Packet capture (PCAP) is the act of capturing data packets crossing a computer network. Deep packet capture (DPC) is the act of capturing, at full network speed, complete network packets (e.g., header and payload) crossing a network with a high traffic rate. Once captured and stored, either in short-term memory or long-term storage, software tools can perform deep packet inspection (DPI) to review network packet data, perform forensics analysis to uncover the root cause of network problems, identify security threats, and ensure data communications and network usage complies with outlined policy. Some DPCs can be coupled with DPI and can as a result manage, inspect, and analyze all network traffic in real-time at wire speeds while keeping a historical archive of all network traffic for further analysis.
Typically, in order to configure a network device to perform PCAPs, one has to set up certain PCAP rules. Traditionally, setting up a remote packet capture is a manually intensive process that can only be run on the network devices with enough resources (e.g., CPU, memory, and storage) to do all the filtering and store the results on the machine where the PCAP is taking place. For example, an administrator must log into the device; the device must have a program to execute the packet capture; it must run the capture and store the results locally; and then, via a separate process, one must transfer the results (which may be large) from the remote device to a local device for additional analysis.
This may be difficult or impossible if the device does not have enough disk space to store the capture or the device is not remotely accessible. If one wants to run this process across multiple devices, for instance capturing across multiple access points (APs), she must repeat every step and then try to merge the results together. Finally, this process does not take place over a standard service, so accessing from remote devices may be difficult.