19 Feb 2013

How to create a Full Packet Capture

0 comments Permalink Tuesday, February 19, 2013

This article was written by Tyson Garrett, COO of Packetloop in our Support Forums. I thought it was to good to just live in support, so here it is.


Once you’ve decided that you’d like to start doing full packet capture, your may well ask how? There are two basic steps in performing full packet captures.
  1. Take a copy of the Network Data
  2. Storing the data as a Full Packet Capture
If you know how to perform these two steps, then we expect to see you uploading shortly! If you don't then read on.

Taking a copy of the Network Data

Well depending on your environment you are going to have a few options:
  1. Use a port mirror (aka span port) configuration on your Internet switch
  2. Do a traffic export from your router (not recommended)
  3. Use a dedicated tapping device
If you want to get started right now, the easiest option with least potential impact will be the port mirror on your Internet switch located between your Internet router and your firewall (you do have a firewall don’t you?). Most modern switches can be configured to send a copy of the traffic traversing this link and send it to another port to which you can connect your capture device (covered in another blog post link here). At Packetloop the terminology we use for this setup is a port mirror. However some switch vendors may instead refer to this as a span port, network monitor, interface monitor or port monitor.
The configuration for setting up each of the switches will be slightly different based on the hardware and software version and specific Vendor. If we haven’t listed your exact model or switch below try checking either the vendors support site or the this page: http://wiki.wireshark.org/SwitchReference

Cisco Switch Port Mirror guides:

Juniper Switches Port Mirror guides:

Note that depending on your environment, when your switch is under heavy load the priority of the port mirror process may be lower than traffic forwarding priority, this may mean the switch will not mirror all the traffic to your capture device from time to time.
In situations where this is an issue for your network, or for where you would like a more dedicated solution we recommend a network tap.

Network Taps

Network taps are purpose built devices that will mirror all traffic passing between two devices such as your firewall and internet router. This is achieved by the connecting your internet router into the first port of the network tap and your firewall into the second port. The third port of the network tap is where you then attach your capture device. Most network taps operate in a failsafe method whereby if the network tap loses power it will stop mirroring the traffic to your capture device but will still pass the traffic between your firewall and internet router. 
Other models of network taps allow your to scale this out to allow you to perform this across multiple segments. eg. You have 10x100Mb connections that are mirrored to 1x1Gb capture device.
Some vendors that sell these network taps are listed below. Note that we are not endorsing any of these products. If you have used alternative taps with success please let us know and we will add it to the list.

Netoptics: http://www.netoptics.com/products/network-taps

Network Critical: http://www.networkcritical.com/

Gigamon: http://www.gigamon.com/g-tap-a-series-always-on-network-taps

Storing the Data as a Full Packet Capture

Now that you've configured your network to send a copy of your traffic down a port, the next decision you need to make is what do I use to actually capture this traffic. As per the port mirror options there are multiple solutions to performing this within your environment such as:
  1. Use an existing computer (laptop/desktop/server);
  2. Use a dedicated capture appliance.
If you want to start capturing right now, using an existing piece of equipment is most likely going to be your only option. Whilst the dedicated capture appliance is most likely the more robust method, it will incur additional cost and unless you have one lying about you won't be able to start capturing date until you receive and configure it.
 To get going with the first option you can use a device running Windows, UNIX or Mac OS X. If you are using UNIX or OS X you will just need the tcpdump application. If you are running Windows we recommend you get Wireshark and as part of the Wireshark installation, install WinPCAP.
Now before you start running these applications you need to determine the following:

How am I going to ensure the timestamps in my capture files are accurate?

As your capture device is going to have at least one interface dedicated to capturing traffic, you are going to need a management interface on the device to allow you to sync with either an internal or external time source. To assist with correlation it's best if you use the same time source that your internal systems use.

Where am I going to save the data to?

Depending on the network you are capturing traffic from your daily captures may be anywhere from less then 1Gb per day to more than 1Tb per day. Coupled with the rollover question discussed below you'll need to determine how you can ensure you don't run out of disk space on the local device. Options such as moving the data to a external USB device or a network share as a scheduled task/cron job will ensure you can capture local and then store remote. Once you've captured the data don't panic about the size of the files, you will be able to compress them for archival purposes. Depending on the exact traffic mix you should expect the compresses file size to be b/w 20%-30% of the original size. We recommend using and 7zip for Windows or lama for Linux (on CentOS / Fedora / RHEL / Redhat Linux known as xz)

How often do I want to rollover to a new capture file?

To make your capture files easy to move around we recommend you roll them over once they hit 1Gb of traffic. This also allows us to process them in parallel, getting you results back much faster.
To do do this with tcpdump it's fairly easy using the -C parameter. Where the number after the -C is in millions of bytes. For example to run a tcpdump on eth1, saving the full packet size, a capture filename of Internet-Monitor (in the /var/captures directory) preceded by the date and time and a rollover of once every 1Gb the command would be:
sudo nohup tcpdump -i eth1 -s 65535 -w /var/captures/`date +"%Y%m%d-%T"`-Internet-Monitor.pcap -C 100 &
This will create a series of files as follows:
and so on.
We have run this with nohup to avoid the scenario where you've initiated the capture via a remote logon and want to ensure the capture continues after you logoff or get disconnected. To terminate the capture you'll need to manually kill the process via running:
pkill -9 tcpdump
Alternatively if you wanted to roll the file over every 1 hour or every 1Gb (whichever comes first) we would run the following command:
sudo nohup tcpdump -i eth1 -s 65535 -w /var/captures/%Y-%m-%d-%H:%M:%S-Internet-Monitor.pcap -C 100 -G 3600 &
This will create a series of files as follows:
20130208-21:08:53-Internet-Monitor.pcap1 <- Hourly file went over 1Gb, so tcpdump rolled to a new file
and so on.
As mentioned previously, Windows based systems will require Wireshark with WinPcap. Whilst Wireshark has a user interface to keep things simple we are going to stick with the dumpcap command that is much like tcpdump. It will most likely not be in your path so you'll need to cd into the directory you installed Wireshark into. Due to the way Windows works with network interface names you'll most likely need to run dumpcap with the -D option to determine which interface you wish to capture on.
C:\Program Files\Wireshark>dumpcap -D
1. \Device\NPF_{1EDF5C06-F6BD-41C7-9D91-9257429754E4} (E1G607 Intel(R) PRO/1000 MT Network Connection)
2. \Device\NPF_{08A648A7-21E2-4C45-A54A-E7BEFC3943AD} (E1G6015 Intel(R) PRO/1000 MT Network Connection)
3. \Device\NPF_{883330D9-0FA9-42FA-A74B-19A40D8C74CC} (E1G6016 Intel(R) PRO/1000 MT Network Connection)
If you still aren't sure which interface is which run Wireshark and examine the interface details there (it gives the IP address and some other additional information) the names match up with what is supplied by dumpcap. Presuming device number 3 (3. \Device\NPF_{883330D9-0FA9-42FA-A74B-19A40D8C74CC} (E1G6016 Intel(R) PRO/1000 MT Network Connection)) from the above list is the interface we want to capture on we can just use the -i 3 value. So to rollover capture files with dumpcap once you get over 1Gb we'd run the following command:
dumpcap -P -i 3 -b filesize:1048576 -w c:\captures\Internet-Monitor.pcap
Alternatively if you wanted to roll the file over every 1 hour or every 1Gb (whichever comes first) we would run the following command:
dumpcap -P -i 3 -b filesize:1048576 -b duration:3600 -w c:\captures\Internet-Monitor.pcap

No comments:

Post a Comment