
How to troubleshoot a security breach event with the EXA8

Several problems come up in network troubleshooting; this post focuses on two of them: missing the error or security breach event entirely, and capture files that are too large to analyse.

The EXA8 helps in both cases. Its rolling capture records continuously, 24/7, onto up to 1 TB of SSD storage; when the disk fills, the oldest data is overwritten automatically. For a typical office on a 10 to 50 Mbit/s WAN link that is several days or even weeks of history: a link saturated at 10 Mbit/s writes about 108 GB per day, so 1 TB covers roughly nine days even at full utilisation, and far longer at the average loads most offices actually see. If the event falls inside that retained window, select the time range on the graphical display and export it to a PCAP file. Compared with starting a manual capture after the fact, which records nothing of what already happened, that is a considerable advantage.

Full capture view

Still, if you select too large a time frame, the exported PCAP can be very large. The EXA8 therefore offers a second option to reduce the size of the exported file: the index feature. During capture it produces metadata about the traffic and stores it on the EXA8 alongside the raw data. The metadata records each packet's IP addresses, ports and protocol together with the packet's position in the raw capture file.

Selection of a time frame + the metadata of the selected time frame

The two features combine: select the relevant time frame, and the EXA8 produces a tabular metadata view of the Layer 3 information (and, for TCP and UDP, the ports) contained in that window. Pick the hosts and flows of interest from the table, and the exported PCAP shrinks to a manageable size.

This table shows all L3 metadata captured in the selected time frame

The index filter can also be applied to everything currently on disk rather than to a time window. Even then the export stays fast, because the index records each packet's position in the raw capture files, so the EXA8 seeks directly to the matching packets instead of re-reading the whole capture.

A third way to narrow down the traffic is to apply a tcpdump filter expression (BPF syntax) during the export.

The workflow is: time frame -> L3 index -> tcpdump filter.
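The time frame -> index -> export workflow above, as an added Python example that is not part of the original post and not the EXA8's own software: it builds a small constructed pcap in memory, indexes it in one pass (timestamp, addresses, protocol, ports and the byte offset of each record), selects a time window plus an L3/L4 match from the index, and exports only the matching packets by seeking to their offsets. The frame builder, the TEST-NET addresses and the "suspicious" outbound flow to port 4444 are assumptions made for the demonstration.

```python
import io
import ipaddress
import struct

# Constructed example data and example code; not the EXA8's indexing code.
PCAP_GLOBAL_HDR = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
PCAP_RECORD_HDR = 16   # ts_sec, ts_usec, incl_len, orig_len


def build_frame(src_ip, dst_ip, proto, sport, dport, payload=b"x" * 16):
    """Assemble a minimal Ethernet/IPv4/{TCP,UDP} frame (checksums left at zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                     # zeroed MACs, EtherType IPv4
    if proto == 6:                                       # TCP: 20-byte header, ACK|PSH
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 0, 0, 0) + payload
    else:                                                # UDP: 8-byte header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + l4


def write_pcap(records):
    """Serialise (timestamp_seconds, frame) pairs as a little-endian libpcap file."""
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))  # linktype 1 = Ethernet
    for ts, frame in records:
        sec = int(ts)
        out.write(struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)))
        out.write(frame)
    return out.getvalue()


def build_index(pcap):
    """One pass over the raw capture: L3/L4 metadata plus each record's offset and length."""
    index, off = [], PCAP_GLOBAL_HDR
    while off + PCAP_RECORD_HDR <= len(pcap):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + PCAP_RECORD_HDR: off + PCAP_RECORD_HDR + incl]
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":   # IPv4 only in this example
            ihl = (frame[14] & 0x0F) * 4
            proto, l4 = frame[23], 14 + ihl
            sport = dport = None
            if proto in (6, 17) and len(frame) >= l4 + 4:     # ports lead both TCP and UDP headers
                sport, dport = struct.unpack_from("!HH", frame, l4)
            index.append({"ts": sec + usec / 1e6,
                          "src": str(ipaddress.IPv4Address(frame[26:30])),
                          "dst": str(ipaddress.IPv4Address(frame[30:34])),
                          "proto": proto, "sport": sport, "dport": dport,
                          "offset": off, "len": PCAP_RECORD_HDR + incl})
        off += PCAP_RECORD_HDR + incl
    return index


def select(index, t_start=None, t_end=None, **match):
    """Step 1: time window. Step 2: L3/L4 field match, e.g. dst="198.51.100.9", dport=4444."""
    rows = []
    for r in index:
        if t_start is not None and r["ts"] < t_start:
            continue
        if t_end is not None and r["ts"] > t_end:
            continue
        if all(r.get(k) == v for k, v in match.items()):
            rows.append(r)
    return rows


def summarize(rows):
    """Per-flow packet counts: the tabular view scanned before choosing what to export."""
    table = {}
    for r in rows:
        key = (r["src"], r["dst"], r["proto"], r["dport"])
        table[key] = table.get(key, 0) + 1
    return table


def export(pcap, rows):
    """Copy only the selected records by offset; the raw capture is never re-parsed."""
    out = io.BytesIO()
    out.write(pcap[:PCAP_GLOBAL_HDR])
    for r in rows:
        out.write(pcap[r["offset"]: r["offset"] + r["len"]])
    return out.getvalue()


def demo():
    """Constructed capture: normal HTTPS and DNS plus an assumed outbound flow to port 4444."""
    frames = [
        (1000.0, build_frame("10.0.0.5", "203.0.113.10", 6, 51000, 443)),
        (1001.5, build_frame("10.0.0.5", "10.0.0.53", 17, 40000, 53)),
        (1002.0, build_frame("10.0.0.7", "198.51.100.9", 6, 51001, 4444)),
        (1003.0, build_frame("10.0.0.5", "203.0.113.10", 6, 51000, 443)),
        (1100.0, build_frame("10.0.0.7", "198.51.100.9", 6, 51001, 4444)),  # outside the window
    ]
    pcap = write_pcap(frames)
    index = build_index(pcap)
    rows = select(index, t_start=1000, t_end=1010, dst="198.51.100.9")
    return pcap, index, rows, export(pcap, rows)


if __name__ == "__main__":
    pcap, index, rows, reduced = demo()
    for flow, count in summarize(index).items():
        print(flow, count)
    print(f"full capture {len(pcap)} bytes -> reduced export {len(reduced)} bytes, {len(rows)} packet(s)")
```

The index is a side table far smaller than the capture, and because it carries each record's byte offset, the export step copies bytes by position without parsing the raw file again, which is why the page can claim that even an index query over everything on disk exports quickly. The third step of the workflow, the tcpdump filter, can be applied to the reduced file with tcpdump's read and write options, for example `tcpdump -r reduced.pcap -w final.pcap 'host 198.51.100.9 and port 4444'`.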

Rolling Capture & Indexing for Network Troubleshooting

Learn more about the EXA8

Cubro Network Visibility