19 Feb 2013

How to create a Full Packet Capture

Tuesday, February 19, 2013

This article was written by Tyson Garrett, COO of Packetloop, in our Support Forums. I thought it was too good to just live in support, so here it is.

Overview

Once you’ve decided that you’d like to start doing full packet capture, you may well ask how. There are two basic steps in performing full packet captures:
  1. Take a copy of the network data
  2. Store the data as a full packet capture
If you know how to perform these two steps, then we expect to see you uploading shortly! If you don't, read on.

Taking a copy of the Network Data

Depending on your environment you are going to have a few options:
  1. Use a port mirror (aka span port) configuration on your Internet switch
  2. Do a traffic export from your router (not recommended)
  3. Use a dedicated tapping device
If you want to get started right now, the easiest option with the least potential impact is a port mirror on the Internet switch located between your Internet router and your firewall (you do have a firewall, don’t you?). Most modern switches can be configured to send a copy of the traffic traversing this link to another port, to which you connect your capture device (covered in another blog post). At Packetloop the terminology we use for this setup is a port mirror. However, some switch vendors may instead refer to it as a span port, network monitor, interface monitor or port monitor.
The configuration for setting up each switch will differ slightly based on the hardware, the software version and the specific vendor. If we haven’t listed your exact model or switch below, try checking either the vendor's support site or this page: http://wiki.wireshark.org/SwitchReference

Cisco Switch Port Mirror guides:

Juniper Switches Port Mirror guides:

Note that, depending on your environment, when your switch is under heavy load the port mirror process may run at a lower priority than traffic forwarding. This means the switch may not mirror all of the traffic to your capture device from time to time, so your capture will have gaps.
In situations where this is an issue for your network, or where you would like a more dedicated solution, we recommend a network tap.

Network Taps

Network taps are purpose-built devices that mirror all traffic passing between two devices, such as your firewall and Internet router. This is achieved by connecting your Internet router to the first port of the network tap and your firewall to the second port. The third port of the network tap is where you attach your capture device. Most network taps operate in a fail-safe mode: if the tap loses power it stops mirroring traffic to your capture device but still passes the traffic between your firewall and Internet router.
Other models of network taps allow you to scale this out across multiple segments, e.g. 10x100Mb connections that are mirrored to 1x1Gb capture device.
Some vendors that sell these network taps are listed below. Note that we are not endorsing any of these products. If you have used alternative taps with success, please let us know and we will add them to the list.

Netoptics: http://www.netoptics.com/products/network-taps

Network Critical: http://www.networkcritical.com/

Gigamon: http://www.gigamon.com/g-tap-a-series-always-on-network-taps

Storing the Data as a Full Packet Capture

Now that you've configured your network to send a copy of your traffic down a port, the next decision you need to make is what to use to actually capture this traffic. As with the port mirror options, there are multiple ways of doing this within your environment, such as:
  1. Use an existing computer (laptop/desktop/server);
  2. Use a dedicated capture appliance.
If you want to start capturing right now, using an existing piece of equipment is most likely going to be your only option. Whilst a dedicated capture appliance is most likely the more robust method, it will incur additional cost, and unless you have one lying about you won't be able to start capturing data until you receive and configure it.
To get going with the first option you can use a device running Windows, UNIX or Mac OS X. If you are using UNIX or OS X you will just need the tcpdump application. If you are running Windows we recommend you get Wireshark and, as part of the Wireshark installation, install WinPcap.
Now before you start running these applications you need to determine the following:

How am I going to ensure the timestamps in my capture files are accurate?

As your capture device is going to have at least one interface dedicated to capturing traffic, you are going to need a management interface on the device to allow you to sync with either an internal or external time source. To assist with correlation it's best if you use the same time source that your internal systems use.

Where am I going to save the data to?

Depending on the network you are capturing traffic from, your daily captures may be anywhere from less than 1Gb per day to more than 1Tb per day. Coupled with the rollover question discussed below, you'll need to determine how to ensure you don't run out of disk space on the local device. Moving the data to an external USB device or a network share as a scheduled task/cron job lets you capture locally and then store remotely. Once you've captured the data, don't panic about the size of the files: you will be able to compress them for archival purposes. Depending on the exact traffic mix, you should expect the compressed file size to be between 20% and 30% of the original size. We recommend using 7-Zip for Windows or lzma for Linux (on CentOS / Fedora / RHEL / Red Hat Linux known as xz).

How often do I want to rollover to a new capture file?

To make your capture files easy to move around we recommend you roll them over once they hit 1Gb of traffic. This also allows us to process them in parallel, getting you results back much faster.
To do this with tcpdump it's fairly easy using the -C parameter, where the number after -C is in millions of bytes (so 1000 gives a 1Gb rollover). For example, to run a tcpdump on eth1, saving the full packet size, with a capture filename of Internet-Monitor (in the /var/captures directory) preceded by the date and time and a rollover once every 1Gb, the command would be:
sudo nohup tcpdump -i eth1 -s 65535 -w /var/captures/`date +"%Y%m%d-%T"`-Internet-Monitor.pcap -C 1000 &
This will create a series of files as follows:
20130208-19:50:02-Internet-Monitor.pcap
20130208-21:08:53-Internet-Monitor.pcap1
20130208-21:47:39-Internet-Monitor.pcap2
and so on.
We have run this with nohup to cover the scenario where you've initiated the capture via a remote logon and want to ensure the capture continues after you log off or get disconnected. To terminate the capture you'll need to manually kill the process. Send it SIGTERM (pkill's default) rather than -9 so that tcpdump can flush its buffered packets to the final file and print its capture statistics:
sudo pkill tcpdump
Alternatively, if you wanted to roll the file over every 1 hour or every 1Gb (whichever comes first), we would run the following command (with -G the date and time in the filename are expanded by tcpdump itself using strftime codes, so no backticks are needed):
sudo nohup tcpdump -i eth1 -s 65535 -w /var/captures/%Y%m%d-%H:%M:%S-Internet-Monitor.pcap -C 1000 -G 3600 &
This will create a series of files as follows:
20130208-20:08:53-Internet-Monitor.pcap
20130208-21:08:53-Internet-Monitor.pcap
20130208-21:08:53-Internet-Monitor.pcap1 <- Hourly file went over 1Gb, so tcpdump rolled to a new file
20130208-22:08:53-Internet-Monitor.pcap
and so on.
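The "capture locally, then store remotely" scheduled job mentioned earlier, as an added example that is not part of the original article: it treats a capture file as closed once tcpdump has not written to it for a few minutes (the newest file is always the one still open), compresses it with xz as recommended above (falling back to gzip), moves it to an archive mount and warns when local disk runs low. The /var/captures and /mnt/capture-archive paths and the script name in the crontab line are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: cron job that archives
# completed capture files so the capture host never fills up. Assumptions:
# tcpdump writes into CAPTURE_DIR with -C/-G rollover, and a capture file
# untouched for MIN_AGE_MIN minutes is closed, so safe to compress and move.
set -eu

CAPTURE_DIR="${CAPTURE_DIR:-/var/captures}"         # tcpdump -w target
ARCHIVE_DIR="${ARCHIVE_DIR:-/mnt/capture-archive}"  # USB disk or share (assumed mount)
MIN_AGE_MIN="${MIN_AGE_MIN:-5}"
MIN_FREE_KB="${MIN_FREE_KB:-1048576}"               # warn below 1 GiB free locally

# Compressor: xz (lzma) as the article recommends, gzip if xz is not installed.
compressor() {
    if command -v xz >/dev/null 2>&1; then echo xz; else echo gzip; fi
}

# Capture files tcpdump has finished with. With -C the names are name.pcap,
# name.pcap1, name.pcap2, ...; the newest is still open, so only files not
# modified for $2 minutes are returned. Already compressed files are skipped.
completed_captures() {
    find "$1" -maxdepth 1 -type f -name '*.pcap*' \
         ! -name '*.xz' ! -name '*.gz' -mmin "+$2" | sort
}

# Compress one capture locally first (a slow share must not stall tcpdump's
# disk writes), then move the result to the archive. Prints the archived path.
archive_one() {
    f="$1"; dest="$2"
    if [ "$(compressor)" = xz ]; then xz "$f"; out="$f.xz"
    else gzip "$f"; out="$f.gz"; fi
    mv "$out" "$dest/"
    echo "$dest/$(basename "$out")"
}

# Free space in KB on the filesystem holding a path.
free_kb() { df -Pk "$1" | awk 'NR==2 {print $4}'; }

run_archive() {
    mkdir -p "$ARCHIVE_DIR"
    if [ "$(free_kb "$CAPTURE_DIR")" -lt "$MIN_FREE_KB" ]; then
        echo "warning: under $MIN_FREE_KB KB free in $CAPTURE_DIR" >&2
    fi
    completed_captures "$CAPTURE_DIR" "$MIN_AGE_MIN" | while IFS= read -r f; do
        archive_one "$f" "$ARCHIVE_DIR"
    done
}

# Assumed crontab entry:  */15 * * * * /usr/local/bin/archive-captures.sh run
# If tcpdump reports "Permission denied" at rollover it has dropped privileges
# (see -Z in its man page); make CAPTURE_DIR writable by that user.
if [ "${1:-}" = run ]; then run_archive; fi
```

Keep MIN_AGE_MIN comfortably above the time tcpdump needs to finish a file, and check the archive copy decompresses (xz -t / gzip -t) before anything deletes the local copy.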
As mentioned previously, Windows-based systems will require Wireshark with WinPcap. Whilst Wireshark has a user interface to keep things simple, we are going to stick with the dumpcap command, which is much like tcpdump. It will most likely not be in your path, so you'll need to cd into the directory you installed Wireshark into. Due to the way Windows works with network interface names, you'll most likely need to run dumpcap with the -D option to determine which interface you wish to capture on.
C:\Program Files\Wireshark>dumpcap -D
1. \Device\NPF_{1EDF5C06-F6BD-41C7-9D91-9257429754E4} (E1G607 Intel(R) PRO/1000 MT Network Connection)
2. \Device\NPF_{08A648A7-21E2-4C45-A54A-E7BEFC3943AD} (E1G6015 Intel(R) PRO/1000 MT Network Connection)
3. \Device\NPF_{883330D9-0FA9-42FA-A74B-19A40D8C74CC} (E1G6016 Intel(R) PRO/1000 MT Network Connection)
If you still aren't sure which interface is which, run Wireshark and examine the interface details there (it gives the IP address and some other additional information); the names match up with what dumpcap supplies. Presuming device number 3 (3. \Device\NPF_{883330D9-0FA9-42FA-A74B-19A40D8C74CC} (E1G6016 Intel(R) PRO/1000 MT Network Connection)) from the above list is the interface we want to capture on, we can just use the -i 3 value. So to roll over capture files with dumpcap once they get over 1Gb (the filesize value is in kB) we'd run the following command:
dumpcap -P -i 3 -b filesize:1048576 -w c:\captures\Internet-Monitor.pcap
Alternatively if you wanted to roll the file over every 1 hour or every 1Gb (whichever comes first) we would run the following command:
dumpcap -P -i 3 -b filesize:1048576 -b duration:3600 -w c:\captures\Internet-Monitor.pcap
13 Feb 2013

Packetloop Commercial Release - you can upload!

Wednesday, February 13, 2013

Today we are super excited to announce the commercial release of Packetloop! This means you can now upload and analyze your own packet captures, finally unlocking the power of Big Data Security Analytics in the Cloud. 

We had an incredible response to our Beta program and the feedback has proved invaluable in finalising the product you can use today. We kept a few cool things back from the Beta especially for the commercial release, including a beautiful new User Interface (not that we didn't like the old one!).



You will now be able to store months or years of data in Packetloop, and constantly re-evaluate it using the most up to date threat intelligence available. Most importantly if you do uncover a previously undetected attack in your data, Packetloop gives you the ability to rewind the data and fully understand exactly what the attacker has done since they first attacked your network.

Best of all, there is nothing to install. You simply grab packet captures from points around your network where you need a better understanding of the threat activity, and upload them to Packetloop for processing. No large capital outlay, no talking to sales people, no complex integration. Sign up to explore and understand the threats in your network.

Over the past 18 months, we have solved a lot of complex issues on how to store and search the data, and the end result is the ability to seamlessly zoom in from a view of years of data to a view of just a few minutes of data. Packetloop can also present the data from different perspectives such as the source, the destination or even the attack itself, and then filter it rapidly to isolate a single attacker or attack from billions of packets. These are the features that allow Packetloop to provide you with clear intelligence about your network.



Because Packetloop is delivered in the Cloud, we will be able to deliver new and exciting features and updates to you constantly. We have an exciting roadmap of new features and modules to share with you in the near future, and these will only serve to extract more value and intelligence from the data you have already uploaded to Packetloop.

I could carry on here for hours about features and benefits, but we are keen for Packetloop to speak for itself. We need to thank a lot of people for all the support and encouragement we have received from within the information security community globally, so thank you! Finally I would like to acknowledge the herculean efforts of the Packetloop team in creating and delivering such a wonderful product.

We hope you enjoy using Packetloop and we look forward to working closely with you to better understand the security of your network.

What's New in Packetloop 1.0.1!

Wednesday, February 13, 2013
This release is very special to us as it's our commercial release. For us it's the end of a tough yet enjoyable development process. We shipped, soooo happy!

It is important to note that the platform is sparkling new and you will need to sign up for a Free or Paid Account before accessing over 50GB of public datasets or uploading your own packet captures. Any Early Access or Beta accounts have been retired.

In this release we shipped the following features:
  • Redesigned User Interface and Experience
  • Customers can upload data via Web Upload and Send a Disk (up to 16TB!)
  • Live processing for smaller uploads.
  • The ability to delete packet captures after they are processed.

User Interface and Experience

Our first commercial version had to pop! We have gone through three user interface designs whilst in development - it's important to us and we hope you like the design. 

Packetloop "Metro" User Interface - more analytics, less wood panels.

The old user interface was starting to resemble a wood-panelled station wagon and we wanted a clean analytics product look. So out went the bezels, the gradients and panels, and in came a clean design that we call "metro" internally. It wasn't inspired at all by Microsoft or Windows 8 though ;)

We opened up a lot of space in the header, removing space taken up by features that are yet to ship and placing all functions in a pivot on the left hand side.

Feature Pivot
To provide even more space when you are working in the main visualization or the data panels, the menu minimizes when you scroll down to give you more room to operate. It's a subtle and smart transition, allowing data panels to be viewed while the entire main visualization is still rendered.

Header minimised - more data panel with main visualization.

In the main visualization area we added a Zoom to Fit icon and what we call a Follow Annotation. Zoom to Fit used to be in the time period select box, but you end up using it so much it deserved its own button. The Follow Annotation tracks with your mouse pointer, providing a clear view of key threat metrics. It's designed to be unobtrusive, complementing the main visualization rather than taking away from it.

Zoom to Fit and Follow Annotation

Quick Search and Advanced Search are now accessible via icons in the navigation menu. Inspired by vim you can also use hot keys to access them (try forward slash for quick search). 

Quick Search

Just press forward slash and then describe what you are looking for, and make a selection with your mouse or simply press enter.

Advanced Search allows you to type in things you are looking for or click through a linked list. Think of it like a network graph - if you click on a node like Source IP address then all other criteria is filtered based on that node. This allows you to search and filter event data incredibly fast.

Advanced Search

The legend options and guides are now accessible by selecting the plus (+) icon in the Legend area. Guides are a great way to augment your analysis and bring outliers to the surface much faster. In the example below I have enabled the guide for "Looped Attacks".

Legend Options

The "Looped Attacks" guide.

Lastly Packetloop is now supported in more browsers - Internet Explorer 9 and 10, Firefox, Safari and Chrome.

Web Upload and Send a Disk

In this release we enabled the ability to upload full packet captures via Web Upload and Send a Disk methods. For Web Upload click on the "Upload Files" button in the top right, choose or create a Capture Point and then Upload.


Web Upload - Drag and Drop or Click to Select.

Send a Disk upload allows you to capture a massive amount of full packet captures and ship us the disk. You can encrypt the captures with a passphrase and supply the passphrase to us when we process them. We are initially trialling this with US customers and shipping is free. In the next release we will enable it for all customers. We support USB, eSATA or 2.5/3.5 inch disks up to 16TB in size. If you encrypt and compress these archives that is around 32TB of full packet captures! Note that Send a Disk functionality is handled via raising a ticket with support.packetloop.com but will become fully automated in the next release.

All upload methods support gzip, xz (lzma) and bzip2 compression, and also tar archives. So if you want to tar up an entire directory, compress it and upload it via Web Upload or Send a Disk, you can.

Live Processing

We are designed and built for Big Data but we haven't forgotten the little guy. We envisage that a lot of customers will upload relatively small captures to test the service before they commit large amounts of data. We will process small captures live and not even engage the Big Data back end processing making it as fast to process 100Mb as it is to process 1TB.

Packet Capture Deletion

In this release customers are able to delete packet captures after we process them. The decision is totally up to you and will be integrated into all upload methods. Once the packet captures are processed they are only required for looping (searching for zero days) and to make new features instantly accessible when we ship them. All the data extracted from the packet capture is inserted into our NoSQL database to be supplied to the user interface.

After the packet captures have been processed customers can click on Settings -> Usage and then delete the original packet capture or the data extracted from the packet capture.

Thanks again!

To all the people that helped us during Early Access and Private Beta. Your interest, passion, excitement and suggestions have been invaluable to us. We are at the end of the line if you want to reach out to us on Twitter, Google+, Facebook or Support.