Full packet capture is an essential component in any cyber security and incident response deployment. By providing analysts with the ability to retrieve malware as it enters a network, analyze and monitor command and control traffic, and understand the extent of the data exfiltrated in a compromise, full packet capture enables a wide variety of active and post-mortem analysis that few other data sources can provide.
PcapDB is a forward-looking, highly scalable, distributed approach to collecting, managing, searching, and sharing network packet captures. It is driven by the packet capture needs of cyber analysts in a large, geographically distributed organization. As a result, the project has had three primary goals:
1. Provide lossless, line-rate packet capture with search interface speeds superior to commercial competitors.
2. A structure that encourages distributed deployment and system management across a wide variety of organizations.
3. A software foundation that invests in our internal capabilities, while reducing our hardware costs for widespread deployment to trivial amounts.
Cyber incident responders and analysts get what they need:
• Full packet capture (pcap)
• Flow history
• IPv4 and IPv6 support
• Fast searching, less error-prone
• Fast full pcap retrieval
• Fast, easy-to-use web interface search
• Improved search accuracy without BPF
PcapDB is unlike any other open source tool. It is a software solution designed for deployment on commodity hardware and capture cards. PcapDB enables large-scale installations at a significantly lower cost than existing commercial solutions: less than $20K per Capture Node, including ~200TB of storage.
PcapDB is an emerging technology for enterprise-wide deployment, with the following key features:
• Centralized PcapDB Search Head
• Directly manages Capture Nodes (status, disks / storage, user access, and interfaces)
• RESTful API for search and retrieval automation
• No per-site tunneling or incoming exceptions needed
    o Capture Nodes talk out to the Search Head only
• Centrally managed search / retrieval
• End-to-end encryption between nodes
Because captured data stays at each site, overall network traffic is reduced. Searches run against the compact index rather than the raw pcap, which drastically reduces query time.
• Exceptionally space-efficient PcapDB indexes (< 0.5% of the size of the captured data) that allow very fast searching
• Captured traffic stored locally at each Capture Node on commodity storage (JBOD enclosures)