American Security Today's 2016 CHAMPIONS EDITION Digital Magazine AST 2016 CHAMPIONS EDITION | Page 91

Volume 9
the fact that servers, networks and applications only provide a partial and reduced set of evidence.
For example, a log file from a server can show the health of the server and the applications running at any given time, but it cannot tell exactly what information was exchanged with other servers, networks or applications.
Similar arguments can be made for log files originating from networks and applications. To increase the amount of evidence, we need to shift our focus away from these devices and onto the actual information traversing our networks.
By collecting this type of information, we can reconstruct a complete picture of what occurred, which is done by deploying full packet capture capabilities at strategic points across the network infrastructure.

Ensuring Zero Packet Loss

The first critical challenge to address regarding reliable packet capture for forensic evidence is to ensure that every single packet is captured.
Imagine discovering during a forensic investigation that you are missing the single piece that could complete the puzzle.
A high-speed, uncompromised packet capture solution is needed to capture every single packet, no matter the packet size and packet patterns, at the maximum network operating rate.
For instance, when doing packet capture on a fully utilized 10Gbps network link, 1.23 GByte of new packet data must be written and up to 14.88 million new records must be added to the packet capture database every second.

Rapid Retrieval of Relevant Information

The second critical challenge is finding the relevant information for our forensic investigation in a packet capture database with a size of several hundred TBytes or even PBytes and with billions of individual records. This can best be described as finding the proverbial needle in the haystack, and it is infeasible to go record by record through the entire packet capture database.
Instead, the packet data must be indexed as it is written to the packet capture database to enable fast searching.
(Video: Introducing the Napatech Compact 200G network accelerator NT200A01. With this compact solution get full packet capture of network data at 200G with zero packet loss. Courtesy of Napatech and YouTube)
The most common ways of indexing the packet data are on reception time, addresses, protocol number and port numbers.
Indexing by reception time enables us to quickly find all packet data captured within a certain timeframe; indexing by addresses, protocol number and port numbers enables us to quickly find all packet data exchanged by either one user or between two users.
The various types of indexes can also be combined, allowing us to quickly search for all data exchanged between two parties within a given time window.
Indexing packet data on reception time, address, protocol number and port numbers is an efficient way to quickly find packet data for a forensic investigation.
Efficiency can be improved further by associating every packet originating from a given communication session with a unique session ID
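The following is an added example, not code from the article or from Napatech, illustrating the indexing scheme described above: records are indexed at write time on reception time, addresses, protocol number and port numbers, every packet is tagged with a session ID derived from its direction-independent 5-tuple, and a forensic query combines the indexes (a time window narrowed by two addresses, a protocol or a port) instead of scanning the whole record list. The class and function names, the record layout and the sample packets are all constructed for this illustration.

```python
from bisect import bisect_left, bisect_right
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PacketRecord:
    """One index record per captured packet (constructed layout for this example)."""
    ts: float      # reception time, seconds
    src: str
    dst: str
    proto: int     # IP protocol number: 6 = TCP, 17 = UDP
    sport: int
    dport: int
    length: int    # captured bytes; the packet data itself lives in the capture store


def session_key(rec: PacketRecord) -> tuple:
    """Direction-independent 5-tuple so both halves of a conversation share one session."""
    a, b = (rec.src, rec.sport), (rec.dst, rec.dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return (rec.proto, lo, hi)


class CaptureIndex:
    """Indexes are maintained as records are written; queries never rescan the records."""

    def __init__(self):
        self._ts = []                         # reception times, kept sorted
        self._records = []                    # record id == position in this list
        self._by_addr = defaultdict(set)      # address -> record ids
        self._by_proto = defaultdict(set)     # protocol number -> record ids
        self._by_port = defaultdict(set)      # port (either side) -> record ids
        self._session_ids = {}                # canonical 5-tuple -> session id
        self._by_session = defaultdict(list)  # session id -> record ids in order

    def add(self, rec: PacketRecord) -> int:
        """Index one packet at write time and return the session id it was assigned."""
        if self._ts and rec.ts < self._ts[-1]:
            raise ValueError("records must be indexed in reception order")
        rid = len(self._records)
        self._ts.append(rec.ts)
        self._records.append(rec)
        self._by_addr[rec.src].add(rid)
        self._by_addr[rec.dst].add(rid)
        self._by_proto[rec.proto].add(rid)
        self._by_port[rec.sport].add(rid)
        self._by_port[rec.dport].add(rid)
        sid = self._session_ids.setdefault(session_key(rec), len(self._session_ids))
        self._by_session[sid].append(rid)
        return sid

    def query(self, t0=None, t1=None, addrs=(), proto=None, port=None) -> list:
        """Combine indexes: time window, then every listed address, protocol and port."""
        lo = 0 if t0 is None else bisect_left(self._ts, t0)
        hi = len(self._ts) if t1 is None else bisect_right(self._ts, t1)
        hits = set(range(lo, hi))
        for a in addrs:                       # two addresses => traffic between the two
            hits &= self._by_addr.get(a, set())
        if proto is not None:
            hits &= self._by_proto.get(proto, set())
        if port is not None:
            hits &= self._by_port.get(port, set())
        return sorted(hits)

    def session(self, sid: int) -> list:
        """All records of one conversation, both directions, in reception order."""
        return list(self._by_session[sid])


# Constructed sample packets, not a real capture.
SAMPLE = [
    PacketRecord(100.0, "10.0.0.1", "10.0.0.53", 17, 51000, 53, 76),
    PacketRecord(100.1, "10.0.0.53", "10.0.0.1", 17, 53, 51000, 140),
    PacketRecord(100.2, "10.0.0.1", "10.0.0.2", 6, 40000, 443, 74),
    PacketRecord(100.3, "10.0.0.2", "10.0.0.1", 6, 443, 40000, 74),
    PacketRecord(100.4, "10.0.0.3", "10.0.0.2", 6, 41000, 443, 74),
    PacketRecord(105.0, "10.0.0.1", "10.0.0.2", 6, 40000, 443, 1514),
]


def build_sample_index():
    """Index the sample packets; returns the index and the session id of each record."""
    idx = CaptureIndex()
    sids = [idx.add(r) for r in SAMPLE]
    return idx, sids


if __name__ == "__main__":
    idx, sids = build_sample_index()
    print("session ids:", sids)
    print("10.0.0.1 <-> 10.0.0.2 in [100, 101]:", idx.query(100.0, 101.0, addrs=("10.0.0.1", "10.0.0.2")))
    print("all UDP:", idx.query(proto=17))
    print("session 1:", idx.session(1))
```

The session key sorts the two (address, port) endpoints so that request and reply packets of one conversation get the same session ID, which is what makes a per-session lookup cheaper than re-intersecting the address and port indexes for every query. A real capture database would hold these indexes on disk and in fixed-size structures so that they can be updated at the 14.88 million records per second the article cites; the set-based structures here only show the query logic.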