Network Packet Capture (PCAP) Tool

A network packet represents the smallest measure of data capable of travelling through a network. A network packet typically contains several pieces of information, including the data it’s carrying and source and destination IP addresses. Depending on the type of network, packets may be referred to by another name: frame, block, cell, segment, etc.

When network packets are sent over the internet or through a network, each unit sent contains both header information and the actual user data being transmitted. The header’s job is to identify the source and destination of the packet, while the data being sent is referred to as the payload. Since the header information—sometimes referred to as overhead data—only provides value during the transmission process, it’s removed from the packet by the time it reaches its desired destination. As such, the payload is the only data used by the destination system. An example of overhead data might be source and destination network addresses, error detection codes, or sequencing information.

Generally, network packets move around a packet-switched network. The term packet-switched refers to a type of network in which packets are routed through a network based on the destination address contained within each unit of data. By breaking network communications into packets, the same data path can easily be shared among various users on the network. This method of data communication is known as a connectionless network (as opposed to a dedicated network).

It’s also useful to recognize packets can contain some of the following elements:

• Addresses: Network packets require at least two network addresses to be routed properly—the address of the sending host (source address) and the address of the receiving host (destination address).
• Error detection and correction: Error detection and correction—sometimes referred to as error control—are digital communication techniques ensuring the reliable delivery of digital data over unreliable channels. A majority of network communication channels are prone to channel noise, and as a result, errors can easily occur during transmission from the source to a receiver.
• Hop limit: A hop is when a network packet is moved from one network segment to the next. As such, a hop count refers to the number of intermediate devices (like routers) data must pass through while traveling from its source to its destination. Accordingly, hop limit specifies the number of hops a packet is allowed before it’s discarded by the network.
• Priority: Certain networks deploy a quality of service check which means certain packets will be given priority over others. As such, this field identifies which packet queue should be followed. In an area where there may be network congestion, a high priority queue will be emptied more quickly than a lower priority one.

Packet capture is a computer networking practice used by IT teams and system administrators and involves intercepting an in-transit data packet traveling over a specific packet-switched network. Once the packet is captured, IT teams temporarily store it, so they can analyze it for useful information.

Packets are inspected in this manner because they can help IT teams diagnose and solve network problems potentially affecting daily operations. SysAdmin can also use the information gleaned from inspection to determine if network security policies are being followed. The process of capturing data packets across a computer network is sometimes referred to as packet sniffing as well.

Moreover, a packet monitor can be used to help IT team complete several important IT tasks, including:

• Analyzing problems occurring in your network
• Detecting intrusion attempts
• Detecting network misuse by both internal and external users
• Demonstrating compliance by logging endpoint traffic
• Isolating compromised systems or sections of a network
• Monitoring WAN utilization, including bandwidth and traffic volume
• Surveying WAN and endpoint security
• Tracking network usage, including data in transit
• Collecting and reporting insightful network statistics
• Highlighting suspicious content in network traffic
• Acting as a data silo for daily network monitoring management
• Spying on internal users to collect permissions information like login credential or user cookies
• Reverse engineering proprietary protocols used on the network
• Debugging communications in client-server environments

Network managers use packet capturing to analyze and manage their network traffic and performance. But because no two networks are the same, and since different admins might want to gain different insights from their network traffic capture, various packet capture techniques are utilized by different IT teams.

To understand how a packet monitor works at a high level, consider first a computer (or another device) only programmed to look at the packets specifically addressed to it. A computer will ignore the rest of the traffic passing through the network unless otherwise specified. With a packet capture installed on a network, the computer interface will be set to promiscuous mode, which means it will look at everything travelling through the network. This allows it to see all packets, so it can inspect anything a SysAdmin tells it to. This is the basis of how packet capturing works.

Drilling down further, there are two fundamental approaches an IT team can take when performing packet capturing:

• Filtered packet capture involves capturing only certain packets of data containing the specific sets of information SysAdmin want to monitor
• Unfiltered packet capture involves capturing all of the packets passing through a network

The filtered method of packet capturing is often referred to as a process called packet filtering. Packet filtering is a specific firewall technique IT teams will implement to better manage and optimize network performance by monitoring outgoing and incoming select data packets.

To perform packet filtering, IT teams will apply filters over points where data is captured during its transmission process (typically network nodes, devices, and hardware). IT teams will then select the types of data they want to capture using conditional statements on their various network points. IT teams will then set filtering rules allowing certain packets to either pass through selected network points or be stopped based on the source and destination IP addresses, specific protocols, or ports. For example, a filter can be configured to capture data coming from a specific router if it contains a specific IP address. Packet filtering is also sometimes referred to as static filtering.

Packet filtering helps IT teams carry out packet capturing by ensuring the source and destination IP addresses both match one another. If they do, the packet will be marked secure and verified. But because a sender might utilize different applications and programs, packet filtering also checks source and destination protocols, like a User Datagram Protocol (UDP) or Transmission Control Protocol (TCP).

