When you do a long-term packet capture, the system saves the packets into multiple files. This is necessary because a single file can only be so big and still be manageable. The size of a file is usually configurable, but common file sizes range from 512 MB to 4 GB.
4 GB files may result in better capture-to-disk performance, because the mechanics of closing one file and opening another happen less often. However, 4 GB files are not easy to move around and take longer to open. Some products won’t even open a file that big. This is why Savvius recommends using 512 MB files.
But whether the files are bigger or smaller, a continuous capture over a long period of time is going to generate more than one file, and possibly many of them.
This becomes a challenge for the network engineer who has to look for some particular traffic in a large series of these files. If you know the time range, you could look at the dates of the files; but that would be painful if you had 100, or even 1000, files in the time range. And what if the traffic you are looking for spans multiple files, or is even sprinkled throughout all of them?
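The two-stage approach that makes this tractable, whatever tool you use, is to first narrow the series of rotated files by the time span each one actually covers, and only then walk packets in the surviving files looking for the address of interest. The script below is an added example, not Savvius code and not part of the original post: it reads the libpcap file format directly with the standard library, computes each file's first and last timestamp, selects the files overlapping a requested window, and returns every IPv4 packet in that window involving a given address. The three "rotated" capture files, their packets and the addresses (10.0.0.5, 10.0.0.7, 192.0.2.x) are constructed in memory for the demonstration.

```python
import struct
import ipaddress

# libpcap format constants (classic pcap, not pcapng)
PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len


def build_ipv4_frame(src, dst, payload=b""):
    """Constructed minimal Ethernet + IPv4 frame (zero MACs, no checksum); enough for header parsing."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + payload


def build_pcap(packets):
    """Serialize [(unix_timestamp, frame_bytes), ...] into the bytes of one pcap file."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += RECORD_HDR.pack(sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


def iter_pcap(data):
    """Yield (timestamp, frame) for each record; checks the magic and refuses truncated records."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    ghdr = struct.Struct(endian + "IHHiIII")
    rhdr = struct.Struct(endian + "IIII")
    off = ghdr.size
    while off + rhdr.size <= len(data):
        sec, usec, incl_len, _orig_len = rhdr.unpack_from(data, off)
        off += rhdr.size
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated pcap record")
        off += incl_len
        yield sec + usec / 1e6, frame


def file_time_span(data):
    """Return (first_timestamp, last_timestamp) of a pcap, or (None, None) if it holds no packets."""
    first = last = None
    for ts, _ in iter_pcap(data):
        if first is None:
            first = ts
        last = ts
    return first, last


def frame_ipv4_addrs(frame):
    """Return (src, dst) strings for an Ethernet/IPv4 frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl:
        return None
    # source and destination sit at fixed offsets 12 and 16 of the IPv4 header, options or not
    return str(ipaddress.IPv4Address(frame[26:30])), str(ipaddress.IPv4Address(frame[30:34]))


def select_files(files, start, end):
    """Stage 1: names of files (dict name -> bytes) whose packet time span overlaps [start, end]."""
    hits = []
    for name, data in files.items():
        first, last = file_time_span(data)
        if first is not None and first <= end and last >= start:
            hits.append(name)
    return sorted(hits)


def search_ip(files, ip, start, end):
    """Stage 2: (file, timestamp, src, dst) for every in-window IPv4 packet involving ip."""
    results = []
    for name in select_files(files, start, end):
        for ts, frame in iter_pcap(files[name]):
            if not (start <= ts <= end):
                continue
            addrs = frame_ipv4_addrs(frame)
            if addrs and ip in addrs:
                results.append((name, ts, addrs[0], addrs[1]))
    return results


# Constructed sample: three rotated files, with 10.0.0.5 sprinkled across all of them.
T0 = 1_700_000_000
SAMPLE_FILES = {
    "capture_000.pcap": build_pcap([(T0 + 0, build_ipv4_frame("10.0.0.5", "192.0.2.10")),
                                    (T0 + 30, build_ipv4_frame("10.0.0.7", "192.0.2.10"))]),
    "capture_001.pcap": build_pcap([(T0 + 60, build_ipv4_frame("10.0.0.7", "192.0.2.20")),
                                    (T0 + 90, build_ipv4_frame("192.0.2.20", "10.0.0.5"))]),
    "capture_002.pcap": build_pcap([(T0 + 120, build_ipv4_frame("10.0.0.5", "192.0.2.30")),
                                    (T0 + 150, build_ipv4_frame("10.0.0.7", "192.0.2.30"))]),
}

if __name__ == "__main__":
    for hit in search_ip(SAMPLE_FILES, "10.0.0.5", T0 + 20, T0 + 130):
        print(hit)
```

On real captures the dictionary would be replaced by the file names in the capture directory, and `file_time_span` only needs to read the first record and seek to the last, so stage 1 stays cheap even across a thousand files; the packet walk in stage 2 is the expensive part, which is exactly why narrowing the file set first matters.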
That is the reality, and the challenge. Now for the good news. Savvius products have the workflow to handle both very large files and very many files.
Omnipeek, the Savvius network performance diagnostics software, provides the Compass Workspace, a special type of Capture Window centered around the Compass Dashboard. Compass can analyze a very large file or many files and display the results in a timeline or in statistical views by nodes, flows, and protocols. To analyze the packets and display the results faster, the Compass Workspace does not load the packets into a capture buffer or run the full set of Omnipeek analytics on them.
In the Capture window you can select particular nodes, protocols, or flows, or even a time range, and then click “Load Packets.” Compass loads the packets from the file or files into the capture buffer and performs analytics like Expert, Peermap, Applications, and VoIP. This workflow lets you view the statistics from multiple files at the same time, and puts you in control of which packets get loaded into Omnipeek.
Those who use Capture Engines for Omnipeek, Omnipliances, or Savvius Insight have the amazing power of forensic search technology at their fingertips. With forensic search you do not have to know about or deal with individual files. Just plug your search criteria into the Forensics Search Dialog and let it do all the work.
Forensic search is great for a number of reasons. Like the Compass Workspace, it provides a simple workflow. Since you usually know the IP address you are looking for, you can plug that in and forensic search retrieves the relevant packets. This results in a faster forensic search than if you enable analysis options; however, you can turn on the analysis you need as well.
Forensic search runs on a separate server, so it does not slow down your local machine. It also runs as a separate thread or task, so you can run multiple forensic searches at the same time and still do other things with your engines.
Once the packets are loaded, you can then make decisions about whether to perform more analysis of the network traffic on the Engine, or select some packets (directly or through the powerful Select Related feature) and bring them back to the Omnipeek Console to analyze locally.
Finally, Savvius Vigil, our Network Forensics appliance, uses forensic search technology to find the packets related to security alerts generated by major detection systems. Vigil performs the forensic search and the resulting packets are saved locally, so you can open them directly in Omnipeek, or in any other analyzer, to perform security breach investigations.
Read more about the features you’ll need and the ramifications you should consider in our Network Forensics Buyer’s Guide.
Chris Bloom, Sr. Manager, Technical Alliances