Sandstorm Enterprises® : NetIntercept® 4.0 Software Specs

NetIntercept 4.0 Specifications




NI Application Software


Graphical User Interface

  • Accessible via X Window System Protocol
    • On console/keyboard/mouse
      • Customer-supplied
      • Or available as an option for any NI configuration
    • From any system with an X Window server and SSH support
      • Needs connectivity to the NI machine's "control" network interface
  • Controls Capture/Archive Subsystems
    • Control filtering of captured data
    • Enable or disable capture and archiving
    • Real-time strip chart of traffic
      • 1 second resolution
      • 5 minute resolution
      • 30 minute resolution
      • Two hour resolution
      • One day resolution
    • Instant display of traffic volume in a selected time range
    • Secondary pens show traffic to specific MAC addresses
    • Logarithmic or linear display scale
    • Displays 3000 points in each view for scroll-back capability
    • Strip chart may be saved to file as an image
    • Select captured data
      • for analysis
      • for purge
      • for long-term retention (immortalization)
    • View and search as-captured data using LANWatch® packet viewer
    • Control disk use by captured data and analysis results
    • Describes archived data
    • Configure and manage capture filters
  • Controls Data Analysis Subsystem
    • Controls sessionization-time filtering by
      • MAC address
      • IPv4 or IPv6 address or network number and mask (new)
      • UDP or TCP with optional port number
    • Set parse control options in session profiles
    • Select and manage session profiles
    • Initiate analysis of data from a particular time period
    • Display progress of data analysis engine during parse
    • Re-analyze existing raw or sessionized traffic
    • Continue viewing results after launching a parse (new)
  • View and Analyze Parse Results Stored in SQL Databases
    • Display summaries, including hosts and sessions using the most bandwidth and connection characteristics
      • Click through to individual sessions
      • Click through to session lists for individual hosts
    • Select sets of connections for detailed analysis, with multiple selection criteria
      • Specific time period
      • MAC, IPv4 or IPv6 address (new)
      • Robust connection traffic search options
        • Search forward or backward
        • Search for whole or partial words
        • Perform case sensitive searches
      • TCP or UDP port by name or number
      • Parse module which recognized content, with settable minimum confidence level
      • Username (from remote login or e-mail envelope)
      • E-mail sender, recipients, CC, subject, date
      • File name or web URI string
      • File transfer method
      • Structure conditional queries across multiple criteria
      • Subject to Netmask and Time Range filters
    • Significant Events tab on Session List shows Email, Web pages and images found in the set of connections
    • Connection View pane below Session List displays selected connection
    • Traffic map on Session List provides a clickable time-domain view of the selected sessions with sophisticated filtering (new)
    • Drill-down on individual connections
      • Improved connection display includes more summary and DNS information
      • Raw data stream, with or without packet headers
      • Recognition history tree of connection's parse
      • Selection criteria extracted from connection, by group
      • Data objects extracted from stream
      • Email headers extracted from stream
      • Packet view of sessionized stream using integrated LANWatch viewer
      • Right-Click context-sensitive menus on Summary tab items
      • Buttons to move to next or previous connection in Session List
    • View alert conditions detected during parse, with drill-down to the affected connection
      • By class and type of alert
      • Applicable to connections selected by current Netmask
      • Applicable to a particular network host
      • Occurring during a user-specified time range
    • Save selection queries
    • Display image data objects found in captured sessions, with session drill-down
      • Images selected according to origin host
      • Images obtained from connections selected by current Netmask
      • Images occurring during a particular time range
      • Extract Event List values to CSV file
      • Save captured images to files in various formats
    • Analysis and rendition of linkage between FTP Control and Data connections
    • Analysis and rendition of linkage between IRC and DCC file transfer
    • Display reconstructed web pages from captured sessions
      • Will not execute or display active content
      • View linkage information extracted from HTML files
      • Components assembled from multiple TCP/HTTP transfer operations
      • Associations tab has context-sensitive menus to access Session List, Connection and Image views
    • Graphical display of client-server interactions between hosts on the monitored network
      • Viewpoint selectable via host name or IP addresses
      • Viewpoint selected by current Netmask
      • Viewpoint sorted according to number of connections, packets or bytes
      • Drill-down to all connections between a pair of hosts for export or further analysis
    • Hierarchical display of LDAP sessions
    • Graphical display of X.509 security certificates
    • Analysis/rendition of linkage between SIP and RTP (VoIP) connections (new)
    • Host Connectivity map can be saved to file in various image formats
    • Traffic Map tab provides a clickable time-domain view of some or all analyzed sessions with sophisticated filtering and navigation (new)
    • Audio tab lets you review and play captured audio files on the system console, or export them to a remote machine for playback there (new)
    • Manage on-disk archive of results databases
  • Bookmark connections, images and webpages
    • Includes user-supplied notes
    • Saved in results database for future use
    • Bookmark list may be transferred, including file objects and an HTML report linking to them
  • Controls Report Generation Subsystem
    • Create, View and Delete reports in a database-related context
    • Simplified selection of report parameters
    • Simplified use of customized templates
  • Export data via secure file transfer with SCP
    • Captured network traffic, pre- or post-analysis
    • Results database
    • Individual sessions chosen via search criteria
    • Reports
    • Extracted files from web, email or file transfer traffic

Data Capture Subsystem

  • Seamless Data Capture from Monitoring Interface
  • Capture Rate
    • 200 Mbit/s 10-second average in NI-DR3010 and NI-DR1510 configurations
      • Recommended for Rapid Event Analysis at full data capture rate
      • Keyword search of all traffic where the 24-hour average flow is 40 megabits per second or less
    • 120 Mbit/s 10-second average in NI-D810 configuration
      • Recommended for Rapid Event Analysis at full data capture rate
      • Keyword search of all traffic where the 24-hour average flow is 25 megabits per second or less
    • 60 Mbit/s 5-minute average in NI-D410 configuration
      • Recommended for Rapid Event Analysis at full data capture rate
      • Keyword search of all traffic where the 24-hour average flow is 5 megabits per second or less
  • Traffic Filtering
    • Capture all traffic (default)
    • User-specified filtering
      • Unix "libpcap" compatible
  • Completely Passive - No Transmissions on Monitored Interface
    • When properly configured, undetectable by "sniffer location" techniques
  • Uses Standard "tcpdump" File Format
    • Data captured on other machines may be transferred to NI for analysis
    • Archives and intermediate files generated by NI may be analyzed by non-Sandstorm tools

Data Archive Subsystem

  • Archives Original Traffic Capture Files
    • Fundamental disk-resident lifetime depends on
      • Storage option selected
      • Percentage load on monitored network
      • Can be tuned to suit particular situations
    • Old traffic capture files and other system output can be securely copied
      • To other nodes reachable from the control network interface
      • To read-only CDRW storage media
  • Manages Secure Export of Captured Data Files

Analysis Subsystem

  • Analyzes Traffic Captured by NI, or Imported from Another Capture System
    • Importable file formats include tcpdump, LANWatch, Snoop, Sniffer, NetXRay and NetMon
    • Handles both DIX and 802.3 Ethernet encapsulations
    • Handles traffic using 802.1q VLAN tagging
    • Imports 802.11 traffic captured by Kismet (libpcap Data Link Type 105)
    • Sessionizes ARP, ICMP, PPPoE, PPP and IPv6 streams containing ICMPv6, TCP and UDP
    • Sessionized streams stored in container files for faster I/O
    • Export of standard tcpdump format via GUI
  • Parses Data at the Stream/Object Level
    • SSL session decryption/analysis via import of SSL server keys
    • SSH session decryption/analysis via key escrow available with optional server software
    • Recognizes common multimedia formats: AVI, Flash, WAV, TIFF
    • Parses VNC, BGP, Gnutella, YMSG, BZIP2, RADIUS, SMB
    • Parses PostScript, RTF, terminal traffic, lpr, Java, RTSP, WinZip
    • Recognizes common Microsoft file types: Word, PowerPoint, Excel, EXE
      • Search text recovered from Word, Excel, and PowerPoint
    • Parses chat protocols IRC, AOL_IM, Yahoo Messenger, Microsoft Messenger and Jabber (GoogleTalk)
    • Links related TCP connections together for HTTP, FTP, IRC and AOL_IM protocols
    • Basic VoIP detection via parse of SIP, RTP and RTCP protocols
    • Recognizes Unix "remote" commands: rexec, rlogin, and rsh
    • Parser improvements in version 4.0 include:
      • TNEF module recognizes/saves Transport-Neutral Encapsulation Format (new)
      • VCF module recognizes and harvests from vCard objects (new)
      • PGPFile module recognizes/saves PGP-encrypted files (new)
      • Session Description Protocol (SDP) parser links VoIP control and data streams (new)
      • Improved recognition of IMAP and NetBIOS Session protocols (new)
  • Broad Range of Protocol Parsing Modules
    • Oriented towards "network boundary" traffic
    • Can handle multiple layers of analysis
      • text inside uuencode inside MIME inside email
      • http inside ssl
  • Heuristic Application Data Stream Recognizer
    • Find protocols being used on non-standard ports
    • Find protocols being used inside decrypted streams
  • Extensive Protocol Error and Security Violation Detection Capability
    • Specific Alerts that are irrelevant to a site/mission can be disabled
  • Uses a Private Domain Name Translation Database
    • Basic database generated from monitored net traffic
    • May be supplemented by user-supplied host files
  • All Results Written to SQL Database for Easy Lookup
    • Via graphical user interface
    • Via report generator
    • Via direct SQL access
  • Netmask Management Interface
    • Add, delete and modify netmasks directly from the NetIntercept GUI
    • Improved netmasking capabilities allow you to mask on connection endpoints
      • Source
      • Destination
      • Both, either, or neither
  • Parse Operations Controllable on a Per-module Basis
    • When to save the extracted data object to disk
    • Whether to save the current object or a parent data stream
      • For example text extracted from a Word file vs. the original Word format
    • Search strings for "Known Content" recognition
    • Whether or not to pass extracted data streams to child parsers
  • Advanced Content Search Modules
    • New FindPhrase module is capable of searching for up to 8 phrases
    • Improved FindWord module is capable of simultaneously searching up to 200 strings
    • Search of text content not otherwise recognized by a content parse module
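To illustrate the standard tcpdump/libpcap file format the Data Capture Subsystem writes (so that NI archives can be read by non-Sandstorm tools) and the DIX, 802.3 and 802.1q Ethernet encapsulations the Analysis Subsystem distinguishes, here is a small reader written for this page; it is example code, not Sandstorm's or NetIntercept's own. The pcap bytes, MAC addresses and frames it parses are constructed inline, and it assumes Ethernet (link type 1) captures only.

```python
import struct
LINKTYPE_ETHERNET = 1  # libpcap DLT_EN10MB

def read_pcap(data):
    """Parse an in-memory tcpdump/libpcap file into (ts_sec, ts_usec, frame) tuples."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:      # file written on a little-endian host
        end = "<"
    elif magic == 0xD4C3B2A1:    # file written on a big-endian host
        end = ">"
    else:
        raise ValueError("not a libpcap file: magic %#x" % magic)
    snaplen, linktype = struct.unpack(end + "IHHiIII", data[:24])[5:]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    frames, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):  # never trust incl_len blindly
            raise ValueError("corrupt or truncated packet record at offset %d" % off)
        frames.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return frames

def decode_ethernet(frame):
    """Classify a frame as DIX (EtherType) or 802.3 (length), stripping one 802.1q tag."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    tl, vlan, off = struct.unpack("!H", frame[12:14])[0], None, 14
    if tl == 0x8100:  # 802.1q: 2-byte TCI, then the real type/length field
        if len(frame) < 18:
            raise ValueError("truncated 802.1q header")
        tci, tl = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    dix = tl >= 0x0600  # values below 0x0600 are 802.3 payload lengths
    return {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"), "vlan": vlan,
            "encap": "DIX" if dix else "802.3", "ethertype": tl if dix else None,
            "payload": frame[off:]}

def build_sample_pcap():
    """Constructed sample (not a real capture): a VLAN 100 DIX IPv4 frame, then an 802.3 frame."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    mac_a, mac_b = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    f1 = mac_b + mac_a + struct.pack("!HHH", 0x8100, 0x0064, 0x0800) + b"\x45" + b"\x00" * 19
    f2 = mac_a + mac_b + struct.pack("!H", 3) + b"\xaa\xaa\x03"  # length field = 3, LLC payload
    out = hdr
    for i, f in enumerate((f1, f2)):
        out += struct.pack("<IIII", 1200000000 + i, 0, len(f), len(f)) + f
    return out
```

The record-length check matters in practice: a capture file is untrusted input, and a reader that follows incl_len without bounds checking is a classic source of parser crashes.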

Report Generation Subsystem

  • Generates Reports from User-customizable Templates
    • Templates provided for Text and HTML formats
    • Templates are editable using a variety of different tools
      • Including WYSIWYG tools on other systems
    • All reports display IPv6 addresses where found (new)
    • Reports can be used in the following ways
      • Viewed through the graphical user interface (if the hardware option is selected)
      • Saved to read-only CDRW media
      • Transferred elsewhere via "control" network
      • Generated automatically via automated operations
  • Six Overview Reports Available
    1. Observed network configuration (Discovery)
    2. Most active by various different measures (Top N)
    3. Network activity for a named user
    4. Network activity summary for a given IP address or hostname
    5. Network activity detail for a given IP address or hostname
    6. Network activity detail for a given MAC (hardware) address
    7. Parse tree statistics with module relationships (parse-stats)
  • One "Graph" Report Available
    1. Parse graph for the current database
  • Thirteen Database Tabulation Reports Available
    1. Error or alarm conditions
    2. Usernames and associated cleartext passwords
    3. Usernames only
    4. Network bandwidth usage by host
    5. Electronic mail recipients, subjects by sender
    6. Web activity by host and requested URI, grouped by type of activity
    7. Domain Name System lookup history
    8. Domain Name System non-address namespace
    9. Address Resolution Protocol namespace
    10. NetBIOS Nameservice Protocol namespace
    11. Services requested by client system
    12. Connections between machines whose start/end was not captured in the database
    13. Distinct file-like objects captured, including IMT and MD5

Automated Operations

  • Automatically Control NetIntercept
    • Build scripts for unattended NetIntercept operation
      • Select data for analysis, export or long-term retention (immortalization)
      • Sessionize and parse immortalized data
      • Generate reports on results databases
      • Export raw traffic, sessionized traffic, results databases or reports via Secure Copy protocol
      • Delete immortalized data, sessionized data, results databases and reports
    • Schedule one-time or repeated execution of scripts through the GUI
    • Scripts may be configured to wait for busy resources (new)
    • Initiate scripts on receipt of SNMP traps on the control interface
    • Graphical interface allows import of trap definitions from a MIB
    • Specify NetIntercept response actions

Audit Logging

  • All NI components log important user actions for later audit


System Software


FreeBSD 6.2 Kernel (new)

  • Minimal Set of Unix Utilities
  • High-security Network Configuration on Interface #0
    • SSH for remote access
    • SCP for file copy
  • Interface #1 Configured and Locked Down for Capture Only

Printer Support

  • USB Port for Printer Provided
    • Standard OS drivers included
    • User configurable

MySQL Database Server

  • SQL Database for Storage and Retrieval of Parse Results
    • ISAM tables for fast, efficient access
  • Configured for High Security
    • No remote access
    • Administrator has full access
    • User has limited access

Setup Process

  • Initial Installation
    • Configure IP address/netmask/gateway for control interface
      • Monitoring interface is silent
    • Configure DNS options
      • Name server accessible via interface #0
    • SNMP support for status monitoring
      • Disabled by default
      • Heartbeat
      • Free disk space
      • Other standard Unix MIB variables
    • Generate initial private-key encryption key on the license management device
    • Enter passwords for NetIntercept user accounts
    • Configure "Monitored" network
      • Distinguish the local network from outside networks
      • Identify local subnets by setting up the "netmask" database table
    • Initialize new capture disk
    • Certify installation
  • Initial Default Configuration Is Set Up by Sandstorm
    • Based on information obtained during the sales cycle
  • NI Setup Process Can Be Re-run
    • After the machine has been moved
    • When the local network environment is changed


Site materials © 1998 - 2008 Sandstorm Enterprises, Inc. The Sandstorm logo®, LANWatch®, NetIntercept®, PhoneSweep®, Sandtrap®, TCP.demux™, Single Call Detect™, Tools with sharp edges®, Rapid Event Analysis™, and Sandstorm Enterprises® are all trademarks or registered trademarks of Sandstorm Enterprises, Inc.