What’s a packet capture?

Packet capturing involves collecting data packets as they travel across a network. Deep Packet Capture (DPC) captures the entire packet, including the data payload. Packet capture can occur on any layer above the physical layer, and can be filtered to conserve resources. Packet capture is used for intrusion detection, data security, and network performance analysis. Packet capture programs include Wireshark and WinPcap.

Packet capturing is simply the process of capturing data packets as they travel across a computer network. With normal packet capture, only ancillary data contained in a packet header is collected, such as address information or packet Internet Protocol (IP) format. In the case of Deep Packet Capture (DPC), the entire packet is captured, both the header information and the actual data payload. The process is also often referred to as packet sniffing.

Whatever the packet capture method, the process can take place on any of the layers of the Open Systems Interconnection (OSI) model above layer one, the physical layer, since the physical layer only works with bits in the form of electrical signals. Packet capture does not occur until the streams of ones and zeros are converted back into data packets that can be collected. On a given network interface, collection can only occur for packets destined for the address that belongs to that interface, unless the interface is configured for so-called promiscuous mode. A promiscuous network interface is capable of capturing not only its own packets, but also those intended for other hosts on the same segment.

When a network administrator wants to capture packets from a network interface, he has the option of a full collection or a filtered collection. A complete collection has no boundaries, so all packets traversing the interface are captured. When packets are filtered, however, they are evaluated as they traverse the interface and only those packets that meet specific criteria are collected. This allows the administrator to store only the types of packets he is interested in, or packets going to certain addresses. Filtered collections also conserve hardware resources and can be used to retain packets that may later be needed as evidence.

There are many purposes behind packet capture, all of which revolve around the notion of Deep Packet Inspection (DPI). When packets are captured, they are inspected and analyzed for many reasons, most of which relate to intrusion detection, data security and integrity, or network performance, although there are some nefarious purposes of packet capture. As a result, strong privacy concerns can arise when considering thorough packet capture and inspection.

When the analysis process needs to take place, it can happen immediately, as packets are actually moving across the interface, so that packet capture and inspection software can make decisions in real time. Alternatively, captured packets can be stored on a computer's hard drive indefinitely. In the case of real-time analysis, packets can only be evaluated against known security issues or problems, while when collected in storage, they can be analyzed later by data forensics specialists to help determine when or how a security breach has occurred.

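
The following Python script is an added example, not code from the original article or from any of the tools it mentions. It ties together three of the ideas above: the distinction between ancillary header data and the full payload (normal capture versus Deep Packet Capture), full versus filtered collection, and real-time evaluation of payloads against known patterns. The sample pcap file, the IP addresses, and the signature table are all constructed here so the script runs offline; the pcap layout (24-byte global header, 16-byte per-record header) is the standard libpcap format, and checksums are left at zero because nothing transmits these frames.

```python
import struct

# Added example (not from the original article): a minimal libpcap-format
# reader with header-only vs. deep (payload) collection, a filter, and a
# signature check over the payloads. All sample frames are constructed here
# so the script runs offline; checksums are left zero because nothing
# transmits these frames.

def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Build an Ethernet/IPv4/TCP frame (constructed test data)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Wrap frames in a little-endian pcap file: 24-byte global header, then
    a 16-byte record header (ts_sec, ts_usec, incl_len, orig_len) per frame."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)

def parse_pcap(data):
    """Yield (timestamp, frame bytes) for each record; handles either byte order."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        yield ts_sec, data[offset:offset + incl_len]
        offset += incl_len

def parse_headers(frame):
    """Decode the ancillary header fields of an IPv4/TCP frame, plus the payload
    (the part only a deep capture keeps). Returns None for non-IPv4 frames."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    rec = {"src": ".".join(map(str, frame[26:30])),
           "dst": ".".join(map(str, frame[30:34])),
           "proto": frame[23], "sport": None, "dport": None, "payload": b""}
    if rec["proto"] == 6:
        tcp = 14 + ihl
        rec["sport"], rec["dport"] = struct.unpack_from("!HH", frame, tcp)
        data_off = (frame[tcp + 12] >> 4) * 4
        rec["payload"] = frame[tcp + data_off:]
    return rec

def capture(data, dst=None, dport=None, deep=False):
    """Full or filtered collection. With deep=False only header fields are kept;
    with deep=True the payload is retained as well (Deep Packet Capture)."""
    kept = []
    for ts, frame in parse_pcap(data):
        rec = parse_headers(frame)
        if rec is None:
            continue
        if dst is not None and rec["dst"] != dst:
            continue
        if dport is not None and rec["dport"] != dport:
            continue
        rec["ts"] = ts
        if not deep:
            del rec["payload"]
        kept.append(rec)
    return kept

# Constructed detection signatures (placeholders, not a real rule set).
SIGNATURES = {"sensitive-file-request": b"/etc/passwd"}

def inspect(records, signatures=SIGNATURES):
    """Real-time style check: match each retained payload against known patterns
    and return (dst, dport, signature name) for every hit."""
    hits = []
    for rec in records:
        for name, pattern in signatures.items():
            if pattern in rec.get("payload", b""):
                hits.append((rec["dst"], rec["dport"], name))
    return hits

# Constructed sample capture: one HTTP request and one empty SSH segment.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.2", "10.0.0.5", 40001, 80, b"GET /etc/passwd HTTP/1.1\r\n"),
    build_frame("10.0.0.2", "10.0.0.9", 40002, 22, b""),
])

if __name__ == "__main__":
    print(capture(SAMPLE_PCAP))                       # header-only, full collection
    print(capture(SAMPLE_PCAP, dport=80, deep=True))  # filtered, with payload
    print(inspect(capture(SAMPLE_PCAP, deep=True)))   # signature hits
```

Note that `inspect` finds nothing when run over a header-only capture: a signature that lives in the payload can only be matched by a deep capture, which is exactly the trade-off the article describes between conserving storage and retaining enough data for later forensic work.
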
There are a number of packet capture programs available. Some network hardware manufacturers include the functionality in their devices, such as the packet capture capabilities built into the Internetwork Operating System (IOS) provided on Cisco Systems® hardware. Packet sniffers exist in many forms, from simple collection to more detailed analysis. Many of the most popular packet sniffers are open source software projects like Wireshark and WinPcap, which not only capture packets but also handle packet inspection and parsing tasks. They are updated frequently by a diverse community to keep up with the latest security issues.