NCAP - Distributed network capture with shared analysis

Paul Vixie, Jun Murai

Research output: Contribution to journal › Article

Abstract

We describe NCAP, a new network capturing tool for distributed sensor systems. NCAP operates on messages rather than on packets, and so performs full IP reassembly at the point of measurement. The resulting data can either be managed as files or be transmitted as encapsulated UDP datagrams either unicast or multicast. The NCAP library is highly portable with C and Python interfaces, and has a plug-in mechanism whereby analysis logic can be written discretely and without regard to the handling of encapsulated datagrams or files. The primary application of NCAP is the Security Information Exchange, where cooperating distributed sensor operators now submit captured DNS traffic to a centralized location for subsequent long-running analysis. Examples of value added reprocessing and rebroadcast will be shown, as well as samples of captured traffic and of possible security problems illuminated by our analysis. These results will show that NCAP makes it possible to capture, share, and analyze live network data on a larger scale than has ever been done.

Original language: English
Pages (from-to): 133-143
Number of pages: 11
Journal: Computer Software
Volume: 27
Issue number: 4
Publication status: Published - 2010

ASJC Scopus subject areas

  • Software

Cite this

NCAP - Distributed network capture with shared analysis. / Vixie, Paul; Murai, Jun.

In: Computer Software, Vol. 27, No. 4, 2010, p. 133-143.

Vixie, Paul ; Murai, Jun. / NCAP - Distributed network capture with shared analysis. In: Computer Software. 2010 ; Vol. 27, No. 4. pp. 133-143.
@article{f8850daedc794ee6a9ef11b9a9f80cef,
title = "NCAP - Distributed network capture with shared analysis",
author = "Paul Vixie and Jun Murai",
year = "2010",
language = "English",
volume = "27",
pages = "133--143",
journal = "Computer Software",
issn = "0289-6540",
publisher = "Japan Society for Software Science and Technology",
number = "4",
}

TY - JOUR

T1 - NCAP - Distributed network capture with shared analysis

AU - Vixie, Paul

AU - Murai, Jun

PY - 2010

Y1 - 2010

UR - http://www.scopus.com/inward/record.url?scp=78650816382&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=78650816382&partnerID=8YFLogxK

M3 - Article

VL - 27

SP - 133

EP - 143

JO - Computer Software

JF - Computer Software

SN - 0289-6540

IS - 4

ER -