Sometimes a small trace file is not enough to pinpoint the cause of a problem. Trace files collected over a month let us see traffic trends and spot anomalies, and a security investigation may require searching through very large forensic trace files. In these situations, for both troubleshooting and security investigations, long-term traffic capture is essential.
However, bringing a packet-analysis PC into an enterprise network is often not an option. A PC (Windows or Linux) presents a large attack surface: operating-system vulnerabilities, many interfaces (Wi-Fi, wired, USB) and application-level weaknesses. Using a ProfiShark portable capture device together with a PC in a customer's network is therefore difficult, because neither security nor stability can be guaranteed.
That is why Profitap came up with a solution for ProfiShark devices: the ability to connect directly to a NAS system. We can now capture, create and transfer trace files straight to a NAS, without the need for a PC. A NAS can also be set up with extensive storage and provides fault tolerance, such as RAID.
A NAS is much more stable than a PC, and turning it into a long-term capture and analysis system costs little time or money. All you have to do is install the ProfiShark package on an Intel-based Synology NAS and connect a USB 3.0 cable from the ProfiShark to the NAS.
Of course, ProfiShark's full functionality is still available, such as ring-buffer or normal capture mode, and splitting the capture into separate files by time and size. Moreover, the ProfiShark with NAS solution provides useful statistics screens, pie charts and histograms for long-term traffic.
Long-Term Capture Hands On
For the following long-term capture hands-on, we used a ProfiShark 1G connected with a Synology NAS. All configurations are done in the Web UI of the NAS.
▶ Note: We used the ProfiShark NAS solution demo site.
STEP 1: LOGIN
Log into Synology NAS via WebUI, then click the top-left menu button to access the ProfiShark icon. The ProfiShark window appears.
Figure 2: Synology NAS WebUI + ProfiShark window
STEP 2: CAPTURE STATUS
Check the Capture status in the ProfiShark window. Here "Connected Profishark-1Gv5" is shown as the Device status, and we can check the capture status, total captured bytes, and so on.
You can also control the capture with the 'Start capture' and 'Stop capture' buttons. If you want to select specific in-line ports or enable packet slicing, you can do so in the Device Configuration section.
Figure 3: Capture status and Device Configuration section
STEP 3: LONG-TERM CAPTURE SETTINGS
Now you can set the long-term capture settings in the Capture configuration section, and set the destination path for trace files in Capture directory.
If you want the oldest file to be overwritten once the limit is reached, check the "Ring buffer" box. You can set Maximum files, Maximum file size (in MB) and Maximum file duration. In this case we need to capture and create hourly trace files for a month in the /capture directory. We set it all up as below:
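To make the interaction between the three limits and the "Ring buffer" checkbox concrete, here is a small simulator of the rotation policy. It is an added example written for this article, not ProfiShark's own code or configuration format: the file is rolled when either the duration or the size limit is hit, the oldest file is overwritten when Maximum files is reached and Ring buffer is on, and (an assumption, not stated on the page) capture simply stops at that point when Ring buffer is off. The values used below (720 hourly files, 1024 MB, 1500-byte packets) are constructed to match the "hourly files for a month" scenario.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class CaptureConfig:
    ring_buffer: bool       # overwrite the oldest file once max_files is reached
    max_files: int          # "Maximum files"
    max_file_mb: int        # "Maximum file size (in MB)"
    max_file_seconds: int   # "Maximum file duration", in seconds


@dataclass
class TraceFile:
    index: int
    start_ts: float
    size: int = 0           # bytes written so far


class RingBufferCapture:
    """Models the roll-over / overwrite decisions only; nothing is written to disk."""

    def __init__(self, cfg: CaptureConfig):
        self.cfg = cfg
        self.files = deque()      # retained trace files, oldest first
        self.current = None
        self.created = 0
        self.overwritten = 0
        self.dropped = 0
        self.stopped = False

    def _open(self, ts: float) -> None:
        if len(self.files) >= self.cfg.max_files:
            if not self.cfg.ring_buffer:
                # Assumed behaviour: a plain capture stops when the file limit is hit.
                self.stopped = True
                self.current = None
                return
            self.files.popleft()          # ring buffer: drop the oldest file
            self.overwritten += 1
        self.current = TraceFile(self.created, ts)
        self.files.append(self.current)
        self.created += 1

    def write(self, ts: float, length: int) -> bool:
        """Account one packet of `length` bytes captured at time `ts` (seconds)."""
        if self.stopped:
            self.dropped += 1
            return False
        max_bytes = self.cfg.max_file_mb * 1024 * 1024
        if (self.current is None
                or ts - self.current.start_ts >= self.cfg.max_file_seconds
                or self.current.size + length > max_bytes):
            self._open(ts)
            if self.stopped:
                self.dropped += 1
                return False
        self.current.size += length
        return True

    def summary(self) -> dict:
        return {
            "created": self.created,
            "retained": len(self.files),
            "overwritten": self.overwritten,
            "dropped": self.dropped,
            "oldest_start_hours": self.files[0].start_ts / 3600 if self.files else None,
        }


def simulate(cfg: CaptureConfig, seconds: int, interval_s: int = 60, packet_len: int = 1500) -> dict:
    """Feed a constructed, perfectly regular packet stream through the policy."""
    cap = RingBufferCapture(cfg)
    for ts in range(0, seconds, interval_s):
        cap.write(ts, packet_len)
    return cap.summary()


if __name__ == "__main__":
    month = CaptureConfig(ring_buffer=True, max_files=720, max_file_mb=1024, max_file_seconds=3600)
    print("31 days, ring buffer:", simulate(month, 31 * 86400))
    print("1 day, no ring buffer, 2 files:",
          simulate(CaptureConfig(False, 2, 1024, 3600), 86400))
```

Running the 31-day scenario shows 744 hourly files created, 720 retained and the first 24 overwritten, so the NAS always holds the most recent 30 days. With the ring buffer unchecked and only two files allowed, everything after the second hour is lost, which is why the checkbox matters for an unattended capture.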
Figure 4: Capture configuration section
STEP 4: LONG-TERM CAPTURE STATISTICS
You can also check live statistics in the Statistics section, with a bar chart and a pie chart in the window on the right.
The statistics table lists Bytes, Valid Packets, Packets with size < 64, Packets with size between 64 and 1518, Packets with size > 1518, Collisions, CRC errors and Jabber, each shown as Port A total, Port A/s, Port B total and Port B/s.
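To show what those counters actually measure, the following added example (written for this article, not ProfiShark's firmware) builds a few constructed Ethernet frames with real CRC-32 frame check sequences, classifies each frame into the size buckets from the table, and derives the per-port totals and the "/s" rates from two snapshots. The classification rules are assumptions based on the usual RMON conventions: a frame with a bad FCS counts as a CRC error if it is at most 1518 bytes and as Jabber if it is longer; Valid Packets are 64 to 1518 bytes with a good FCS. Collisions are a physical-layer event that cannot be derived from frame bytes, so they are not modelled.

```python
import struct
import zlib
from collections import Counter

# Constructed Ethernet header (dst, src, EtherType 0x0800); sample values only.
ETH_HDR = bytes.fromhex("001122334455" "66778899aabb" "0800")

COUNTERS = ("Bytes", "Valid Packets", "Packets < 64", "Packets 64-1518",
            "Packets > 1518", "CRC errors", "Jabber")


def build_frame(total_len: int, good_fcs: bool = True) -> bytes:
    """Header + zero payload + 4-byte FCS, total_len bytes on the wire."""
    body = ETH_HDR + bytes(total_len - len(ETH_HDR) - 4)
    fcs = zlib.crc32(body) & 0xFFFFFFFF          # Ethernet FCS is CRC-32, LSB first
    if not good_fcs:
        fcs ^= 0xDEADBEEF                        # constructed corruption
    return body + struct.pack("<I", fcs)


def fcs_ok(frame: bytes) -> bool:
    expected = struct.unpack("<I", frame[-4:])[0]
    return (zlib.crc32(frame[:-4]) & 0xFFFFFFFF) == expected


def classify(frame: bytes) -> Counter:
    """Increments for one frame, using the table's size buckets (assumed rules)."""
    n, ok = len(frame), fcs_ok(frame)
    hits = Counter({"Bytes": n})
    if n < 64:
        hits["Packets < 64"] += 1
    elif n <= 1518:
        hits["Packets 64-1518"] += 1
    else:
        hits["Packets > 1518"] += 1
    if ok and 64 <= n <= 1518:
        hits["Valid Packets"] += 1
    if not ok:
        hits["Jabber" if n > 1518 else "CRC errors"] += 1
    return hits


def port_totals(frames) -> Counter:
    total = Counter({k: 0 for k in COUNTERS})
    for f in frames:
        total.update(classify(f))
    return total


def per_second(prev: Counter, cur: Counter, seconds: float) -> dict:
    """The 'Port X/s' columns: counter delta between two snapshots divided by time."""
    return {k: (cur[k] - prev[k]) / seconds for k in COUNTERS}


# Constructed sample traffic: port A sees runts, a CRC error and a jabber frame.
PORT_A = [build_frame(60), build_frame(64), build_frame(1518),
          build_frame(1518, good_fcs=False), build_frame(1600),
          build_frame(1600, good_fcs=False)]
PORT_B = [build_frame(500)]


if __name__ == "__main__":
    a, b = port_totals(PORT_A), port_totals(PORT_B)
    for k in COUNTERS:
        print(f"{k:16s} Port A total={a[k]:6d}  Port B total={b[k]:6d}")
    # rate over a 10 s interval, pretending the first snapshot was empty
    print("Port A/s:", per_second(Counter(), a, 10.0))
```

The runt frame (60 bytes) has a correct FCS but still lands outside Valid Packets, while the two oversized frames are split between the plain "> 1518" bucket and Jabber depending on their FCS; that is the distinction a sudden rise in the Jabber column is telling you about.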
If you want to reset counters, simply push the ‘Reset statistics’ button.
Figure 4: Statistics section and Graph
For long-term capture, the ProfiShark with a Synology NAS is a powerful, flexible and cost-effective solution for enterprise monitoring.
This article is an extract from "ProfiShark Long-Term Capture Review" by Megumi Takeshita — Network Analyst and Packet Analysis Hero