There are numerous security use cases where the integration of network packet data provides additional contextual information for better actionability. Free and open source packet capture tools do a great job capturing packets, but how do you collect, aggregate, and analyze that data at scale?
Let’s start with a quick review of packet capture tools, commonly known as packet sniffers, such as Wireshark or stenographer. These tools intercept traffic data from wired or wireless networks and copy it to a file, a pcap. Interception is done primarily through a network tap that mirrors the traffic to the packet sniffer. Collected packets can be encrypted and compressed for later analysis, typically offline. They support hundreds of protocols across multiple platforms to improve network capacity and bandwidth, increase network efficiency, ensure delivery of services, and enhance security. We’ll focus on the “enhance security” benefits of these tools.
Now I don’t know about you, but it’s been a long time (over 15 year) since I’ve had to review a pcap file. The free and open source tools have filters and other basic analysis tools to help read these files, but security use cases need to integrate these packets and correlate them with other data, including logs. This requires an export, normalization, and aggregation into another security tool for analysis, typically a security incident and event management (SIEM) solution, but how do you do this at scale?
This is where Gravwell’s solution shines. Gravwell enables threat hunters and network analysts to correlate and search logs and packets for root-cause analysis without worrying about how much data they can ingest and keep and without spending time massaging data. Gravwell’s new Packet Fleet ingester solves the challenges of collecting packet data on-demand such that it can be analyzed at scale. Packet Fleet extends the benefits you’ve come love from Gravwell, including:
- Unlimited Ingestion & Retention
- Binary & Agnostic Data Support
- Scalable & Distributed Solution