyone with a little IT knowledge will quickly gain insights from viewing the decoded packets - the decodes are user friendly and easy to understand.
EndaceProbes include a hosted copy of Wireshark, which means you don’t need to transfer sensitive pcap files around your network and onto your desktop to view packet contents. Instead, you can view Wireshark decodes directly in the EndaceProbe GUI.
Integrating Full Packet Capture into SIEM, SOAR, IDS, NDR, NPM, (and the Alphabet Soup!)
IT, network operations and cybersecurity teams use a suite of tools to keep their systems running safely and efficiently. It’s important for the sanity of these teams that all their tools work seamlessly together, including integrating with packet capture solutions. Learning lots of unique tools and requiring staff to “swivel chair pivot” from one tool to another causes inefficiency and stress.
Integrations make it easy for team members to get quick access to packet captures from within the tools already in use. The goal is to be able to right click on any issue to view the recorded network packets related to that issue - it should be that easy.
Plugins for SIEM tools, or pre-written playbooks for SOAR tools, speed the time to resolution for trouble tickets and security incidents. Packet capture integrations should be ready to install and published on vendor sites like Splunkbase, IBM App Exchange, or on the capture vendor’s own portal. EndaceProbe provides turnkey integrations for multiple third-party tools that have been tried and tested in many environments.
Conclusion
Packet capture is a powerful tool for keeping networks safe, secure and running at their best.
Teams that integrate continuous packet capture into their environments benefit from faster and more precise incident response, and quicker resolution of cyber incidents, performance issues and network outages.
Who is Endace?
Endace specializes in scalable, high-speed, high-performance packet capture. Our solutions are used by some of the world’s biggest organizations on some of the fastest networks on the planet.
If you are looking for a packet capture solution, we’d love to show you why Endace is the best choice. Contact us to book a demo or ask a question.