Sandstorm Enterprises® : NetIntercept® Technical Overview

NetIntercept System Summary

NetIntercept archives traffic, so you don't have to wait for a problem to recur before it can be analyzed.
NetIntercept parses and reassembles network traffic to provide complete, assembled data streams, rather than arbitrarily mixed-together packets.
NetIntercept analyzes the content of data streams, rather than making a guess based on packet headers and port numbers.
NetIntercept extracts search criteria so the user can easily find connection data from the GUI.
NetIntercept makes it practical to analyze and understand hundreds of thousands of connections at a time.

Major Areas of Functionality

  1. Capturing and Archiving Network Traffic
    • Packets are automatically captured from a LAN or 10/100/1000 BaseT-compatible packet monitoring port on a high-speed switch.
    • Packet capture is silent on the monitored network.
    • Packets are stored on the NI system's hard disk. As new data is captured, it replaces older data on a first-in, first-out basis.
  2. Reconstruction and Analysis of Network Sessions
    • The user selects a time interval of interest, and the system protects that data from being overwritten by new data.
    • The packets from that time interval are sorted into separate connections between machines and saved to disk.
    • Each distinct connection is passed through the NetIntercept analysis and protocol recognition engine, which attempts to recognize protocols and content using a series of parse modules.
    • The parse results and analysis conclusions are stored in a database.
  3. Data Discovery and Viewing Analysis Results
    • Browse through NetIntercept's results database and generate a variety of detailed reports.
    • Focus your investigation by time of day, user name, machine identity, or session size.
    • Search traffic by dozens of criteria, such as email headers, web sites, and file names.
    • View connection data as well as images, email, web pages, and text reconstructed from network traffic.


Capturing and Archiving Network Traffic

NetIntercept 4.0 captures LAN traffic using a standard Ethernet interface card placed in promiscuous mode and a modified UNIX kernel. The capture subsystem runs continuously, whether or not the GUI is active. Tests by Sandstorm have demonstrated a 99.9% capture rate on a fully-loaded 100Base-T network, and 99.99% capture rate on a lightly-loaded network.

Long-term archival storage of captured data in NetIntercept is accomplished by storing the raw dump files. Depending on the hardware options selected, the archived dump file can be written directly to a removable media device attached to the NI machine, or transferred over the network to other machines for archiving. Because the file format is compatible with the Unix tcpdump utility, data captured by NetIntercept can be transferred to other computers and analyzed with other tools if desired.

Reconstruction and Analysis of Network Sessions

NetIntercept performs stream reconstruction on demand. When the user selects a range of captured network traffic to analyze, NetIntercept assembles those packets into network connection data streams.

The reconstructed streams are then presented to the NetIntercept analysis subsystem for identification and analysis. The protocol recognition system is fully modular, making the parsing of data streams clean and easily extensible. The modules are arranged in a hierarchical tree. Each module specializes in a particular protocol, and may pass portions of the data stream to child modules for lower-level analysis. Modules that extract data useful as search criteria or for statistical purposes store that information in an SQL database. In general, the recognition and parsing process progresses from the root of the parse tree towards its branches, but there are a number of cases where Transfer-Encoding, compression or encryption require returning a data stream to an ancestor node, generating a cycle in the graph.
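
As an added illustration (not NetIntercept's own modules, which the page does not show), here is a minimal Python sketch of such a module tree: a root recognizer that dispatches on content rather than port number, an HTTP module that hands the body to a child module, and the cycle described above, where a gzip Content-Encoding returns the decoded body to the root. The ParseNode type, the module names and the sample response are all constructed for this example.

```python
import gzip
import re
from dataclasses import dataclass, field

@dataclass
class ParseNode:
    """Module that matched, plus the search criteria it extracted (SQL-bound in a real system)."""
    module: str
    criteria: dict = field(default_factory=dict)
    children: list = field(default_factory=list)

class Recognizer:
    def recognize(self, data: bytes) -> ParseNode:
        # Root of the tree: recognition is by content, never by port number.
        if data.startswith((b"HTTP/1.", b"GET ", b"POST ")):
            return self.http(data)
        if b"<html" in data[:512].lower():
            return self.html(data)
        return ParseNode("raw", {"size": len(data)})

    def http(self, data: bytes) -> ParseNode:
        head, _, body = data.partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        node = ParseNode("http", {"start_line": lines[0].decode("latin-1")})
        if headers.get(b"content-encoding") == b"gzip":
            try:
                body = gzip.decompress(body)  # the cycle: decoded body goes back to the root
            except (OSError, EOFError):
                pass  # truncated or corrupt: fall through and analyze the raw bytes
        node.children.append(self.recognize(body))  # child module handles the body
        return node

    def html(self, data: bytes) -> ParseNode:
        m = re.search(rb"<title>(.*?)</title>", data, re.I | re.S)
        return ParseNode("html", {"title": m.group(1).decode("latin-1").strip() if m else ""})

def module_path(node: ParseNode) -> list:
    # Modules along the first branch of the tree, e.g. ['http', 'html'].
    path = [node.module]
    while node.children:
        node = node.children[0]
        path.append(node.module)
    return path

# Constructed sample: a gzip-encoded HTTP response carrying an HTML page.
SAMPLE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\n\r\n"
          + gzip.compress(b"<html><head><title>Welcome</title></head><body>hi</body></html>"))
```

Running `Recognizer().recognize(SAMPLE)` yields an http node whose child is an html node carrying the extracted title.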

To improve efficiency, NetIntercept uses memory-mapping techniques to avoid copying the session data unnecessarily.

Once TCP streams are reconstructed and parsed, some of the objects that they contain need to be stored for long periods of time. Examples of such objects are web pages, files transferred by FTP, and e-mail attachments. The signature for each object is calculated using the MD5 digest algorithm and this information, as well as a pointer to the object, is stored in the NetIntercept SQL database. The objects themselves are stored on disk.

NetIntercept saves disk space by never storing a duplicate of an object which is found more than once in the captured network traffic. Instead, it stores the object once, with pointers to the object from the various network connections that referenced it. Both the duplicated objects and sets of connections that reference them are easy to identify.
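
The storage scheme in the two paragraphs above, as an added example rather than Sandstorm's own code: objects are keyed by their digest so a second sighting adds only a pointer, and the reference table answers both questions the text raises, which objects were duplicated and which connections referenced them. The ObjectStore class, its method names and the sample connections are constructed for this example.

```python
import hashlib
from collections import defaultdict

class ObjectStore:
    """Content-addressed object store. Each extracted object is kept once, under
    its MD5 digest (as on the page; a current build would key on SHA-256, since
    MD5 collisions are practical). The reference table plays the role of the
    SQL database, mapping each digest to the connections that referenced it."""

    def __init__(self):
        self.objects = {}              # digest -> object bytes (stands in for the on-disk copy)
        self.refs = defaultdict(list)  # digest -> [(connection_id, file name), ...]

    def put(self, connection_id: str, name: str, data: bytes) -> tuple:
        """Store an object seen in one connection; returns (digest, stored_new_copy)."""
        digest = hashlib.md5(data).hexdigest()
        is_new = digest not in self.objects
        if is_new:
            self.objects[digest] = data  # first sighting: write the object once
        self.refs[digest].append((connection_id, name))  # every sighting: add a pointer
        return digest, is_new

    def connections_for(self, digest: str) -> list:
        """All connections that carried this object, without repeats."""
        return sorted({conn for conn, _ in self.refs[digest]})

    def duplicated(self) -> dict:
        """Objects seen in more than one connection -> the connections that referenced them."""
        return {d: self.connections_for(d) for d in self.refs
                if len(self.connections_for(d)) > 1}

    def bytes_saved(self) -> int:
        """Disk space avoided by not storing repeat copies."""
        return sum(len(self.objects[d]) * (len(r) - 1) for d, r in self.refs.items())

def demo() -> ObjectStore:
    """Constructed sample: two connections fetch the same logo, one also fetches a PDF."""
    store = ObjectStore()
    logo = b"GIF89a" + b"\x00" * 64
    store.put("conn-1", "logo.gif", logo)
    store.put("conn-2", "logo.gif", logo)
    store.put("conn-2", "report.pdf", b"%PDF-1.4 constructed sample")
    return store
```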

Data Discovery and Viewing Analysis Results

NI's Graphical User Interface can be accessed either through the NI system's console, or securely via an X Window session tunneled through SSH to the NI system's control network interface. Besides controlling data capture and analysis, the GUI offers sophisticated search criteria. A user can find one or many network connections according to:
  • Time of day
  • Source or destination hardware or Internet address
  • Source or destination TCP or UDP port name or number
  • Username associated with the connection
  • Electronic mail sender, recipient(s) or subject header
  • File name or World Wide Web URI associated with the transfer
  • Specific protocols or content types recognized in the connection's contents
Once a connection has been identified, you can drill down to view the search criteria extracted from it, the tree of parse results (and any files extracted), or the raw data with or without the packet headers. The GUI allows several connection drill-downs to be open simultaneously, in order to compare results or to view a complex multi-connection transaction.


Site materials © 1998 - 2008 Sandstorm Enterprises, Inc. The Sandstorm logo®, LANWatch®, NetIntercept®, PhoneSweep®, Sandtrap®, TCP.demux™, Single Call Detect™, Tools with sharp edges®, Rapid Event Analysis™, and Sandstorm Enterprises® are all trademarks or registered trademarks of Sandstorm Enterprises, Inc.