PCAP Capture and Storage

Packet capture (PCAP), also known as network packet capture, is the process of intercepting and logging traffic that passes through a computer network. When packets (data units) are transmitted over a network, they contain information such as the source and destination addresses, the type of protocol used, and the content of the packet.

A packet capture tool (such as Moloch or Arkime) captures these packets as they are transmitted through a network interface and saves them in a file for later analysis. Packet capture is a commonly used technique for network troubleshooting, performance monitoring, and security analysis. It allows network administrators to identify and diagnose issues such as network congestion, application errors, and security threats by inspecting real-time network traffic content or after an occurrence.

Feature Value

The ability to store incident PCAPs in the LogRhythm NDR database provides significant value to customers by enabling them to monitor and investigate network traffic to identify security threats and other issues. Storing the PCAPs allows customers to have a detailed record of all the network traffic that can be used for forensic analysis, troubleshooting, and compliance purposes.

By providing a configuration option to delete PCAP files from the database, customers can effectively manage the storage of these files, reducing the risk of data overload and ensuring that the database remains optimized for performance. This functionality enables customers to maintain the security and stability of their system, which is a critical aspect of any network monitoring solution.

The ability to store and manage PCAPs in the LogRhythm NDR database provides customers with enhanced visibility into their network traffic, which is crucial for identifying and mitigating security threats and other network issues.

Getting Started

For each case/incident, the LogRhythm NDR makes a REST API call to retrieve the relevant packet capture (PCAP) file. The API is called with specific parameter values, including the event UUID, entry source, and filename, to ensure that the correct file is retrieved.

Once the API call is made with the appropriate parameter values, the API returns the PCAP file associated with the specific event UUID, entry source, and filename. This functionality allows network administrators and security analysts to review specific network events captured by LogRhythm NDR for forensic analysis or troubleshooting purposes.

By providing this REST API functionality to its customers, LogRhythm NDR enables efficient and effective analysis of network traffic, enhancing the ability to detect and respond to security threats and other network issues.

REST API to get PCAP details

The URL endpoint provides the path to retrieve a specific PCAP file from Moloch, a network traffic analysis tool.

CODE

GET /getmolochpcap/{event_uuid}/{entry_source}/{filename}

The URL includes three main parameters, as follows:

Parameter	Description
{event_uuid}	A unique identifier that corresponds to a specific network event captured by LogRhythm NDR.
{entry_source}	The source of the security event. It corresponds to the PCAP file within Moloch, which can be a node in the Moloch cluster or an external source.
{filename}	The name of the PCAP file being retrieved.

Installation and Management

Installing Moloch version 2.4.2

To download the moloch_2.4.2-1_amd64.deb file from the specified URL in Ubuntu 20.04 using wget, enter the below command:
CODE
```
wget "https://s3.amazonaws.com/files.molo.ch/builds/ubuntu-20.04/moloch_2.4.2-1_amd64.deb"
```
Once the package is downloaded, install the downloaded package moloch_2.4.2-1_amd64.deb in Ubuntu using the following command:
CODE
```
sudo apt install ./moloch_2.4.2-1_amd64.deb
```
This command assumes that the moloch_2.4.2-1_amd64.deb file is present in the current directory. The sudo command is used to execute the installation command with administrative privileges, while apt install is the command to install the specified package using the Advanced Packaging Tool (APT) package manager.
To configure Moloch (with administrative privileges), use the following command:
CODE
```
sudo /data/moloch/bin/Configure
```
The above command enables Moloch with interface monitoring, Elasticsearch settings, password encryption, and optional GEO file download.
Follow the prompts and refer /data/moloch/README.txt for further setup instructions.
You will be prompted to specify the network interface.
Enter the network interface name and click Enter to continue.
Initialize the Elasticsearch Moloch configuration by using the following command:
CODE
```
/data/moloch/db/db.pl http://<ip>:9200 init
```
Change Elasticsearch to the tunnel IP address of that node in sudo nano /data/moloch/etc/config.ini.
Create an administrator user account for Moloch with the following command:
CODE
```
/data/moloch/bin/moloch_add_user.sh admin "Moloch SuperAdmin" <password> --admin
```
The Moloch service must be started immediately.
To start the molochcapture service and enable them to start the system reboot, use the following command:
CODE
```
systemctl enable --now molochcapture
```
To check the capture log, run the following command:
CODE
```
sudo tail -f /data/moloch/logs/capture.log
```
To check the Moloch version, run the following command:
CODE
```
/opt/moloch/bin/moloch-capture --version
```
For further details on how to install the packet capture tool, see https://www.howtoforge.com/how-to-install-arkime-full-packet-capture-tool-on-ubuntu-20-04/.

