NCAP - Distributed network capture with shared analysis

Paul Vixie; Jun Murai

NCAP - Distributed network capture with shared analysis

University

Research output: Contribution to journal › Article › peer-review

Abstract

We describe NCAP, a new network capturing tool for distributed sensor systems. NCAP operates on messages rather than on packets, and so performs full IP reassembly at the point of measurement. The resulting data can either be managed as files or be transmitted as encapsulated UDP datagrams either unicast or multicast. The NCAP library is highly portable with C and Python interfaces, and has a plug-in mechanism whereby analysis logic can be written discretely and without regard to the handling of encapsulated datagrams or files. The primary application of NCAP is the Security Information Exchange, where cooperating distributed sensor operators now submit captured DNS traffic to a centralized location for subsequent long-running analysis. Examples of value added reprocessing and rebroadcast will be shown, as well as samples of captured traffic and of possible security problems illuminated by our analysis. These results will show that NCAP makes it possible to capture, share, and analyze live network data on a larger scale than has ever been done.

Original language	English
Pages (from-to)	133-143
Number of pages	11
Journal	Computer Software
Volume	27
Issue number	4
Publication status	Published - 2010

ASJC Scopus subject areas

Software

Access to Document

Fingerprint Dive into the research topics of 'NCAP - Distributed network capture with shared analysis'. Together they form a unique fingerprint.

Cite this

@article{f8850daedc794ee6a9ef11b9a9f80cef,

title = "NCAP - Distributed network capture with shared analysis",

abstract = "We describe NCAP, a new network capturing tool for distributed sensor systems. NCAP operates on messages rather than on packets, and so performs full IP reassembly at the point of measurement. The resulting data can either be managed as files or be transmitted as encapsulated UDP datagrams either unicast or multicast. The NCAP library is highly portable with C and Python interfaces, and has a plug-in mechanism whereby analysis logic can be written discretely and without regard to the handling of encapsulated datagrams or files. The primary application of NCAP is the Security Information Exchange, where cooperating distributed sensor operators now submit captured DNS traffic to a centralized location for subsequent long-running analysis. Examples of value added reprocessing and rebroadcast will be shown, as well as samples of captured traffic and of possible security problems illuminated by our analysis. These results will show that NCAP makes it possible to capture, share, and analyze live network data on a larger scale than has ever been done.",

author = "Paul Vixie and Jun Murai",

year = "2010",

language = "English",

volume = "27",

pages = "133--143",

journal = "Computer Software",

issn = "0289-6540",

publisher = "Japan Society for Software Science and Technology",

number = "4",

}

TY - JOUR

T1 - NCAP - Distributed network capture with shared analysis

AU - Vixie, Paul

AU - Murai, Jun

PY - 2010

Y1 - 2010

N2 - We describe NCAP, a new network capturing tool for distributed sensor systems. NCAP operates on messages rather than on packets, and so performs full IP reassembly at the point of measurement. The resulting data can either be managed as files or be transmitted as encapsulated UDP datagrams either unicast or multicast. The NCAP library is highly portable with C and Python interfaces, and has a plug-in mechanism whereby analysis logic can be written discretely and without regard to the handling of encapsulated datagrams or files. The primary application of NCAP is the Security Information Exchange, where cooperating distributed sensor operators now submit captured DNS traffic to a centralized location for subsequent long-running analysis. Examples of value added reprocessing and rebroadcast will be shown, as well as samples of captured traffic and of possible security problems illuminated by our analysis. These results will show that NCAP makes it possible to capture, share, and analyze live network data on a larger scale than has ever been done.

AB - We describe NCAP, a new network capturing tool for distributed sensor systems. NCAP operates on messages rather than on packets, and so performs full IP reassembly at the point of measurement. The resulting data can either be managed as files or be transmitted as encapsulated UDP datagrams either unicast or multicast. The NCAP library is highly portable with C and Python interfaces, and has a plug-in mechanism whereby analysis logic can be written discretely and without regard to the handling of encapsulated datagrams or files. The primary application of NCAP is the Security Information Exchange, where cooperating distributed sensor operators now submit captured DNS traffic to a centralized location for subsequent long-running analysis. Examples of value added reprocessing and rebroadcast will be shown, as well as samples of captured traffic and of possible security problems illuminated by our analysis. These results will show that NCAP makes it possible to capture, share, and analyze live network data on a larger scale than has ever been done.

UR - http://www.scopus.com/inward/record.url?scp=78650816382&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=78650816382&partnerID=8YFLogxK

M3 - Article

AN - SCOPUS:78650816382

VL - 27

SP - 133

EP - 143

JO - Computer Software

JF - Computer Software

SN - 0289-6540

IS - 4

ER -