How to troubleshoot a security breach event with EXA8
Several problems arise when performing network troubleshooting; in today's post we will focus on two main issues. First, missing the error or security breach event entirely, and second, capture files too large for analysis.
The EXA8 can help in both of these cases. The rolling capture is a 24/7 continuous capture with up to 1 TB of SSD storage space. Once the storage space is fully occupied, the system automatically overwrites the oldest data. For a typical office with a 10 to 50 Mbit/s WAN connection, the EXA8 retains enough history for several days' or even weeks' worth of traffic. If you are lucky enough to locate the event within a particular time window, you can select that window on the graphical display and export it to a PCAP file. This is a considerable advantage compared to a manual capture.
Still, if you select too large a time frame, the exported PCAP can be very large. So the EXA8 offers a second, newer option to help reduce the size of the exported file: the Index feature. This feature produces meta-information about the traffic during capture, which is also stored on the EXA8. This metadata contains the IP addresses, ports, and protocol of each packet, together with the packet's position in the raw capture file.
It is now possible to combine these two features: select the relevant time frame, and the EXA8 produces a tabular metadata view of the Layer 3 information contained in that specific window. From this view, the exported PCAP can be reduced to a reasonable size.
The Index filter can also be used to display L3 information for all data currently written to disk; the exports remain very fast because the index already records each packet's position in the raw files.
A third feature for narrowing down the traffic is the use of tcpdump filters during the export procedure.
The workflow looks like this: time frame -> L3 index -> tcpdump filter.
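The following Python is an added illustration of the workflow above, not EXA8's own code: it models a packet index (timestamp, L3/L4 tuple, offset and length in the raw file), narrows by time window and then by L3 fields, and exports the matching packets straight from their stored offsets without re-parsing the capture. The record format, field names and the sample packets are all constructed for the example.

```python
import struct
from dataclasses import dataclass

# One index row per captured packet: metadata plus where the packet lives in the raw file.
@dataclass(frozen=True)
class IndexEntry:
    ts: float
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    offset: int   # byte position of the record in the raw capture
    length: int   # total record length (header + payload)

# Constructed sample traffic: (timestamp, src, dst, proto, sport, dport, payload).
SAMPLE_PACKETS = [
    (1001.0, "192.168.1.10", "10.0.0.5", "tcp", 51000, 443, b"tls-client-hello"),
    (1002.0, "192.168.1.11", "8.8.8.8", "udp", 40000, 53, b"dns-query"),
    (1004.0, "192.168.1.10", "10.0.0.5", "tcp", 51000, 443, b"tls-app-data"),
    (1020.0, "192.168.1.10", "10.0.0.5", "tcp", 51001, 443, b"late-packet"),
]

def build_capture(packets):
    """Write packets into a raw buffer and build the index while capturing (assumed record format)."""
    raw, index = bytearray(), []
    for ts, src, dst, proto, sport, dport, payload in packets:
        # Assumed on-disk record: 8-byte timestamp + 4-byte payload length + payload.
        record = struct.pack(">dI", ts, len(payload)) + payload
        index.append(IndexEntry(ts, src, dst, proto, sport, dport, len(raw), len(record)))
        raw += record
    return bytes(raw), index

def select(index, t_start, t_end, **l3):
    """Step 1: restrict to the time window. Step 2: match any given L3/L4 fields (src, dst, proto, sport, dport)."""
    return [e for e in index
            if t_start <= e.ts <= t_end
            and all(getattr(e, field) == value for field, value in l3.items())]

def export(raw, entries):
    """Step 3: copy only the selected records out of the raw file using the indexed offsets."""
    return b"".join(raw[e.offset:e.offset + e.length] for e in entries)

def demo():
    """Narrow a 96-byte capture to the TCP/443 packets in one window; returns (full size, export size, hits)."""
    raw, index = build_capture(SAMPLE_PACKETS)
    hits = select(index, 1000.0, 1010.0, dst="10.0.0.5", proto="tcp")
    return len(raw), len(export(raw, hits)), hits

if __name__ == "__main__":
    full, exported, hits = demo()
    print(f"raw capture {full} bytes -> export {exported} bytes ({len(hits)} packets)")
```

On a real appliance the final tcpdump-style filter would be applied to the exported packets; here the L3 field match plays that role on the index rows.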
Learn more about the EXA8