Traditionally, a network packet capture appliance ingests network traffic and records it in its storage system for future analysis or inspection. This fundamental trait remains the same today; however, the underlying technology has shifted and moved forward to meet larger bandwidth requirements, and 100Gbps links are progressively being developed and deployed.
The fundamental elements here are:
Network packet capture interface (1G/10G/25G/40G/100G)
Secure and reliable storage system
When we use a modern laptop or PC for packet capture, often via Wireshark, performance is limited by the specs of the laptop (copper interface, SSD / NVMe storage, etc.), which are not customized for professional packet capture. One of the prominent disadvantages is that the time-stamping can be highly unreliable because it is done in software. However, when we use a professional packet capture appliance, the network interface is PCIe Gen3 based, with its own processor and dedicated memory, so it holds and processes incoming packets efficiently and timestamps them in real time in hardware. The capture interface essentially plays a major role in the quality and accuracy of captured packets.
It is always a challenge when we talk about a 100Gbps network: at full line rate with fixed minimum-size packets (64 bytes), it yields about 148.8 billion packets per second. Are all of these meaningful data? Even on a 10Gbps network it is 14.88 million packets per second, which is a lot! Therefore there exist built-in hardware modules that do packet pruning, such as splitting, slicing, filtering, scheduled capture, and so on. Nevertheless, a reliable network packet capture appliance does its job at its best here, ingesting packets without a single packet loss, verified by a hardware packet generator, assuring the “pure-ness” of the data. Let us know if you are interested here. Since the capture interface is hardware based, we do not need to worry about operating system resource distribution, interrupts that may cause packet loss, etc.; the packet capture task is handled by the hardware.
A recent development in ComWorth’s SwiftWing Sirius NDR packet capture appliance is a multi-rate capturing system, part of the product line-up for adding dynamicity to the capture interface. It can auto-detect 1G and 10G (Fiber / Copper) form factors, allowing convenience and backward compatibility.
Another element of a packet capture appliance is the storage system, which must be:
highly optimized,
reliable,
recoverable,
scalable (in terms of bandwidth),
expandable (in terms of size), and
FIFO customized.
Have a look at the following capture storage consumption table:
Given that an appliance has a fixed storage space, long-term capture will be susceptible to the full-storage limitation after some duration. Therefore, the storage design must handle FIFO, where the latest captured packets up to a certain (agreed) period must always be available.
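As an added illustration of the line-rate and FIFO retention arithmetic behind the storage discussion (example code written for this article, not ComWorth’s or the Sirius NDR’s own implementation), the following computes packets per second at a fixed frame size, the bytes a PCAP store consumes per second, the retention window a fixed capacity can guarantee, and models the oldest-file-first eviction a FIFO store performs. It assumes the standard 20-byte Ethernet wire overhead per frame and the 16-byte per-record header of the pcap format; all capacities and timestamps are constructed sample values.

```python
"""Line-rate and FIFO retention arithmetic for a packet capture appliance."""
from collections import deque

# Assumed constants: Ethernet wire overhead per frame (8-byte preamble/SFD
# + 12-byte inter-frame gap) and the 16-byte per-record header pcap writes.
WIRE_OVERHEAD_BYTES = 20
PCAP_RECORD_HEADER_BYTES = 16


def line_rate_pps(link_gbps: float, frame_bytes: int = 64) -> float:
    """Frames per second a link carries when every frame is frame_bytes long."""
    return link_gbps * 1e9 / ((frame_bytes + WIRE_OVERHEAD_BYTES) * 8)


def stored_bytes_per_second(link_gbps: float, frame_bytes: int = 64,
                            utilisation: float = 1.0) -> float:
    """Bytes written to disk per second: frame plus pcap record header.
    Wire overhead is not stored, but the header is, which costs most at 64B."""
    pps = line_rate_pps(link_gbps, frame_bytes) * utilisation
    return pps * (frame_bytes + PCAP_RECORD_HEADER_BYTES)


def retention_seconds(capacity_bytes: float, link_gbps: float,
                      frame_bytes: int = 64, utilisation: float = 1.0) -> float:
    """How far back a FIFO store of capacity_bytes can guarantee packets exist."""
    return capacity_bytes / stored_bytes_per_second(link_gbps, frame_bytes, utilisation)


class FifoCaptureStore:
    """Fixed-capacity store that evicts the oldest capture file to admit a new one."""

    def __init__(self, capacity_bytes: int):
        self.capacity = capacity_bytes
        self.used = 0
        self.files = deque()  # (first_ts, last_ts, size_bytes) in arrival order

    def write(self, first_ts: float, last_ts: float, size_bytes: int) -> list:
        """Admit one closed capture file; return the files evicted to make room."""
        if size_bytes > self.capacity:
            raise ValueError("capture file larger than the whole store")
        evicted = []
        while self.used + size_bytes > self.capacity:
            old = self.files.popleft()
            self.used -= old[2]
            evicted.append(old)
        self.files.append((first_ts, last_ts, size_bytes))
        self.used += size_bytes
        return evicted

    def oldest_timestamp(self):
        """Earliest packet time still guaranteed on disk, or None when empty."""
        return self.files[0][0] if self.files else None
```

With 100 TB of capacity on a fully loaded 10Gbps link of 64-byte frames, retention_seconds gives about 84,000 s (roughly 23 hours), which is the kind of figure a capture storage consumption table is built from.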
Since we capture all network traffic, the huge number of captured files can be challenging to manage. The packet indexing function of Sirius NDR meets the need to narrow the search area, offering VLAN, IP, port, protocol and time range filtering. Indexing allows fast searching of packets because of its minimized file size; the index is then used to extract the exact packets from the equivalent PCAP repository. The extracted PCAP file can then be analyzed without fearing that some packets are lost, yielding good confidence in the analysis.
A good bonus function of Sirius NDR is that it comes with multi-channel capturing, meaning each physical capture interface port can be mapped to a specific channel. Each channel is managed separately, and the PCAP created for one channel is not mixed with the others. In this way, Sirius NDR becomes your best PCAP repository; only with organized PCAPs does your journey into the world of packet analysis become even more meaningful.
Author - Cheehow WEE - Has been a Software Engineer for ComWorth Solutions Pte Ltd since 2013. He graduated from Nanyang Technological University as a computer engineer.
ComWorth, founded in 1965, is a provider of network test and measurement equipment for telephony, data networking, network hubs, switches and media connectivity products. For more than 15 years, ComWorth has focused on manufacturing high performance, customizable packet capture & storage appliances, integrating these solutions into enterprise networks to allow total network visibility and monitoring. Giving the best service to clients is always our objective, which is why the slogan “Beyond your expectation” is attached to the ComWorth logo. With offices in Tokyo, Singapore and Germany, ComWorth is also the distributor and reseller of more than 20 industry-renowned brands.
Learn more at www.comworth.com.sg