Incident Response, Threat Management, NDR, Network Security, Security Operations, SIEM, Threat Hunting

Packet Collection and Analysis at Scale

There are numerous security use cases where the integration of network packet data provides additional contextual information for better actionability.  Free and open source packet capture tools do a great job capturing packets, but how do you collect, aggregate, and analyze that data at scale?

Let’s start with a quick review of packet capture tools, commonly known as packet sniffers, such as Wireshark or Stenographer.  These tools intercept traffic from wired or wireless networks and write it to a file, a pcap.  Interception is typically done through a network tap or a switch mirror (SPAN) port that copies the traffic to the sniffer.  Captured packets can be compressed and encrypted at rest for later analysis, which is typically done offline.  Analyzers such as Wireshark dissect hundreds of protocols on multiple platforms and are used to troubleshoot capacity and bandwidth, improve network efficiency, verify delivery of services, and enhance security.  We’ll focus on the “enhance security” benefits of these tools.

Now I don’t know about you, but it’s been a long time (over 15 years) since I’ve had to review a pcap file.  The free and open source tools have display filters and other basic analysis features to help read these files, but security use cases need to integrate these packets and correlate them with other data, including logs.  That requires exporting, normalizing, and aggregating the packet data into another security tool, typically a security information and event management (SIEM) solution, but how do you do this at scale?
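To make the export, normalize, and aggregate step concrete, here is an added example (not code from this column or from Gravwell): it builds a small pcap in memory, parses it with a minimal libpcap/Ethernet/IPv4/TCP decoder, rolls the packets up into flow records keyed by source and destination address and port, and then joins those flows against sshd log lines the way a SIEM correlation rule would. The capture, the syslog lines, the host names and addresses are all constructed for the example; the only format assumptions are the classic little-endian libpcap file layout and the standard sshd "Accepted ... from <ip> port <port>" message.

```python
"""Added example: pcap -> normalized packet records -> flows -> join with logs.
Not Gravwell's code; sample capture and log lines below are constructed."""
import re
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4      # little-endian, microsecond-resolution libpcap file
LINKTYPE_ETHERNET = 1
TCP_SYN = 0x02


def tcp_frame(src_ip, dst_ip, sport, dport, payload=b"", flags=0x18):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero for brevity."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def build_pcap(packets):
    """Serialize (ts_sec, ts_usec, frame) tuples into a libpcap byte string."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, frame in packets:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_pcap(data):
    """Yield (timestamp, frame) from a pcap; stops cleanly at a truncated last record."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected little-endian pcap with LINKTYPE_ETHERNET (pcapng or other link type?)")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            break                     # capture was cut off mid-packet
        off += 16 + incl_len
        yield ts_sec + ts_usec / 1e6, frame


def decode_tcp(ts, frame):
    """Normalize an Ethernet/IPv4/TCP frame to a flat record; None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ip[9] != 6 or ihl < 20:
        return None
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {"ts": ts, "src_ip": socket.inet_ntoa(ip[12:16]), "src_port": sport,
            "dst_ip": socket.inet_ntoa(ip[16:20]), "dst_port": dport,
            "flags": tcp[13], "payload_len": max(0, len(tcp) - data_off)}


def aggregate_flows(records):
    """Roll packet records up into one summary per (src_ip, src_port, dst_ip, dst_port)."""
    flows = {}
    for r in records:
        key = (r["src_ip"], r["src_port"], r["dst_ip"], r["dst_port"])
        f = flows.setdefault(key, {"packets": 0, "bytes": 0, "first_seen": r["ts"],
                                   "last_seen": r["ts"], "syn_seen": False})
        f["packets"] += 1
        f["bytes"] += r["payload_len"]
        f["first_seen"] = min(f["first_seen"], r["ts"])
        f["last_seen"] = max(f["last_seen"], r["ts"])
        f["syn_seen"] = f["syn_seen"] or bool(r["flags"] & TCP_SYN)
    return flows


LOG_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+) port (\d+)")


def correlate_ssh_logins(flows, log_lines):
    """Join sshd 'Accepted' events to the client flow that carried them (by source ip:port)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        user, src_ip, src_port = m.group(1), m.group(2), int(m.group(3))
        for (s_ip, s_port, d_ip, d_port), f in flows.items():
            if (s_ip, s_port, d_port) == (src_ip, src_port, 22):
                hits.append({"user": user, "client": "%s:%d" % (s_ip, s_port), "server": d_ip,
                             "bytes_from_client": f["bytes"], "packets": f["packets"]})
    return hits


# Constructed sample capture: one SSH session from 10.0.0.5 plus unrelated HTTP traffic.
SAMPLE_PCAP = build_pcap([
    (1700000000, 0,   tcp_frame("10.0.0.5", "10.0.0.22", 51234, 22, flags=TCP_SYN)),
    (1700000000, 300, tcp_frame("10.0.0.5", "10.0.0.22", 51234, 22, b"SSH-2.0-OpenSSH_9.6\r\n")),
    (1700000001, 0,   tcp_frame("10.0.0.5", "10.0.0.22", 51234, 22, b"\x00" * 300)),
    (1700000002, 0,   tcp_frame("10.0.0.9", "93.184.216.34", 40000, 80, b"GET / HTTP/1.1\r\n")),
])
SAMPLE_LOGS = [  # constructed syslog lines
    "Nov 14 22:13:21 bastion sshd[812]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2",
    "Nov 14 22:13:25 bastion sshd[813]: Failed password for root from 203.0.113.7 port 55555 ssh2",
]


def run(pcap_bytes=SAMPLE_PCAP, log_lines=SAMPLE_LOGS):
    """Full pipeline: parse, normalize, aggregate, correlate. Returns (flows, hits)."""
    records = [r for ts, fr in parse_pcap(pcap_bytes) if (r := decode_tcp(ts, fr))]
    flows = aggregate_flows(records)
    return flows, correlate_ssh_logins(flows, log_lines)


if __name__ == "__main__":
    for key, f in run()[0].items():
        print("%s:%d -> %s:%d packets=%d bytes=%d syn=%s" % (key + (f["packets"], f["bytes"], f["syn_seen"])))
    print(run()[1])
```

The flat records produced by decode_tcp are the "normalized" form a SIEM wants to ingest: every packet becomes a row with the same fields regardless of what produced the capture, and the flow summaries are what you actually join against log events. Two caveats the example bakes in: a truncated final record (a sniffer killed mid-write) is skipped rather than crashing the loader, and a file that is not a classic little-endian Ethernet pcap (for example pcapng) is rejected up front instead of being silently misparsed.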

This is where Gravwell’s solution shines.  Gravwell enables threat hunters and network analysts to correlate and search logs and packets for root-cause analysis without worrying about how much data they can ingest and retain, and without spending time massaging data.  Gravwell’s new Packet Fleet ingester solves the challenge of collecting packet data on demand so that it can be analyzed at scale.  Packet Fleet extends the benefits you’ve come to love from Gravwell, including:

  • Unlimited Ingestion & Retention
  • Binary & Agnostic Data Support
  • Scalable & Distributed Solution

To learn more about Gravwell Packet Fleet, watch the interview on Paul’s Security Weekly here or visit securityweekly.com/gravwell for more information.

Matt Alderman

Chief Product Officer at CyberSaint, start-up advisor, and wizard of entrepreneurship.
