Snapshot and Triggered Intercept: Grabbing Packets at the Wire

If you struggle to monitor and troubleshoot your network effectively, you’re not alone. Getting access to the packets you need can be a grueling task, and it is tempting to cut corners with other, less reliable methods, especially when all you need is a few packets out of a stream, or just the right packets selected by some pre-defined criteria.

There are many network tools on the market with many different features, but two specific tools address the challenge of accessing packets quickly and efficiently: the snapshot feature and triggered intercept. cPacket’s cVu devices are equipped with both.

How does the Snapshot feature work?

The snapshot feature captures all packets that match specified criteria based on any L2-L7 (header through payload) information. For example, a snapshot can be used to verify a filter configuration, to search for packets to or from a specific IP address for quick troubleshooting, or to assess a potential security issue by looking for a specific payload. As the figure below shows, each Smart Port on a cVu device can hold up to ten snapshots; when the port is full, the oldest captures are deleted to free up space for new ones. This is first in, first out (FIFO): the first snapshot taken is the first one removed.

Figure 1: Snapshot feature

To activate a snapshot directly from the cVu interface, check the “SNAP” checkbox at the top right of the diagram below. The snapshot feature can also be used from cPacket’s cClear, the management and visualization console.

Figure 2: Activating the snapshot from the cVu interface

The pcap files collected by a snapshot can be retrieved from the Captures page.

Figure 3: Collecting pcap files

Now that you understand the snapshot feature, let’s talk about cVu’s second helpful tool: the triggered intercept feature.

How does the Triggered Intercept feature work?

Let’s say you want to drill down and investigate the network traffic leading up to an event. The Smart Filter specification defines the trigger: a packet matching it becomes the midpoint of the capture buffer, so the packets immediately before and after the “trigger packet” are what gets captured. From a security standpoint this is incredibly valuable, because it lets the user see the network traffic both before and after an event rather than only the event itself. Accurate information about the incident in question leads to confident, better-informed decisions. The diagram below shows the position of the trigger packet in the buffer, as well as the amount of network traffic collected before and after the event.

Figure 4: Position of trigger packet in the buffer

It’s important to note that triggered intercept differs from Snapshot in what is captured. Rather than capturing every packet that matches the filter, the filter designates a trigger packet, that packet becomes the midpoint of the capture buffer, and the packets before and after it are captured, whether or not they match the filter themselves.
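To make the difference between the two modes concrete, here is a small model of their capture semantics, covering both the snapshot FIFO described above and the trigger-centred buffer of this section. It is an added example written for this article, not cPacket’s code or firmware (the cVu does this in hardware, at line rate): the Packet fields, the ten-snapshot limit per port, the pre/post-trigger sizes and the sample traffic are all assumptions chosen to show how the two captures differ.

```python
"""Model of snapshot vs. triggered-intercept capture semantics.

Illustrative model written for this article; not cPacket's cVu firmware
or API. Packet layout, buffer sizes and sample traffic are assumptions.
"""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    seq: int            # position on the wire (monotonic)
    src: str
    dst: str
    payload: bytes


Filter = Callable[[Packet], bool]   # any L2-L7 predicate


class SnapshotPort:
    """Snapshot: keep every packet matching the filter as one capture.

    A port holds at most `max_snapshots` captures; taking another one when
    the port is full evicts the oldest (FIFO), as the article describes.
    """

    def __init__(self, max_snapshots: int = 10) -> None:
        self.snapshots: Deque[List[Packet]] = deque(maxlen=max_snapshots)

    def snapshot(self, stream: List[Packet], match: Filter) -> List[Packet]:
        capture = [p for p in stream if match(p)]
        self.snapshots.append(capture)   # deque evicts the oldest when full
        return capture


class TriggeredIntercept:
    """Triggered intercept: capture around the first packet matching `trigger`.

    A ring of the last `before` packets is kept continuously. When the
    trigger fires, the ring becomes the first half of the capture, the
    trigger packet is the midpoint, and the next `after` packets (matching
    or not) complete it. The interceptor then re-arms.
    """

    def __init__(self, trigger: Filter, before: int, after: int) -> None:
        self.trigger = trigger
        self.after = after
        self._ring: Deque[Packet] = deque(maxlen=before)
        self._capture: Optional[List[Packet]] = None
        self._remaining = 0

    def feed(self, p: Packet) -> Optional[List[Packet]]:
        """Offer one packet; returns the finished capture once it is complete."""
        if self._capture is None:
            if not self.trigger(p):
                self._ring.append(p)     # pre-trigger history, oldest evicted
                return None
            # Trigger fired: pre-trigger ring + trigger packet. If the trigger
            # arrives early the pre-trigger half is simply shorter.
            self._capture = list(self._ring) + [p]
            self._remaining = self.after
            return self._finish() if self._remaining == 0 else None
        self._capture.append(p)          # post-trigger packets
        self._remaining -= 1
        return self._finish() if self._remaining == 0 else None

    def _finish(self) -> List[Packet]:
        done, self._capture = self._capture, None
        self._ring.clear()
        return done


def build_sample_traffic() -> List[Packet]:
    """Constructed sample traffic (not a real capture): 20 packets, with a
    suspicious payload at seq 12 from 10.0.0.5."""
    pkts = []
    for seq in range(20):
        src = "10.0.0.5" if seq % 4 == 0 else "10.0.0.7"
        payload = b"GET /index.html" if seq != 12 else b"GET /login?u=x' OR 1=1--"
        pkts.append(Packet(seq, src, "10.0.0.10", payload))
    return pkts


def run_demo() -> Tuple[List[Packet], Optional[List[Packet]]]:
    """Snapshot of one source IP vs. a triggered intercept on a payload string."""
    traffic = build_sample_traffic()
    snap = SnapshotPort().snapshot(traffic, lambda p: p.src == "10.0.0.5")

    intercept = TriggeredIntercept(lambda p: b"OR 1=1" in p.payload, before=3, after=3)
    capture = None
    for p in traffic:
        capture = intercept.feed(p)
        if capture is not None:
            break
    return snap, capture


def fifo_eviction_demo(n: int = 12) -> List[int]:
    """Take n single-packet snapshots on one port; return the seq captured by
    each surviving snapshot, which shows the oldest ones were evicted."""
    traffic = build_sample_traffic()
    port = SnapshotPort(max_snapshots=10)
    for i in range(n):
        port.snapshot(traffic, lambda p, i=i: p.seq == i)
    return [cap[0].seq for cap in port.snapshots]


if __name__ == "__main__":
    snap, capture = run_demo()
    print("snapshot seqs:", [p.seq for p in snap])
    print("intercept seqs:", [p.seq for p in capture], "midpoint:", capture[len(capture) // 2].seq)
    print("surviving snapshots:", fifo_eviction_demo())
```

The snapshot returns only the five packets from 10.0.0.5, with no surrounding context; the triggered intercept returns three packets before the suspicious request, the request itself at the midpoint, and three after it, regardless of their source. The eviction demo shows that after twelve snapshots only the ten most recent survive.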

The two features also share some similarities. Like the snapshot feature, triggered intercept is activated from the cVu’s Smart Filter page by checking the “TRIGGER” checkbox at the top right of the screen, and the captures collected by the trigger can be retrieved from the Captures page, as seen below.

Figure 5: Capturing trigger packets

In sum, cVu’s snapshot and triggered intercept features deliver access to packets according to specific header and payload criteria, even when the link operates at full line rate. They also eliminate the need to search for packets that may or may not exist in a large capture file. Imagine being able to sample packets matching any combination of header and payload fields (L2-L7), at wire speed, on many links in the network in parallel. Pretty innovative, isn’t it?

Clearly, performing the capture in hardware at the wire offers many benefits: bottlenecks are eliminated, network traffic reaches its destination faster, troubleshooting time is reduced, and the approach is far more cost effective than traditional methods.

Ready to learn more? Let us show you how these features and our cVu devices can optimize your network.