So you bought an Omnipliance to capture, let’s say, around 10G of traffic. Now you are capturing traffic 24×7, and when there is an issue you can plug in an IP address, or some other filter, and do a forensic search. This decreases MTTR, and life is good. Over time your network got bigger, so you bought more Omnipliances, and used a smart tap to load-balance the traffic across them. Let’s say that at this point you have 10 Omnipliances. This is great, but when it comes to finding the packets, you do not want to run a separate forensic search on each one. So how do you search for packets across all of them? This is where distributed forensics comes in. In Omnipeek this incredibly powerful feature is called “Download Engine Packet Files…”. That is quite a mouthful, and does not do the feature justice, so I prefer to call it Distributed Forensic Search, or DFS for short. And for those of you who are familiar with MSA, the UI and workflow are very similar.

So why is it so powerful? First of all, it allows you to perform a forensic search across any number of Omnipliances from Omnipeek, and view the resulting packets in Omnipeek, without ever leaving Omnipeek. This could be called a single pane of glass. So you save time, because it does not take any more effort to set up the forensic search for 10 Omnipliances than it would take for one. Secondly, since the forensic searches are happening in parallel across any number of Omnipliances, with more CPUs and hard drives, the performance is going to be better, and the overall forensic search is going to take less time and return sooner. So even if you only have 10G of traffic, it may make sense to spread the load across two Omnipliances at 5G each, so that your distributed forensic search will take less time.

Speaking of less time, I know you are busy, so I think it is time to show the workflow. Below is a walkthrough of the steps necessary to perform a distributed forensics search using the Download Engine Packet Files feature.

Select the feature (from the Tools menu):


Set the time range:


Specify filters (optional):

Choose engines (separately or by group):

Monitor the progress:

Download the packets (merge is optional):

Merge:

Analyze:
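To make the fan-out-and-merge behind those steps concrete, here is an added simulation (not Omnipeek's or the vendor's code): the same time range and host filter are run against every engine in parallel, and the per-engine results are merged by timestamp. The engine names, packets and timestamps are constructed sample data.

```python
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from heapq import merge


@dataclass(frozen=True)
class Packet:
    ts: float   # capture timestamp, epoch seconds
    src: str
    dst: str
    length: int


# Constructed sample data: what three capture engines hold after a smart tap
# load-balanced the traffic across them. Each store is already sorted by
# timestamp, as an engine's own packet files would be.
ENGINES = {
    "engine-a": [Packet(100.0, "10.0.0.5", "10.0.0.9", 60),
                 Packet(105.0, "10.0.0.7", "10.0.0.9", 1500),
                 Packet(130.0, "10.0.0.5", "10.0.0.9", 80)],
    "engine-b": [Packet(101.0, "10.0.0.5", "10.0.0.8", 70),
                 Packet(120.0, "10.0.0.6", "10.0.0.8", 90)],
    "engine-c": [Packet(102.0, "10.0.0.9", "10.0.0.5", 64),
                 Packet(125.0, "10.0.0.5", "10.0.0.9", 64)],
}


def engine_search(name, start, end, host=None):
    """One engine's forensic search: time range plus an optional host filter."""
    return [p for p in ENGINES[name]
            if start <= p.ts <= end and (host is None or host in (p.src, p.dst))]


def distributed_search(engines, start, end, host=None):
    """Run the identical search on every engine concurrently (one worker per
    engine, mirroring the parallel searches on separate Omnipliances), then
    merge the sorted per-engine results into one timestamp-ordered stream."""
    with ThreadPoolExecutor(max_workers=len(engines)) as pool:
        futures = {n: pool.submit(engine_search, n, start, end, host) for n in engines}
        per_engine = {n: f.result() for n, f in futures.items()}
    merged = list(merge(*per_engine.values(), key=lambda p: p.ts))
    return per_engine, merged


if __name__ == "__main__":
    per_engine, merged = distributed_search(list(ENGINES), 100.0, 126.0, "10.0.0.5")
    for name, pkts in per_engine.items():
        print(name, [p.ts for p in pkts])
    print("merged", [p.ts for p in merged])
```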

And there you go. So now you can confidently add more Omnipliances, knowing that there is synergy between them to work together to save you time.