The ability to capture, archive, search, and retrieve network traffic is essential to cybersecurity investigative processes. Unfortunately, existing capture processes have not scaled as readily as network speeds have increased. The difficulty lies not in the initial capture and archival steps, but in searching and retrieving packets from the massive volume of captured data. Various solutions have attempted to alleviate this problem with different indexing methods, but search and retrieval remain inefficient and tedious given the storage medium on which the captured data resides.
FIG. 1, for example, is a flow diagram 100 illustrating a conventional process for capturing packets. In this process, packets are retrieved from an interface at 105 and stored in memory at 110. Although potentially optional, indexes identifying what traffic has occurred are built at 115. These packets and indexes are then written to a disk at 120. In the conventional packet capture process, the packets must be retrieved from the interface and processed fast enough to prevent the kernel or interface from dropping them. While this process places relatively little load on the central processing unit (the “CPU”) and memory, the sustained sequential disk writes, combined with the random-access reads generated by search and retrieval, place a significant strain on the system’s disk input/output (the “I/O”).
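The following is an added illustration, not part of the original disclosure, that models the conventional pipeline of FIG. 1 in Python: packets are buffered in memory (110), an index keyed on (source, destination) is built (115), and packets plus index are written out as a pcap stream (120). It then contrasts indexed retrieval, which seeks into the file at the recorded offsets, with an unindexed linear scan. The packet contents, addresses, and file layout are constructed for the example; the pcap header formats used are the standard ones.

```python
import io
import struct
import tempfile
from collections import defaultdict

# Added example (not from the original disclosure): a minimal model of the
# conventional capture pipeline of FIG. 1 and of retrieval against its output.

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_RAW = 101          # raw IPv4 packets, no link-layer header
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16


def pcap_global_header(snaplen=65535, linktype=LINKTYPE_RAW):
    """pcap file header: magic, version 2.4, zone, sigfigs, snaplen, linktype."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def ipv4_packet(src, dst, proto=17, payload=b""):
    """Constructed IPv4 header plus payload for the example (checksum left 0)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, 64, proto, 0, src_b, dst_b)
    return hdr + payload


def capture_to_file(packets, fp):
    """Steps 110-120: buffer records in memory, build the index, write to fp.
    packets: iterable of (timestamp_seconds, raw_ipv4_bytes).
    Returns the index {(src, dst): [(file_offset, record_length), ...]}."""
    index = defaultdict(list)
    buf = io.BytesIO()                       # in-memory staging (110)
    buf.write(pcap_global_header())
    for ts, pkt in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        record = struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt
        src = ".".join(str(b) for b in pkt[12:16])
        dst = ".".join(str(b) for b in pkt[16:20])
        index[(src, dst)].append((buf.tell(), len(record)))   # index (115)
        buf.write(record)
    fp.write(buf.getvalue())                 # sustained sequential write (120)
    fp.flush()
    return dict(index)


def retrieve(fp, index, src, dst):
    """Indexed retrieval: one seek plus one read per matching record, i.e. the
    random-access read pattern that competes with capture writes for disk I/O.
    Returns [(timestamp, packet_bytes), ...] in capture order."""
    results = []
    for offset, length in index.get((src, dst), []):
        fp.seek(offset)
        rec = fp.read(length)
        sec, usec, caplen, _ = struct.unpack("<IIII", rec[:RECORD_HEADER_LEN])
        results.append((sec + usec / 1e6,
                        rec[RECORD_HEADER_LEN:RECORD_HEADER_LEN + caplen]))
    return results


def scan(fp, src, dst):
    """Unindexed retrieval: read every record and filter. Same answer as
    retrieve(), but cost grows with the whole capture, not the match set."""
    results = []
    fp.seek(GLOBAL_HEADER_LEN)
    while True:
        hdr = fp.read(RECORD_HEADER_LEN)
        if len(hdr) < RECORD_HEADER_LEN:
            return results
        sec, usec, caplen, _ = struct.unpack("<IIII", hdr)
        pkt = fp.read(caplen)
        if (".".join(str(b) for b in pkt[12:16]) == src
                and ".".join(str(b) for b in pkt[16:20]) == dst):
            results.append((sec + usec / 1e6, pkt))


# Constructed sample traffic: three packets, two from 10.0.0.1 to 10.0.0.2.
SAMPLE_PACKETS = [
    (1.0, ipv4_packet("10.0.0.1", "10.0.0.2", payload=b"a")),
    (1.5, ipv4_packet("10.0.0.3", "10.0.0.2", payload=b"bb")),
    (2.0, ipv4_packet("10.0.0.1", "10.0.0.2", payload=b"ccc")),
]


def demo(packets=SAMPLE_PACKETS):
    """Write the sample capture to a temporary file and retrieve one flow both
    ways. Returns (index, indexed_hits, scanned_hits)."""
    with tempfile.TemporaryFile() as fp:
        index = capture_to_file(packets, fp)
        hits = retrieve(fp, index, "10.0.0.1", "10.0.0.2")
        scanned = scan(fp, "10.0.0.1", "10.0.0.2")
    return index, hits, scanned


if __name__ == "__main__":
    idx, hits, scanned = demo()
    print(idx)
    print([p[20:] for _, p in hits], hits == scanned)
```

The index here lives in memory only; in a real deployment it is written beside the capture at step 120, and every retrieval that consults it turns into the seek-and-read pattern shown in `retrieve()`, which is the load the disk must absorb alongside the continuous capture writes.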
Thus, an alternative approach for capturing packets may be beneficial.