Packet filtering is usually an effective way to carry out packet capturing since it can be used as a defense against attacks from computers outside a local area network. Because many routing devices have built-in filtering capabilities, packet filtering is frequently considered a baseline process and thus a cost-effective way of boosting security via the packet capture processes.

Additionally, while packet filtering can be one way IT teams implement packet capture analysis, a common way to analyze network packets is via complete packet capturing, aka unfiltered packet capture. This involves capturing the full packet—both the header and the payload data. Unfiltered packet capturing works by collecting any data passed through a network and copying it onto the hard disk as it passes through. These copies can then be analyzed carefully for specific information or patterns.

In some cases, it’s important to monitor payload data since this section of the packet encompasses the actual meaningful data. However, for most monitoring purposes it’s enough to track only metadata, as this allows for valuable analysis around latency and other key metrics without requiring your system to take on the heavy load of processing large amounts of payload data.

When a user connects to the internet, they’re joining a large switch packet network run by your organization’s internet service provider (ISP). The ISP’s network communicates with networks maintained by other ISPs, and this forms the foundational base of the internet. A packet monitor can potentially monitor an array of your user’s online activities, including:

• What websites were visited
• What data was downloaded from said sites
• A list of email recipients
• The contents of any sent email from a network computer
• What a network user viewed when visiting a website
• What streaming sites are used (including audio, video and digital telephony streaming)

This helps provide a paper trail in case of a security incident, and acts as a way to log user activity to secure network access and show compliance.

Packet capture is important because it helps IT teams deal with network problems with greater ease and efficiencies.

Typically, when IT teams are tasked with managing their organizational network problems, admins will usually follow standard tests to locate the root cause of a problem and make adequate amends to correct it. These tests generally involve checking the source IP address (from the client and host), gateways, DNS server, and others, to verify connectivity with the local network and destination IP.

Although these steps are usually enough to diagnose simple problems, they don’t do enough to solve complex network problems. For complex issues, IT teams need a packet capture tool.

A packet capture system can help IT teams collect and analyze packet data, so they can more quickly gain basic, yet useful, packet information like time of capture, source and destination IP addresses, and protocol information.

With a packet capture system in place, IT teams can fulfill the following important duties:

• Fortify your security: Analyzing packets can give IT teams the requisite data to identify security flaws and breaches since it helps them determine a point of intrusion during a breach or security incident. Sudden spikes in network traffic, for instance, are often a good sign of a problem.
• Identify points of data leakage: By analyzing and monitoring payload content, IT teams can ascertain a data leakage point and understand the root cause behind the issue.
• Improved network troubleshooting: Data packet capture can help network administrators improve their troubleshooting efforts by granting them full visibility over a network resource.
• Locating data and packet loss: If a threat actor exfiltrated data from your organization, data packet capture can help the network administrator retrieve the stolen or lost information by acting as a paper trail of activity.
• Forensics: If malware, viruses, computer bugs, or other intrusions infect your organization’s computers, packet capture can help the network administrator determine the amount of damage caused by the problem. Once an initial analysis is completed, a SysAdmin can block network segments and traffic for certain network locations and mitigate the risk of losing important historical information and network data.

A packet capture tool helps IT teams perform packet capture analysis. It works by capturing network packets and storing them on either local or off-site storage, so they can be inspected by IT teams.

Usually, these tasks are impossible to carry out manually. It’s unrealistic to expect IT teams can stop every packet traversing their network. As such, a network packet capture tool will automate the process, and enable IT teams to set rules and filters to better monitor network traffic.

In addition to this basic monitoring capability, packet capture tools usually have a ton of helpful features, including:

• Real-time viewing of arriving packet counts
• Packet arrival time stamping
• Displaying of packet data like source and destination IPs or protocol type
• Parsing and collecting of port numbers, packet length, or TCP sequence numbers
• The ability to extract and export single packet data into a single packet capture file (usually .cap)
• The ability to load and import a past session from a previously saved capture file

SolarWinds Network Performance Monitor (NPM) is a robust cloud-based SaaS helping IT teams monitor the health and performance of large-scale enterprise networks. Along with a myriad of other helpful use cases, one of its primary functions is as a network packet capture tool.

NPM can help IT teams check application and network response time, so they can gain better insights into how end users are experiencing network performance. With the aid of this feature, IT teams can determine what’s causing a network to slow down, whether it’s an application or an issue with the network itself (like a faulty router or path congestion).

Additionally, NPM allows IT teams to identify their network traffic for over 1,200 applications, so they can better organize and evaluate what kind of data is passing through their networks. This insight can help admins understand current user experience across their network. What’s more, NPM enables IT teams to spot outlier traffic patterns, a potential sign of network intruders.

NPM ties all features up with advanced alerting and notification. With the ability to set alerts for critical changes and activity, IT teams will never miss a beat on their network activity.