Packet Continuum FAQs
Lossless Packet Capture and metadata generation
(application and indicators of compromise)
Correct, no PCAP will be lost during routine system maintenance.
The Packet Continuum operates in passive mode on the network via tap or SPAN ports.
The Packet Continuum can concurrently capture inbound and outbound PCAP for all traffic traversing the Internet Access Points you are spanning or tapping, including IPv6-based traffic.
Search / Query capabilities
The Packet Continuum, when properly configured based on average and peak capture rates, allows captured PCAP to be queryable for no less than 14 days and with a target of up to 30 days without capability degradation.
The Packet Continuum supports the ability to query many different metadata fields (times in UTC format), including Source IP, Source Port, Destination IP, Destination Port, IAP location (within a federation group or location), and directionality (ingress vs. egress), in any combination of parameters, including queries on IPv6-based packets.
The Packet Continuum supports various capture timelines, including beyond 30 days of PCAP and metadata retention, based on ingest time rather than on metadata fields.
The Packet Continuum does support federated queries, i.e. querying all deployed data repositories across all sites or across specific sites.
The Packet Continuum does allow users to access multiple federation managers to perform federated queries, at least 3 (one per capture device).
The Packet Continuum automatically ages packets and metadata off the system without system administrators having to manually prune data off the system.
Yes, the Packet Continuum supports pivoting from queries, and from internal or external events, to queries.
The Packet Continuum supports the ability for users to share PCAP requests and saved queries with other users without rerunning the query.
Performance Requirements
The Packet Continuum can perform with no system degradation with 30+ analysts logged in concurrently.
Packet capture does not degrade when running queries, whether by a single user or by all logged-in analyst users.
Typical response times will degrade only minimally when running multiple queries and/or with all potential users logged onto the system. Minimal degradation means no more than a 30% slowdown per active query (e.g., if a 1-day query returns in 10 s, 5 users each running a 1-day query should see results in NLT 22 s).
Interface Requirements
By default, users have the ability to perform queries against defined metadata fields from a single interface for all PCAP across all IAPs or capture points.
Correct, users will be able to query PCAP from a specific IAP or capture point.
Yes.
Yes, it does provide a single GUI from which to perform all actions.
Reliability Requirements
The Packet Continuum allows users to perform standard functions such as queries during routine updates/maintenance, excluding systems that are restarting.
The Packet Continuum will support scheduled software maintenance windows for each site/system, such that upgrades can be performed without loss of data ingest and only affecting queries on the affected boxes.
Yes.
Export, Integration, and API Requirements
Exports will be available in common PCAP formats. (Common PCAP formats are those that can be opened by common PCAP analysis tools such as Wireshark, tcpdump, and TShark.) Minimum requirement: ".pcap" and ".pcapng".
The Packet Continuum supports large PCAP downloads without technical or timeout issues. A large download is defined as >= 20 GB.
The Packet Continuum includes an Application Programming Interface (API) to conduct sensor health checks based on Linux tools.
The Packet Continuum does permit automated processes to securely interact with the system via the API for long periods of time without human-interactive authentication (e.g., using API keys).
The system will provide the ability for users to create watch lists, schedule daily runs, and share results between analysts.
The system will allow users to operate from the User Interface (UI) without the need to download the file locally.
Access Control Requirements
The Packet Continuum supports Single Sign-On (SSO). Users and administrators will not have to specify a username/password.
Yes, the Packet Continuum supports RSA token or PKI authentication for all user and administrator components, with the exception of automated system reporting or scheduled maintenance.
Yes, the Packet Continuum supports Role-Based Access Control (RBAC), to include admin users, analysts, and any other user types as defined by the program.
Operations and Maintenance
The Packet Continuum does provide a logging mechanism to capture metrics related to user queries.
The Packet Continuum does log the following values for each query: User, Query, Start Time, Completion Time, Size of Result Set.
The Packet Continuum does provide low/high/average query initiation-to-completion summaries by hour and by day.
The Packet Continuum does log the number of distinct queries and the total number of queries per day.
The Packet Continuum does have a utility that will display real-time performance, including queries. It includes:
(a) average query speed and
(b) estimated time to complete a query
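The query-audit answers above list the per-query values that are logged (user, query, start time, completion time, result-set size) and the summaries derived from them (low/high/average initiation-to-completion time by hour and by day, distinct and total queries per day). The script below is an added example of computing those summaries from such a log; it is not Packet Continuum's own code, and the pipe-delimited record layout and the sample records are constructed for illustration, not the product's real log format.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean

# Constructed sample query-audit records (assumed layout, not the product's real format):
# start_time|user|query|completion_time|result_set_bytes, timestamps in UTC.
SAMPLE_LOG = """\
2024-03-04T09:02:11Z|alice|src_ip=10.0.0.5 dst_port=443|2024-03-04T09:02:21Z|5242880
2024-03-04T09:15:40Z|bob|src_ip=10.0.0.5 dst_port=443|2024-03-04T09:15:58Z|5242880
2024-03-04T10:01:00Z|alice|dst_ip=192.0.2.10|2024-03-04T10:01:30Z|1073741824
2024-03-04T10:45:05Z|carol|dst_ip=192.0.2.10 direction=egress|2024-03-04T10:45:17Z|20971520
2024-03-05T08:30:00Z|bob|src_ip=10.0.0.5 dst_port=443|2024-03-05T08:30:09Z|4194304
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def _parse_ts(text):
    """Parse a UTC timestamp of the constructed log format into an aware datetime."""
    return datetime.strptime(text, TS_FORMAT).replace(tzinfo=timezone.utc)


def parse_log(text):
    """Turn log lines into records carrying the five logged values plus the query duration."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, user, query, end, size = line.split("|")
        start_ts, end_ts = _parse_ts(start), _parse_ts(end)
        records.append({
            "user": user,
            "query": query,
            "start": start_ts,
            "end": end_ts,
            "result_bytes": int(size),
            # initiation-to-completion time in seconds
            "duration": (end_ts - start_ts).total_seconds(),
        })
    return records


def duration_summary(records, bucket):
    """Low/high/average query duration per hour or per day.

    bucket is "hour" or "day"; returns {bucket_key: (low, high, average)} in seconds.
    """
    key_format = "%Y-%m-%d %H:00" if bucket == "hour" else "%Y-%m-%d"
    groups = defaultdict(list)
    for rec in records:
        groups[rec["start"].strftime(key_format)].append(rec["duration"])
    return {key: (min(d), max(d), mean(d)) for key, d in groups.items()}


def query_counts_per_day(records):
    """Number of distinct query strings and total number of queries per day."""
    per_day = defaultdict(list)
    for rec in records:
        per_day[rec["start"].strftime("%Y-%m-%d")].append(rec["query"])
    return {day: (len(set(queries)), len(queries)) for day, queries in per_day.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, (low, high, avg) in sorted(duration_summary(recs, "hour").items()):
        print(f"{key}  low={low:.0f}s high={high:.0f}s avg={avg:.1f}s")
    for day, (distinct, total) in sorted(query_counts_per_day(recs).items()):
        print(f"{day}  distinct={distinct} total={total}")
```

Bucketing is done on the start time, so a query that spans an hour boundary is attributed to the hour in which it was initiated; the same records feed both the hourly and the daily summaries, which is what keeps the two views consistent with each other.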
The Packet Continuum does support Simple Network Management Protocol (SNMP) version 3 for discovery and sending SNMP traps.
The Packet Continuum does generate SNMP traps for failure events and excess packet loss/throughput.
Yes.
The Packet Continuum does provide a centralized management and monitoring system for remote monitoring and remote management of all the hardware and software components that comprise the FPCAP system located at each IAP site.
The Packet Continuum federation manager feature has the capability to scale to monitor and manage up to 100 capture nodes from each federation manager group.
The Packet Continuum federation manager does have a centralized management capability for performing subsystem maintenance tasks from a common interface, which will include pushing operating system (OS)/firmware patches and upgrades.
The Packet Continuum does provide the capability to run queries against centrally located metadata about the packets stored remotely, so that analysts don't have to retrieve packets from remote sensors in order to do analysis.
The Packet Continuum does have a GUI that is accessible via a World Wide Web Consortium (W3C)/Internet Engineering Task Force (IETF)-compatible web browser, and web browser access shall support 2-factor authentication (i.e. CAC + Password).
Yes.
The Packet Continuum does support authentication, authorization and accounting (AAA) by having the capability to (1) identify an individual managing the subsystem, (2) confirm their authorization to perform system actions, and (3) log their actions on subsystem components.
The Packet Continuum does support RBAC to establish and limit access to critical subsystem components, services, and information, based on an administrator's job role and function.
The management interfaces of all components of the subsystem will support single sign-on (SSO) for AAA of management activity (maintenance, configuration, or any other activities performed on the subsystem components).
The Packet Continuum does support RBAC of management activity (maintenance, configuration, or any other activities performed on the subsystem components).
The Packet Continuum is capable of being configured for interoperability with the Active Directory (AD) subsystem for SSO, RBAC, and AAA.
Yes.
Yes.