
Why is Timestamping Important for Packet Capture

by Profitap | May 30, 2018 | ProfiShark, Network Security

Everything that happens on a network is time sensitive, which is why timestamps matter so much for packet capture and analysis. Accurate timestamps let you reconstruct and investigate cyberattacks, and they also let you examine traffic trends and measure network latency.

Network packet timestamping can be used to investigate events that have, in one way or another, affected your network performance. Recording the arrival time of every packet preserves the timing of the original traffic, so you can calculate per-link metrics such as utilization, or application performance figures such as TCP flow throughput, delay and jitter.


The Need for Timestamping 

An increasingly hostile digital world has made cybersecurity a priority for companies worldwide, small or large. There isn't a security team out there that hasn't struggled at least once with a critical threat.

To be able to counter (and even prevent) attacks or system errors, these teams need complete access to and visibility into their networks. In other words, they need products that can capture packets and correlate them across capture points, so that threats are detected early and contained.

The ability to timestamp packets with high precision is therefore essential to understanding what is going on in the network at a packet-by-packet level. Accurate time information is important for legal and criminal investigations, and the same applies to forensic analysis: a timeline is only as trustworthy as the clock that produced it.

Effective visibility platforms include advanced network access devices (Network TAPs and Network Packet Brokers) that copy traffic from production links to monitoring and analysis tools. Almost all of their features require accurate timing; in other words, they need to support timestamps.

What Does Timestamping Actually Mean

A timestamp is a sequence of characters that identifies when an event occurred by giving the date and time of day, sometimes accurate to a small fraction of a second.

In a nutshell, a packet timestamp is a snapshot of the capture device's clock, associated with each incoming (and sometimes each outgoing) packet. It records the moment the packet passed through your network access device.

There are ingress timestamps, specifying the moment the first bit of the packet was received by the device, and egress timestamps, specifying the moment the first bit of the packet was transmitted out of the device.

 

Incorrectly timed packets delay the identification and resolution of issues, because events can no longer be placed in their true order. That is what makes timestamping essential.

With some TAPs, packets can be processed and delivered to the host out of order, depending on their size: a small frame that arrived after a large one may be written to the capture file first. On a live host the network stack would hide this (TCP, for example, reorders segments by sequence number), but a capture file is a record of the wire, not a reassembled stream, so nothing corrects the order for you.

Knowing the exact time when the first bit of each packet was received by the TAP (the ingress timestamp) ensures that packets processed out of order do not become a problem when analyzing the pcap file. With accurate timestamps in place, they can be sorted back into arrival order with a packet analyzer such as Wireshark.
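The following is an added example, not Profitap code, that shows what that sorting step looks like when done by hand rather than in Wireshark's GUI. It parses a classic libpcap file (24-byte global header, 16-byte record headers, the timestamp stored as seconds since the Unix epoch plus a sub-second field, which is also the form referred to later in this article), accepts both the microsecond magic 0xA1B2C3D4 and the nanosecond magic 0xA1B23C4D in either byte order, sorts the records by ingress timestamp, and derives inter-arrival delay and jitter. The capture it operates on is constructed inline: four frames whose file order differs from their arrival order, as described above. All frame contents, timestamps and helper names are assumptions for the demonstration.

```python
"""Sort a libpcap capture by hardware ingress timestamp and derive delay/jitter.

Added example (not Profitap code). Assumes the classic libpcap file layout;
the sample capture below is constructed for the demonstration.
"""
import struct
from typing import List, Tuple

MAGIC_USEC = 0xA1B2C3D4   # record timestamps are seconds + microseconds
MAGIC_NSEC = 0xA1B23C4D   # record timestamps are seconds + nanoseconds
GLOBAL_HDR = "IHHiIII"    # magic, ver major, ver minor, tz, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"       # ts_sec, ts_frac, incl_len, orig_len

Record = Tuple[int, bytes]  # (ingress timestamp in integer nanoseconds, frame bytes)


def parse_pcap(data: bytes) -> List[Record]:
    """Return (ts_ns, frame) tuples in file order; raise ValueError on a malformed file."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    magic_le, = struct.unpack_from("<I", data, 0)
    magic_be, = struct.unpack_from(">I", data, 0)
    if magic_le in (MAGIC_USEC, MAGIC_NSEC):
        endian, magic = "<", magic_le
    elif magic_be in (MAGIC_USEC, MAGIC_NSEC):
        endian, magic = ">", magic_be
    else:
        raise ValueError("not a libpcap file: magic 0x%08x" % magic_le)
    scale = 1_000 if magic == MAGIC_USEC else 1     # sub-second field -> nanoseconds
    rec_hdr = struct.Struct(endian + RECORD_HDR)
    records: List[Record] = []
    off = 24
    while off < len(data):
        if off + rec_hdr.size > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, _orig_len = rec_hdr.unpack_from(data, off)
        off += rec_hdr.size
        if off + incl_len > len(data):
            raise ValueError("truncated frame data at offset %d" % off)
        records.append((ts_sec * 1_000_000_000 + ts_frac * scale, data[off:off + incl_len]))
        off += incl_len
    return records


def sort_by_timestamp(records: List[Record]) -> List[Record]:
    """Restore arrival order. sorted() is stable, so equal timestamps keep file order."""
    return sorted(records, key=lambda r: r[0])


def inter_arrival_ns(records: List[Record]) -> List[int]:
    """Gap between consecutive records; negative gaps reveal out-of-order delivery."""
    ts = [r[0] for r in records]
    return [b - a for a, b in zip(ts, ts[1:])]


def jitter_ns(records: List[Record]) -> int:
    """Mean absolute change between consecutive inter-arrival gaps."""
    gaps = inter_arrival_ns(records)
    if len(gaps) < 2:
        return 0
    diffs = [abs(b - a) for a, b in zip(gaps, gaps[1:])]
    return sum(diffs) // len(diffs)


def build_pcap(frames: List[Record], nanosecond: bool = True, endian: str = "<") -> bytes:
    """Serialize frames into a libpcap file (linktype 1 = Ethernet) in the given order."""
    magic = MAGIC_NSEC if nanosecond else MAGIC_USEC
    out = struct.pack(endian + GLOBAL_HDR, magic, 2, 4, 0, 0, 65535, 1)
    for ts_ns, frame in frames:
        frac = ts_ns % 1_000_000_000
        if not nanosecond:
            frac //= 1_000                            # precision is lost here
        out += struct.pack(endian + RECORD_HDR, ts_ns // 1_000_000_000, frac, len(frame), len(frame))
        out += frame
    return out


# Constructed sample: TAP processing order, which differs from arrival order.
BASE_NS = 1_527_638_400 * 1_000_000_000            # 2018-05-30 00:00:00 UTC
FRAMES: List[Record] = [
    (BASE_NS + 0,     b"A" * 64),
    (BASE_NS + 1_640, b"C" * 64),                  # small frame, arrived 3rd, written 2nd
    (BASE_NS + 1_000, b"B" * 1500),                # large frame, arrived 2nd, written 3rd
    (BASE_NS + 3_000, b"D" * 64),
]
SAMPLE_PCAP = build_pcap(FRAMES)

if __name__ == "__main__":
    recs = parse_pcap(SAMPLE_PCAP)
    print("file order  :", [r[1][:1] for r in recs], inter_arrival_ns(recs))
    recs = sort_by_timestamp(recs)
    print("sorted order:", [r[1][:1] for r in recs], inter_arrival_ns(recs), "jitter", jitter_ns(recs))
```

Run as a script it prints the negative gap in file order and the corrected gaps after sorting. The same sample written with the microsecond magic gives frames B and C identical timestamps, so their order can no longer be recovered; that is the practical reason for sub-microsecond hardware timestamps. On the command line, Wireshark's bundled `reordercap` utility performs the same timestamp sort on a capture file.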

 

An Essential Feature for Cybersecurity

An important requirement when you start capturing packets is knowing the exact date and time at which each one was captured. This matters especially when different time zones or capture points are involved, and in applications such as compliance, troubleshooting, capacity planning, intrusion detection and the prevention of cyberattacks.

Advanced capture devices therefore need nanosecond-precision timestamping built into their hardware, applied as each packet arrives. This ensures the capture file records the actual time at which each packet occurred on the network, rather than the later time at which the capture software on the host got around to processing it.

The time stamped on each packet also lets you measure network delays and monitor performance. It is equally important for sampling and analysis, and in logs and reports, to record when a certain event happened.

When troubleshooting a network or application issue, or performing security forensics, it is extremely practical to see the data in real time. During a network crisis, network and system teams often blame each other because there is no correlation between network and server data that matches packet-level response times.

A packet capture tool that can correlate packets on the network in real time, and that has precise timestamping, is key to resolving an issue rapidly. It also reduces the chance that an issue escalates, because it is identified as soon as it occurs.

 

Timestamping with ProfiShark

The ProfiShark series are powerful, compact network capture devices dedicated to network analysis and troubleshooting. They deliver ready-to-analyze capture files; the only additional hardware you need is a laptop or desktop PC with a free USB 3.0 port.

All ProfiShark network TAPs feature timestamping. They capture and transfer packets in real time with 8-nanosecond-resolution timestamps applied in hardware to each packet as it enters the TAP. This allows real-time protocol analysis of captured traffic with nanosecond resolution.

ProfiShark provides not only timestamping but also line-rate capture, a combination that is unique on the market.

ProfiShark 10+ with Timestamping

When the timestamp feature is enabled, the ProfiShark adds a Unix-formatted timestamp (seconds since the Unix epoch, with a sub-second fraction) to the header of each packet's data, which your network analyzer can then decode in both live and direct capture modes. We recommend Wireshark for analysis, but the ProfiShark is compatible with many other popular analyzers too.

Moreover, the ProfiShark 1G+ and 10G+ include GPS and PPS functionality for advanced timestamping. This keeps your full packet capture system disciplined to the current time, for quick and accurate forensic analysis.

 

The GPS chip retrieves UTC time and synchronizes it with the internal PPS, with a precision of ±16 ns. The + models can also retrieve the time via SNTP, or use the internal RTC (real-time clock) and synchronize it to an external PPS signal. A PPS output is also available, for synchronization with another ProfiShark device or with any other device that accepts a PPS input.

These time sources can be combined in different ways, giving several options for accurate and precise timestamping of your live packets. Bear in mind that SNTP over a network typically yields millisecond-level accuracy, so it is a fallback for setting the clock rather than a substitute for GPS or PPS when captures from several devices must be correlated at nanosecond resolution.

Don't forget to read our Evolution of Portable Packet Capture Solutions article to find out which portable network TAPs are out there and how the ProfiShark series gives you true portability.
