Packet Capture in the Cloud…and Beyond!

While network and IT administrators may be familiar with packet capture concepts in the datacenter, many may be unfamiliar with packet capture capabilities and associated toolsets in the cloud space.  Those unfamiliar may wonder how these advanced capabilities can be enabled without the use of traditional network taps, switches or similar technologies which facilitate packet capture in the datacenter space. 

In this blog post, we’ll dive into the finer details surrounding packet capture in the cloud and how maturing your packet capture capabilities can transform your troubleshooting workflows and overall forensic investigation capabilities.

Introduction to Cloud Packet Capture

So, what is packet capture in the cloud?

Packet capture in a traditional sense represents the ability to intercept network packets traversing through a network for the purposes of network inspection, forensic analysis and security use cases.  When referencing cloud packet capture, we’re simply referring to these same packet interception abilities but in the context of cloud networking.  Many may be familiar with the PCAP file format, which is the most common medium for captured network packets. While traditional datacenter deployments of packet capture require dedicated routers, switches or other appliances to deliver performant packet capture, cloud packet solutions primarily rely on a combination of software-based solutions and native CSP capabilities to facilitate the capture and storage of network packets.

Why is cloud packet capture challenging to implement?

The primary reason that cloud packet capture implementations often are time consuming and overly complex is because CSP’s inherently make acquiring network packets in the cloud challenging.  While solutions do exist, such as packet/traffic mirroring or routing modifications, each solution has its own list of caveats and challenges that need to be carefully considered by network administrators to avoid pitfalls in performance, limited visibility and other issues.  In addition to complexity, the solutions which CSP’s do offer can be costly and difficult to scale.

What are the tools which facilitate packet capture in the cloud?

Most cloud packet capture solutions rely on agents or packet mirroring to acquire traffic or require routing to internal services for packet inspection, all of which can introduce significant latency and performance issues that most network teams hope to avoid.  In the case of traffic mirroring, packets may be dropped altogether (!) during periods of network congestion in order to prioritize production-based traffic over the mirrored traffic.  Dropped packets turn into absolute gaps in visibility into your cloud infrastructure and deployment.  To learn more about some of the pros and cons related to traffic & packet mirroring services, watch my recent Webinar on LinkedIn.

How cPacket Networks Delivers Best-In-Class Cloud Packet Capture Capabilities

At cPacket, packet capture across the datacenter, cloud and virtualized space is a core part of our business.  With our cStor-V cloud packet capture offering, we address the challenges and CSP limitations with an elegant solution capable of capturing at speeds up to 10Gbps per cStor-V instance.  Coupled with our cVu-V virtual packet broker appliance, cPacket’s cCloud suite offers the most comprehensive observability and packet capture capabilities in the space today with virtually lossless packet acquisition and capture capabilities.  Below we’ll explore a few key differentiators which set cStor-V apart from other solutions on the market:

  • Start out with a dedicated capture virtual appliance.  Unlike most others, cPacket’s cStor-V is capable of being deployed as a dedicated network virtual appliance (NVA) in your AWS, Google Cloud or Microsoft Azure deployment.  Since cCloud is capable of routing traffic to cStor-V for capture in an out-of-band fashion, cStor-V is capable of maximizing performance and capture throughput.  And since cStor-V operates as a dedicated NVA, this eliminates the need to deploy any performance degrading agent-based solution.
  • Complement or extend native CSP capability.  cStor-V is capable of being utilized alongside traffic mirroring, where the cStor-V virtual appliance is used as the target for the traffic mirroring session.  This provides an easy-to-deploy solution ideal for on-demand or troubleshooting workflows.  cStor-V can also be deployed behind a cVu-V virtual packet broker, where cVu-V acquires packets via CSP routing changes and is capable of replicating (via VXLAN) packet streams to cStor-V and up to 9 other out-of-band tools (i.e. security or performance monitoring toolsets).  In this latter scenario, cStor-V can acquire packets without the possibility of dropped packets from mirroring sessions or performance pitfalls encountered when deploying agent-based solutions.  
  • Capture at wire-like speeds.  cStor-V is capable of capturing at wire-like speeds, at up to 10Gbps per individual virtual appliance.  This enables network administrators to scale out their capture strategy at 10Gbps increments, capable of handling high-speed, high-volume capacities for extensive deployments.  Unlike most other capture solutions, cStor-V is even capable of continuous capture for enterprise-grade use cases where absolute observability is considered priority #1.
  • Elastic Storage for your PCAP files.  Since cCloud appliances are hosted on dedicated virtual machines provided by CSP’s, cStor-V delivers flexible & elastic storage capabilities utilizing easily attachable cloud disk volumes which are managed and scaled in/out using native CSP tooling.  These capabilities shine in use cases where the need for continuous capture capabilities drive high-volume disk requirements within a VM deployment.  The available Open API enables new possibilities for integration with SIEM and other incident management tools. And with Wireshark compatibility out of the box, users gain the ability to quickly query and pinpoint the PCAP data needed for on-demand or after the fact forensic investigations. 
  • Autoscaling? Check.  cStor-V is capable of supporting autoscaling use cases across the major CSP’s.  These autoscaling capabilities ensure even more customer confidence in our cStor-V appliances via robust CSP integrations which enable cStor-V to scale in & out along with dynamic network load during different hours of business operation.  Delivering the elasticity needed for mission-critical capture workloads.
  • Powerful analytics at your fingertips.  In addition to all the impressive features in the packet capture context, cStor-V is also a sophisticated analytics platform capable of delivering powerful network-based analytics which add even more value in use cases where troubleshooting and incident response is valued.  Insightful KPIs such as TCP performance, top-talkers, round trip time, latency characterization, jitter analysis, VOIP quality, and so much more deliver visibility and insights previously unavailable to network and IT administrators.
Example Packet Mirroring scenario with cStor-V

Packet Capture Beyond Cloud

Along with next-generation packet capture features in the cloud, cStor-V is also capable of operating within hypervisor and software-defined platforms to deliver a complete solution across datacenter, cloud and virtual environments.  cStor-V nodes can be deployed in various segments of your software-defined network to acquire north-south and east-west traffic critical to your observability strategy.  Along with boot-time configuration and the ability to deploy within infrastructure-as-code solutions (i.e. Terraform or Azure Bicep), cStor-V can evolve your ability to quickly and easily scale out packet capture across your software-defined footprint.

Start Capturing Packets with cCloud Today

cStor-V and the rest of the cCloud product suite enable new possibilities in your enterprise to acquire, capture, replicate, store, and analyze the packets which contain all the insights and secrets of your cloud infrastructure.  With the ability to reliably and continuously capture packets within a cloud deployment, users can enable new troubleshooting workflows and provide toolsets with the packet-level granularity which observability-focused enterprises require.  Whether it’s for security, compliance, troubleshooting, performance monitoring or the ability to replay critical network traffic using reconstructed packet streams, cStor-V delivers on its reputation as a best-in-class cloud packet capture solution.

cPacket Networks delivers observability for today’s hybrid and multi-cloud networks to de-risk your business against downtime and security attacks.  For more information about how cPacket can advance your observability strategy, contact us today to learn more about our products or to schedule a demo.  Visit us at for more information.