Abstract
We describe NCAP, a new network capturing tool for distributed sensor systems. NCAP operates on messages rather than on packets, and so performs full IP reassembly at the point of measurement. The resulting data can either be managed as files or be transmitted as encapsulated UDP datagrams either unicast or multicast. The NCAP library is highly portable with C and Python interfaces, and has a plug-in mechanism whereby analysis logic can be written discretely and without regard to the handling of encapsulated datagrams or files. The primary application of NCAP is the Security Information Exchange, where cooperating distributed sensor operators now submit captured DNS traffic to a centralized location for subsequent long-running analysis. Examples of value added reprocessing and rebroadcast will be shown, as well as samples of captured traffic and of possible security problems illuminated by our analysis. These results will show that NCAP makes it possible to capture, share, and analyze live network data on a larger scale than has ever been done.
| Original language | English |
|---|---|
| Pages (from-to) | 133-143 |
| Number of pages | 11 |
| Journal | Computer Software |
| Volume | 27 |
| Issue number | 4 |
| Publication status | Published - 2010 |
Fingerprint
ASJC Scopus subject areas
- Software
Cite this
NCAP - Distributed network capture with shared analysis. / Vixie, Paul; Murai, Jun.
In: Computer Software, Vol. 27, No. 4, 2010, p. 133-143.Research output: Contribution to journal › Article
}
TY - JOUR
T1 - NCAP - Distributed network capture with shared analysis
AU - Vixie, Paul
AU - Murai, Jun
PY - 2010
Y1 - 2010
N2 - We describe NCAP, a new network capturing tool for distributed sensor systems. NCAP operates on messages rather than on packets, and so performs full IP reassembly at the point of measurement. The resulting data can either be managed as files or be transmitted as encapsulated UDP datagrams either unicast or multicast. The NCAP library is highly portable with C and Python interfaces, and has a plug-in mechanism whereby analysis logic can be written discretely and without regard to the handling of encapsulated datagrams or files. The primary application of NCAP is the Security Information Exchange, where cooperating distributed sensor operators now submit captured DNS traffic to a centralized location for subsequent long-running analysis. Examples of value added reprocessing and rebroadcast will be shown, as well as samples of captured traffic and of possible security problems illuminated by our analysis. These results will show that NCAP makes it possible to capture, share, and analyze live network data on a larger scale than has ever been done.
AB - We describe NCAP, a new network capturing tool for distributed sensor systems. NCAP operates on messages rather than on packets, and so performs full IP reassembly at the point of measurement. The resulting data can either be managed as files or be transmitted as encapsulated UDP datagrams either unicast or multicast. The NCAP library is highly portable with C and Python interfaces, and has a plug-in mechanism whereby analysis logic can be written discretely and without regard to the handling of encapsulated datagrams or files. The primary application of NCAP is the Security Information Exchange, where cooperating distributed sensor operators now submit captured DNS traffic to a centralized location for subsequent long-running analysis. Examples of value added reprocessing and rebroadcast will be shown, as well as samples of captured traffic and of possible security problems illuminated by our analysis. These results will show that NCAP makes it possible to capture, share, and analyze live network data on a larger scale than has ever been done.
UR - http://www.scopus.com/inward/record.url?scp=78650816382&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=78650816382&partnerID=8YFLogxK
M3 - Article
VL - 27
SP - 133
EP - 143
JO - Computer Software
JF - Computer Software
SN - 0289-6540
IS - 4
ER -