What to look for in full-packet-capture and network forensic tools

Matt Pascucci explains what to look for in full-packet-capture network logging and network forensic tools, and areas to focus on during the search.

I'm trying to do some research on full-packet-capture network logging/network forensic logging products. What current trends should I be aware of, and are there any key features or functions I should put at the top of my checklist?


When researching full-packet-capture products and network forensic tools, there are a few things to keep in mind.

First, your organization might already be collecting some of this information with tools like DLP, IPS, firewalls with deep packet inspection, or SIEMs. These systems filter on the header of the packet and, to an extent, the payload, so you need to determine what your goal is with full packet capture. It's very possible that your network already has some of these capabilities in place. Also, many of these tools have the ability to import the full packet captures into their systems for review.

It's also important to be aware of the necessary steps that must be taken before operating such a system, such as obtaining proper permissions and ensuring key IT systems won't be affected.

When looking to deploy a network forensic or full-packet-capture system, there are a few areas to focus your search on:

  • How does the system monitor and record the data that is being collected? Is this data coming in at line speed, or will system performance introduce delays? When looking for an issue from a security perspective, delays are not an option. Verify that the system is able to handle the amount of data that is being thrown at it comfortably, with room to grow.
  • How quickly can the data that is being collected be displayed? There will be a ton of events coming through, so the amount of time it takes to drill into them and get the information needed is important. Once again, speed is key.
  • Verify that you're easily able to view by protocol, MAC, VLAN, geo-IP, and so on, and that you can filter out what you don't need to see.
  • Ensure it has the ability to perform network behavior analysis (NBA) and block traffic that doesn't meet a certain policy. There are some leaders in the field that use the Snort engine to accomplish this task. If you're using this tool for security purposes, you'll need this ability built in.
  • This is normally a given, but verify whether you can download sample packets for inspection in a packet analyzer like Wireshark if needed, or whether you must hand them over to the authorities.
  • Verify how the system timestamps the packets. When dealing with an incident, you need to have the original timestamps, or be as close to real time as possible.
  • Will this system be a passive tap or an inline appliance? This isn't security-related per se, but an inline appliance can become a single point of failure if not deployed correctly.
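Several of the checks above (timestamp fidelity, whether packets are really captured in full rather than cut at a snaplen, and the ability to break traffic down by protocol) can be verified on a sample capture exported from a candidate product. The following is an added example, not code from the column or from any vendor: it parses the classic pcap file format with the standard library only and runs those checks over a small constructed capture that deliberately contains one out-of-order timestamp and one truncated frame.

```python
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800

def _pcap_endianness(magic_bytes):
    """Return (struct endianness prefix, timestamp fraction divisor) from the pcap magic."""
    for endian in ("<", ">"):
        magic, = struct.unpack(endian + "I", magic_bytes)
        if magic == 0xA1B2C3D4:
            return endian, 1e6   # microsecond-resolution timestamps
        if magic == 0xA1B23C4D:
            return endian, 1e9   # nanosecond-resolution timestamps
    raise ValueError("not a pcap file")

def parse_pcap(data):
    """Yield (timestamp_seconds, captured_len, original_len, frame_bytes) per record."""
    endian, divisor = _pcap_endianness(data[:4])
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, frac, caplen, origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield sec + frac / divisor, caplen, origlen, data[off:off + caplen]
        off += caplen

def audit_capture(data):
    """Checklist points: timestamp ordering, snaplen truncation, per-protocol breakdown."""
    report = {"packets": 0, "out_of_order": 0, "truncated": 0, "by_ip_proto": Counter()}
    prev_ts = None
    for ts, caplen, origlen, frame in parse_pcap(data):
        report["packets"] += 1
        if prev_ts is not None and ts < prev_ts:
            report["out_of_order"] += 1   # clock skew, or captures merged out of sequence
        prev_ts = ts
        if caplen < origlen:
            report["truncated"] += 1      # snaplen cut the payload: not a full packet capture
        if len(frame) >= 24 and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_IPV4:
            report["by_ip_proto"][frame[14 + 9]] += 1   # IPv4 protocol field (6=TCP, 17=UDP)
        else:
            report["by_ip_proto"]["non-ipv4"] += 1
    return report

def build_sample_pcap():
    """Constructed sample data: three Ethernet/IPv4 frames, one out of order, one truncated."""
    glob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    def frame(ip_proto):  # minimal Ethernet + IPv4 header, no payload
        ip = bytes([0x45, 0, 0, 20]) + b"\x00" * 4 + bytes([64, ip_proto]) + b"\x00" * 10
        return b"\x00" * 12 + b"\x08\x00" + ip
    records = [(10, 500, frame(6), 0), (10, 400, frame(17), 0), (11, 0, frame(6), 1400)]
    return glob + b"".join(struct.pack("<IIII", s, us, len(f), len(f) + extra) + f
                           for s, us, f, extra in records)
```

Run `audit_capture` over a real export from the product under evaluation; any non-zero `truncated` count means the tool is not storing full packets, and `out_of_order` greater than zero means the timestamps you would rely on during an incident are not trustworthy.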

Precautions to running full-packet capture

  • Full-packet capture is a great way to determine if an attack happened, but you'll still need to have these logs saved somewhere for compliance or forensic reasons, or simply to refer to later on. That part of the process is often overlooked.
  • Security of the packet capture needs to be tight. Since you're attempting to watch over everything in the network, you need to secure this data as you would the actual data.

Beware of privacy concerns that are popping up regarding full-packet capture. Review the privacy laws within your jurisdiction and what you'll be using the data for -- the laws are different from state to state and country to country -- or simply consult your organization's legal team.

This was last published in March 2013
