NPulse Technologies announced a new version of its packet capture platform that can fully index 30 million packets per second to disk, enabling rapid retrieval of network sessions from a fully saturated 10 Gbps link during analysis of security incidents.
Full indexing of 10g packet capture essential to real-time security response
"Our expectation of security monitoring and performance monitoring is moving from historical mode to proactive, real-time," said Jim Frey, vice president at Enterprise Management Associates. "That's why you need these performance optimizations. In security, when you're talking about the mitigation of threats and analysis, you want to know what's going on right now -- not necessarily what happened the week before."
NPulse's CPX appliances have been able to perform full packet capture on 10 Gbps links since 2009, but indexing those packets remained a challenge until now. The company's products would index only the first packet of a session or flow and rely on the probability that the other packets in that session would be stored close to the first one.
"But everything is not linear when you are striping disks," said Tim Sullivan, nPulse's CEO.
With CPX 4.0, nPulse has added patented software that allows the technology to index every packet, helping an engineer to retrieve and rebuild a session for forensic analysis of a security incident easily and quickly.
At high data rates like 10 Gbps, writing all packets to disk is only the first challenge, Frey said. Retrieving those packets and recreating sessions is just as difficult. "Finding the right data requires fast access if you want to get an answer to your problem in the next 15 minutes."
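As an added illustration, not code from nPulse, the following Python model shows why an index that records only a session's first packet breaks down once packets are striped across disks, and what indexing every packet buys at retrieval time. The round-robin striping, the three constructed sessions and the forward-scan heuristic for the old approach are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample traffic: (session_id, payload) for three interleaved sessions.
PACKETS = [("A", "a1"), ("B", "b1"), ("A", "a2"), ("C", "c1"),
           ("B", "b2"), ("A", "a3"), ("C", "c2"), ("B", "b3")]
STRIPES = 3  # assumed number of disks in the striped array


def write_striped(packets, stripes=STRIPES):
    """Write packets round-robin across stripes (a simplified striping model).

    Returns the simulated disks plus two indexes: one entry per packet
    (every packet indexed) and one entry per session (first packet only).
    """
    disks = [[] for _ in range(stripes)]
    full_index = defaultdict(list)  # session -> [(disk, slot), ...]
    first_index = {}                # session -> (disk, slot) of first packet
    for i, (sid, payload) in enumerate(packets):
        disk = i % stripes
        slot = len(disks[disk])
        disks[disk].append((sid, payload))
        full_index[sid].append((disk, slot))
        first_index.setdefault(sid, (disk, slot))
    return disks, dict(full_index), first_index


def retrieve_full(disks, full_index, sid):
    """Per-packet index: every packet of the session is located directly."""
    return [disks[d][s][1] for d, s in full_index.get(sid, [])]


def retrieve_first_only(disks, first_index, sid, window=2):
    """First-packet index: read the first packet, then scan a few slots after
    it on the same disk, betting that the rest of the session landed nearby."""
    if sid not in first_index:
        return []
    disk, slot = first_index[sid]
    nearby = disks[disk][slot:slot + 1 + window]
    return [payload for s, payload in nearby if s == sid]


if __name__ == "__main__":
    disks, full, first = write_striped(PACKETS)
    for sid in "ABC":
        print(sid, "first-only:", retrieve_first_only(disks, first, sid),
              "full:", retrieve_full(disks, full, sid))
```

Session B happens to land entirely on one disk, so the locality bet pays off; session A is spread across stripes and the first-packet index recovers only one of its three packets, while the per-packet index rebuilds it completely.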
The volume of packets a CPX appliance captures and writes to disk -- typically on a NetApp storage array -- grows quickly for some organizations.
"[A CPX connected to] a single 10-gig link that is fully saturated will collect 200 terabytes per day. We're seeing customers looking for 30-plus days of packet capture. Now we're talking about petabytes of data," Sullivan said.
NPulse adds session analysis to front end of 10g packet capture appliance
NPulse also added a session analysis application to the front end of the CPX platform. In the past, nPulse relied on third-party software and open source software such as Wireshark to provide analysis of packet captures.
"We provided a Wireshark view of the world [in previous software versions], which gets you some information. But it's a packet-level view," Sullivan said. "The world looks very different when you look at things one packet at a time than it does when you put all the packets together and start to analyze: What protocol was this session? What did the payload look like? Was there a file in there? Can I extract that file and throw it into a sandbox?"
Many packet capture vendors have been adding their own front-end analysis in recent years in order to retain customers, Frey said.
"It's one thing to capture all the data and be able to retrieve it, but the more they add direct analysis capabilities -- even if it's not deep -- it makes their products stickier and more valuable. It prevents them from being usurped by someone else who can do that data analysis."