Lossless Packet Capture & Log Manager,
With Deterministic Performance
Lossless packet capture, with data enrichment, is the immutable ground truth of any critical event – not merely an interpretation. Packet Continuum provides a performance guarantee of sustained lossless capture rate, for a set of real-time packet analytics (Log Manager) functions, and a specified number of Packet Continuum cluster nodes. This means a deterministic guarantee to capture every packet under real world conditions, not just a “best effort” attempt.
- Lossless packet capture from 1Gbps, to 40Gbps, to 100+Gbps telco interfaces
- Time stamping of 150 nanoseconds
- Real-time indexing, for efficient query and retrieval of retrospective PCAP data or IPFIX records
- Real-time IDS alert configurator generates event logs for HTTP, Files, DNS, email, user agents, TLS/SSL, VOIP – all cross-correlated with PCAP & IPFIX flow records
- Log Manager advanced packet analytics options include real-time event logging & cross-correlation:
  - Behavior and Signature Visibility
  - Multi-signature and behavior event logging
  - Simplified search and logging for Email, HTTP, SMTP, Files, DNS, User Agents, TLS/SSL
  - Active Triggers (BPF signature)
  - 100 Snort rules (emerging-DNS, emerging-ftp, and files)
  - System events
- Log Manager search actions:
  - All logs are time-correlated with PCAPs and IPFIX data
  - Text string search of logs
  - IPFIX flow record logging and search
- Scalable architecture to meet your speed and/or analytics requirements
- Federate multiple cluster-based capture systems, for global visibility and PCAP retrieval
Packet Continuum simplifies your workflow by integrating endpoint behavior visibility, network signature visibility and DPI with a simple pivot to the sessionized network data, enriched metadata and file recovery. Nearly 2/3 of breaches per incident are easy to catch (administrative issues, for example); mitigate them by implementing effective, basic cyber practice policies, such as tracking user agent signature characteristics, email and file exfiltration.
Labor / Cost Reduction
Combine zero-day alerting with a pivot for analysis/mitigation and with historical post-breach forensic analysis, including “cyber-espionage,” “point-of-sale intrusions,” and “privilege misuse.” Reduce the cost of the network recording software and systems needed for medium and large networks.
Reduce the labor needed to identify indicators of compromise with an easy process to pivot to sessionized data / enriched metadata and to reconstruct email and files for review.
Multiple features enable labor / cost reduction, including:
- Real-time Data Compression: In-line packet compression is transparent to the user. All packets are compressed as they are captured, and all extracted PCAP files are decompressed. Overall storage amplification up to 10x (depending on percentage of traffic with SSL encrypted or compressed packet payloads)
- Cluster architecture leverages CPU power over many servers for super-fast query response, while enabling low-cost local-attached storage on a massive scale. Forensic timelines smoothly scale over days, weeks & months.
- Massive queries over large timelines respond quickly, even as the timeline increases
- Federated search across multiple Packet Continuum appliances at diverse geographic locations, without any “concentrators” required
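Why the gain from the in-line compression item above depends on what the traffic carries, as an added example (this is not Packet Continuum code; the packet generator, packet size and traffic mix are constructed). Each packet is compressed on its own, as a capture engine must do if any single packet is to be extractable later, and the amplification figure is simply raw bytes divided by stored bytes:

```python
"""Per-packet in-line compression and why its gain depends on payload type.
Added example, not Packet Continuum code: the packet generator, packet size
and traffic mix below are constructed."""
import random
import zlib
from typing import List, Tuple


def make_packet(kind: str, size: int = 1400, seed: int = 7) -> bytes:
    """Constructed payloads: redundant HTTP-like text, or TLS-like random bytes."""
    if kind == "text":
        line = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n"
        return (line * (size // len(line) + 1))[:size]
    if kind == "encrypted":
        # Ciphertext is indistinguishable from random bytes: nothing to compress
        rng = random.Random(seed)
        return bytes(rng.getrandbits(8) for _ in range(size))
    raise ValueError(f"unknown packet kind: {kind}")


def compress_stream(packets: List[bytes], level: int = 6) -> Tuple[int, int]:
    """Compress each packet on its own (so any single packet can be extracted
    and decompressed later without its neighbours) and return (raw, stored) bytes."""
    raw = stored = 0
    for p in packets:
        raw += len(p)
        stored += len(zlib.compress(p, level))
    return raw, stored


def amplification(packets: List[bytes]) -> float:
    """Storage amplification = raw bytes / stored bytes (1.0 means no gain)."""
    raw, stored = compress_stream(packets)
    return raw / stored


def roundtrip_ok(packets: List[bytes]) -> bool:
    """Transparency check: every stored packet decompresses to the original."""
    return all(zlib.decompress(zlib.compress(p)) == p for p in packets)


# Constructed traffic mixes
TEXT_ONLY = [make_packet("text") for _ in range(50)]
TLS_ONLY = [make_packet("encrypted", seed=i) for i in range(50)]
MIXED = TEXT_ONLY[:25] + TLS_ONLY[:25]

if __name__ == "__main__":
    for name, pkts in (("text only", TEXT_ONLY), ("TLS only", TLS_ONLY), ("50/50 mix", MIXED)):
        print(f"{name:10s} amplification {amplification(pkts):5.2f}x  roundtrip ok: {roundtrip_ok(pkts)}")
```

Running it shows a large gain on the redundant text stream, a ratio slightly below 1.0 on the TLS-like stream (the per-packet framing overhead costs a few bytes and nothing is recovered), and a mixed stream landing in between, which is why the sheet quotes the 10x figure as an upper bound that depends on the encrypted and pre-compressed share of the traffic.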
Behavior / Signature Visibility & Logging
The Log Manager’s enhanced search capabilities, which allow an integrated pivot to PCAP and enriched metadata, enable behavior and signature visibility.
The IDS Alert configurator and DPI Analyzer enable multi-level signature and behavior event session search and logging. This gives you the ability to configure groupings of signature and unusual behavior alerts dynamically from a grouping of 30,000.
The real-time IDS alert configurator generates event logs for HTTP, Files, DNS, email, user agents, TLS/SSL, VOIP – all cross-correlated with PCAP & IPFIX flow records.
Email Search / Extraction
Identify and search email strings and subjects. Email extraction feature includes sender, receiver, subject line and text reconstruction.
- SMTP email session logging with body text in HTML format and file attachment reconstruction from the original MIME format
- SMTP subject, sender and receiver email address logging
Log Manager email tab showing SMTP email session extraction and reconstruction of an email attachment as an Excel file, with original content and metadata file
Packet Continuum simplifies the email session logging process with pivot to sessionized search and file recovery.
- Free form text search capability
- Clickable by event
- Second click initiates packet session recovery and file reconstruction
- Just two more clicks to the reconstructed file and meta data for that HTTP or SMTP email session
- All viewable and downloadable
List of SMTP email sessions, searchable by time stamp, capture node location, session information, and SMTP email address (sender / receiver). A user can click to get the full session packets, extract the email subject / text and reconstruct file attachments in their original MIME format (PDF, doc, etc.).
File Leakage / Exfiltration
Packet Continuum enables:
- HTTP, email and file transfer session logging and file identification
- Identification and reconstruction of files and associated metadata in original mime type for viewing and analysis
File Leakage Session showing logs and pivot to session search and file reconstruction with metadata
TLS / SSL Visibility
Gain visibility into TLS / SSL encrypted sessions. Log and extract sessionized PCAP data via timestamp, capture node and session information to recover the sessionized packets, then offload them to Wireshark, using customer-provided keys.
Packet Continuum’s new Federation Manager allows you to federate multiple capture appliances in multiple locations.
- Remote control capability via browser and REST API
- Federated View of all data
- MapReduce-style framework to extract packets, DPI data and logs across the federation
Federation manager dashboard for easy identification of Packet Continuum appliances/clusters that can even be in different physical locations. Your enterprise network can identify the IP address of each appliance and federate together for a single pane of glass view of all network data.
Federated search across PCAP data, DPI log data and flow records, as well as email text and files for reconstruction.
Federated list of SMTP email sessions with time stamp, capture node location, session information, and SMTP email address, sender, and receiver. The user can click to obtain the full session packets, extract email text and subject, and reconstruct attachments in their original MIME format (PDF, doc, etc.).
Scalable / Federated
Packet Continuum’s highly scalable, high-performance network data recorder supports forensic investigations driven by breach detection and changing threats, within a reasonable forensics timeline.
- Lightweight, federated control and data off-load capability
- Scales up smoothly for any combination of desired goals for capture speed, IDS alerting, Log Manager functions and extended forensic capture timeline
- Scalable to multiple “cluster nodes”:
  - Increased sustained capture rates
  - Increased packet analytics throughput
  - Extended storage timeline
- Capture nodes push packet processing operations to distributed cluster nodes, enabling:
  - PCAP storage, compression and indexing
  - Log Manager functions
- Federated search operates in parallel within the cluster, enabling very fast streaming results even with very large capture timelines
- Cluster-ready for smooth scale-up to very high performance
- Dynamic node management
- Hot swap / expand
Up to 100 “federated” capture appliances, where each Analyst has access to the federation via a web-based UI, without any need for intermediary data collectors or data concentrators.
Portable / Deployable
Packet Continuum is available on multiple platforms and custom configurations. The software layer provides common features (like a Web GUI, REST/API, and real-time packet analytics functions) on a variety of platforms, ranging from cost-efficient rackmount systems to unique high-throughput portables. Many of these powerful functions are standard on all systems, and many can be turned on or off, depending on the user application, to tune the solution for an optimal price/performance outcome.
Fast Query / Streaming
- Fast, Streamed Query Results
  - Every query has the option to return PCAP files, IPFIX records, and/or any log files.
  - All results are streamed in “chunks”: the first chunks appear almost immediately after the query starts, so partial results can be analyzed while the rest of the query completes.
- Historical “look-back” queries based on standard Berkeley Packet Filter (BPF) expressions within a time period.
- Active Trigger “look-forward” alerts, BPF-based and user-defined, can generate dozens of simultaneous alerts when the target condition occurs.
- Pre-capture filters (BPF-based) can be changed on-the-fly during capture operations
- All historical logs searchable by text string
- Real-time indexing
  - Every packet gets a timestamp and correlation index
  - Every log & alert event is cross-correlated to PCAPs and IPFIX flow records
- Streaming Playback Feature
  - PCAPs that have been searched/filtered/extracted with the Packet Continuum UI may be replayed out of a 1G copper RJ45 interface to an external device
  - Compatible with any 3rd-party capture/analysis tool, just like a SPAN/mirror port.
Great for recording, additional packet/signature analysis, or back-testing new firewall policies against real historical traffic.
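What the correlation index and the look-back query above amount to in practice, as an added example (not Packet Continuum code): alert events are tied back to flow records by their 5-tuple and timestamp, and a look-back is a time-window scan narrowed by host and port, the flow-record equivalent of a BPF `host X and port Y` filter. The Flow and Alert layouts, the `pcap_id` handle and all sample records are constructed; the timestamps are nanoseconds, matching the sheet’s nanosecond time stamping.

```python
"""Cross-correlating IDS alert events with IPFIX-style flow records by
timestamp and 5-tuple, plus a BPF-like look-back over a time window.
Added example, not Packet Continuum code: the Flow/Alert layouts, the
pcap_id handle and all sample records below are constructed."""
from bisect import bisect_right
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    start_ns: int      # flow start, nanoseconds since epoch
    end_ns: int        # flow end (last packet seen)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    pcap_id: str       # constructed handle to the stored PCAP chunk


@dataclass(frozen=True)
class Alert:
    ts_ns: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    sig: str


Key = Tuple[str, int, str, int, str]


def flow_key(src: str, sport: int, dst: str, dport: int, proto: str) -> Key:
    """Direction-independent 5-tuple key, so an alert raised on the server-to-client
    direction still maps to the flow record that was opened client-to-server."""
    a, b = (src, sport), (dst, dport)
    if a > b:
        a, b = b, a
    return (a[0], a[1], b[0], b[1], proto)


class FlowIndex:
    """Correlation index: flows grouped by 5-tuple, each group sorted by start time."""

    def __init__(self, flows: List[Flow]) -> None:
        self._flows: Dict[Key, List[Flow]] = {}
        for f in flows:
            self._flows.setdefault(flow_key(f.src, f.sport, f.dst, f.dport, f.proto), []).append(f)
        for lst in self._flows.values():
            lst.sort(key=lambda f: f.start_ns)
        # Parallel arrays of start times so a timestamp can be binary-searched
        self._starts: Dict[Key, List[int]] = {k: [f.start_ns for f in v] for k, v in self._flows.items()}

    def flows_for(self, alert: Alert) -> List[Flow]:
        """Flows on the alert's 5-tuple whose lifetime covers the alert timestamp."""
        key = flow_key(alert.src, alert.sport, alert.dst, alert.dport, alert.proto)
        flows = self._flows.get(key, [])
        # Only flows that started at or before the alert can contain it ...
        upto = bisect_right(self._starts.get(key, []), alert.ts_ns)
        # ... and of those only ones that had not ended yet: client port reuse
        # puts several flows on one 5-tuple, and the time check disambiguates them
        return [f for f in flows[:upto] if f.end_ns >= alert.ts_ns]


def lookback(flows: List[Flow], t0_ns: int, t1_ns: int,
             host: Optional[str] = None, port: Optional[int] = None) -> List[Flow]:
    """Historical look-back: flows overlapping [t0, t1], optionally narrowed by a
    host and/or port in either direction."""
    hits = []
    for f in flows:
        if f.end_ns < t0_ns or f.start_ns > t1_ns:
            continue
        if host is not None and host not in (f.src, f.dst):
            continue
        if port is not None and port not in (f.sport, f.dport):
            continue
        hits.append(f)
    return sorted(hits, key=lambda f: f.start_ns)


# Constructed sample data (documentation-range addresses)
FLOWS = [
    Flow(1_000_000_000, 1_500_000_000, "10.0.0.5", 51234, "192.0.2.10", 443, "tcp", "pcap-0001"),
    # Same 5-tuple again after client port reuse: a later, distinct flow
    Flow(1_600_000_000, 1_900_000_000, "10.0.0.5", 51234, "192.0.2.10", 443, "tcp", "pcap-0002"),
    Flow(1_200_000_000, 1_300_000_000, "10.0.0.7", 40000, "192.0.2.53", 53, "udp", "pcap-0001"),
]
ALERTS = [
    # Raised on the server->client direction of the first TCP flow
    Alert(1_250_000_000, "192.0.2.10", 443, "10.0.0.5", 51234, "tcp", "tls-cert-anomaly"),
    # Falls in the gap between the two TCP flows: correlates to nothing
    Alert(1_550_000_000, "10.0.0.5", 51234, "192.0.2.10", 443, "tcp", "http-ua-suspicious"),
    Alert(1_250_000_000, "10.0.0.7", 40000, "192.0.2.53", 53, "udp", "dns-long-label"),
]


def correlate_all(flows: List[Flow], alerts: List[Alert]) -> Dict[str, List[str]]:
    """Map each alert signature to the pcap_id handles an analyst would pivot to."""
    idx = FlowIndex(flows)
    return {a.sig: [f.pcap_id for f in idx.flows_for(a)] for a in alerts}


if __name__ == "__main__":
    for sig, pcaps in correlate_all(FLOWS, ALERTS).items():
        print(f"{sig:22s} -> {pcaps or 'no covering flow'}")
    for f in lookback(FLOWS, 1_200_000_000, 1_400_000_000, port=53):
        print("look-back hit:", f.src, "->", f.dst, f.pcap_id)
```

The second alert is the case worth noticing: it matches a 5-tuple that exists in the index but falls between two flows on that tuple, so a key-only lookup would attach it to the wrong PCAP, and only the timestamp check keeps the correlation honest.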
Open Data interfaces
Packet Continuum’s open interfaces enable the use of 3rd-party commercial and open source tools, such as a SIEM, for additional cyber analytics.
- Open file formats and data viewers
  - Standard PCAP-NG file and IPFIX record extractions viewable in Wireshark or TShark
  - Log files and alerts viewable as CSV or text files in any compatible application such as MS Office.
- Remote access to file extractions with Web GUI
- PCAP playback feature for 3rd-party tools
Open REST/API for creating custom workflows to automate Incident Response, Policy-driven data retention, or interface to legacy analytics tools.
Web UI & REST API
- Innovative dynamic Sankey session relationship diagram shows top talkers and SRC/DST IP/port pairs
- One-click searches directly from the Sankey diagram, Time Graph or Critical Alerts log auto-populate the query request, simplifying the process of locating PCAP files
- Packet Continuum allows session, packet, alert and DPI data to be viewed without external tools or downloading to the local system. Besides viewing, the user can also create narrower, more focused searches from the data in view.
- Comprehensive Log Manager screen with tabs for each log type, allowing instant search and correlation with PCAP and IPFIX flow records
- Remote access to manage and control multiple devices including hot accessible cluster node changes
- Control of multiple clusters in a global-dispersed federation of capture systems
Trusted / Threat IP Detection
Asset IP Monitoring
Packet Continuum enables identification, monitoring, viewing and automatic approval of Critical IPs (essential infrastructure) as well as Trusted Asset IPs (host IP addresses defined as safe).
From the Packet Continuum Log Manager or Sankey Graph, users can:
- Upload, view or delete lists of identified Asset IPs
- Set alerts based on identified assets
- Monitor / view sessions containing specified assets as the source or destination
- With one click, view detailed PCAP session information where an asset is identified
Threat IP Monitoring
Packet Continuum enables identification, monitoring, viewing, and mitigation of pre-defined Threat IPs as well as user-defined IPs. Packet Continuum comes pre-loaded with a known list of Threat IPs: malicious IPs previously identified by trusted sources such as US-CERT, for your protection.
From the Packet Continuum Log Manager or Sankey Graph, users can:
- Upload/enable, view or delete/disable lists of identified Threat IPs
- Set alerts based on identified Threat IPs
- Create Active Defense actions (via user criteria or Suricata rules) to be taken when a Threat IP is identified
- With one click, view detailed PCAP session information where a threat is identified
When a Threat IP is identified as present in a session, the system generates a severe alert and a pre-defined Active Defense action can be executed or, if one is not available, alert info can be sent to an external server.
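The Asset IP and Threat IP monitoring described in this section, as an added example (not Packet Continuum code): uploadable IP/CIDR lists that can be enabled or disabled as a whole, sessions checked in both directions, a severe alert when a Threat IP is present, and the hand-off to an Active Defense action when one is defined or to an external server when it is not. The list contents, session records, the `active_defense` hook and the external-server name are all constructed, using documentation-range addresses.

```python
"""Asset-IP and Threat-IP monitoring over session records, with a severe alert
and an Active Defense hook on threat hits. Added example, not Packet Continuum
code: list contents, session records, the hook and the external-server hand-off
below are all constructed (documentation-range addresses throughout)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class IPList:
    """An uploadable list of IPs/CIDRs that can be enabled or disabled as a whole."""
    name: str
    networks: list
    enabled: bool = True

    @classmethod
    def from_text(cls, name: str, text: str, enabled: bool = True) -> "IPList":
        nets = []
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()   # allow trailing comments
            if line:
                nets.append(ipaddress.ip_network(line, strict=False))
        return cls(name, nets, enabled)

    def contains(self, ip: str) -> bool:
        if not self.enabled:                      # a disabled list matches nothing
            return False
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)


@dataclass(frozen=True)
class Session:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


@dataclass
class Alert:
    severity: str
    session: Session
    tags: List[str]
    action: str


def evaluate(sess: Session, assets: IPList, threats: IPList,
             active_defense: Optional[Callable[[Session], str]] = None,
             external_server: Optional[str] = None) -> Optional[Alert]:
    """Check both endpoints of a session against the lists; None means nothing to report."""
    tags = []
    for role, ip in (("src", sess.src), ("dst", sess.dst)):
        if threats.contains(ip):
            tags.append(f"threat-{role}")
        if assets.contains(ip):
            tags.append(f"asset-{role}")
    if not tags:
        return None
    if any(t.startswith("threat-") for t in tags):
        severity = "severe"
        if active_defense is not None:            # pre-defined Active Defense action
            action = active_defense(sess)
        elif external_server is not None:         # otherwise hand the alert off
            action = f"alert forwarded to {external_server}"
        else:
            action = "logged only"
    else:
        severity = "info"                         # asset seen, no threat: monitor only
        action = "logged only"
    return Alert(severity, sess, tags, action)


def monitor(sessions: List[Session], assets: IPList, threats: IPList, **hooks) -> List[Alert]:
    results = [evaluate(s, assets, threats, **hooks) for s in sessions]
    return [a for a in results if a is not None]


# Constructed lists and sessions
ASSETS = IPList.from_text("assets", "10.0.0.0/24   # constructed: internal servers\n10.0.1.10\n")
THREATS = IPList.from_text("threats", "198.51.100.0/24  # constructed feed entry\n203.0.113.7\n")
SESSIONS = [
    Session("2024-01-01T00:00:01Z", "10.0.0.5", "203.0.113.7", 443, "tcp"),   # asset -> threat
    Session("2024-01-01T00:00:02Z", "10.0.2.9", "192.0.2.10", 80, "tcp"),     # nothing listed
    Session("2024-01-01T00:00:03Z", "198.51.100.23", "10.0.0.5", 22, "tcp"),  # threat -> asset
]

if __name__ == "__main__":
    for a in monitor(SESSIONS, ASSETS, THREATS, external_server="siem.example.invalid"):
        print(a.severity, a.tags, a.session.src, "->", a.session.dst, "|", a.action)
```

The tags keep the asset and threat findings separate on the same session, so an analyst pivoting from the alert sees at once whether a Critical IP was the source or the destination of the suspect traffic; disabling the threat list downgrades the same sessions to monitor-only asset events rather than silencing them.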