ThreatEye How-To Guide: Intelligent PCAP
How to Apply Intelligent Packet Capture
Intelligent packet capture is easy to configure yet extremely powerful.
The below screenshot is the web view of the Omnipeek UI. It manages all LiveAction appliances, including LiveWire Edge, LiveWire Core, Power Core or LiveWire virtual. As soon as a LiveWire is purchased, go to the to the IP address associated and this UI will pop up on the home page.
This is the “Home” view:
Let’s move to the “Captures” view:
The “Captures” area shows current captures. On the right-hand side, you can select the box for “+ New Capture.”
Within the “ + New Capture” view, there is an option to select “Intelligent CTD”. This stands for Capture to Disc. Check the box to turn it on. Once a new data capturing session begins, the Intelligent Packet Capture setting will be applied.
What does Intelligent Packet Capture do?
Intelligent Packet Capture slices off the encrypted portion of the packet at the payload. Most traffic that travels across the web today is encrypted, HTTPS using SSL. In most cases, the customer does not have the appropriate key to decrypt the data, resulting in storage space used for encrypted data that is useless to the customer and that could be reallocated to longer data retention times.
Why is It Called Intelligent Packet Capture?
The reason we call it intelligent is for two reasons:
- LiveWire is smart enough to recognize which flows have encrypted payloads and which internet protocol is being communicated.
- LiveWire is smart enough to know where to slice the packet to leave a full packet header. The header is a different size depending on the protocol used. For example, for HTTP the packet is sliced after the 64th bite or if it’s e-mail, it’s sliced after the 32nd bite.
Want to step through this or any part of the UI together? Schedule a quick demo and we’ll walk through your use case.