Moloch Dependency - Deprecation of Shared Library

Ubuntu 20.04 does not include libssl.so.1.0.0 by default, as it has been deprecated and replaced with newer versions of OpenSSL.

However, there are a few ways to install this library on Ubuntu 20.04. Two options are mentioned below:

Option 1: Install from a Package Repository

Add the Ubuntu 18.04 (Bionic) repository to your system by running the below command:
CODE
```
sudo add-apt-repository deb "http://security.ubuntu.com/ubuntu" bionic-security main
```
Update the package list with this command.
CODE
```
sudo apt-get update
```
Install the libssl1.0.0 package.
CODE
```
sudo apt-get install libssl1.0.0
```

Option 2: Download and Install Manually

Download the libssl1.0.0 package from the Ubuntu 18.04 repository.

CODE

wget "http://security.ubuntu.com/ubuntu"/pool/main/o/openssl1.0/libssl1.0.0_1.0.2n-1ubuntu5.6_amd64.deb

Install the package.

CODE

sudo dpkg -i libssl1.0.0_1.0.2n-1ubuntu5.6_amd64.deb

An older version of OpenSSL can pose security risks, as newer versions include bug fixes and security patches. A newer version of Moloch must be used that is compatible with the latest version of OpenSSL.

Enabling PCAP

To enable the PCAP feature in LogRhythm NDR, do the following:

Log in to LogRhythm NDR.
Click the Settings tab and then click Policy Management.
Select Feature Configuration.
Click the checkbox corresponding to the PCAP Enable option.
Click the Update button to enable the PCAP feature and update the change in the database.

Enabling the PCAP feature through the user interface provides customers with the ability to capture and store packet capture data in the LogRhythm NDR database. This empowers them to investigate network traffic, identify security threats, and address other network-related issues. By offering a simple and straightforward method to enable this feature, LogRhythm NDR enables its customers to maximize the effectiveness of their network monitoring solution.

Managing PCAP

The PCAP files are efficiently stored in the pcap_files PostgreSQL database. The pcap_files schema table has four columns, as follows:

Column	Description
`uid`	This is of the type `UUID` and has a default value of `gen_random_uuid()`, which generates a random UUID. It serves as the primary key for the table.
`name`	This is of the type `TEXT` and stores the name of the file.
`bin_data`	This is of type `BYTEA` and stores binary data.
`created_on`	This is of type `TIMESTAMP WITH TIME ZONE` and is set to the current timestamp with time zone by default, using the `now()` function. It is marked as `NOT NULL;` meaning, a value must be provided for this field during insertion.

The PCAP files are stored under a binary column named bin_data with the BYTEA data type. This storage method allows the efficient handling of huge files. The PCAP files are divided into smaller files and stored as binary data within the 'bin_data' column. This setup enables optimized storage and retrieval of PCAP files within PostgreSQL.

To ensure secure transmission and storage, a TLS (Transport Layer Security) encrypted connection can be established. In the configuration, the TLS encryption (ProbePGTLSEnabled) can be enabled or disabled by setting it to true or false, respectively.

If the TLS encryption is disabled (false), authentication is established with a username and password.
If the TLS encryption is enabled (true), authentication happens with the help of SSL certificates along with the username.

Frequently Asked Questions

Some of the most frequent questions are detailed in this section for better clarity.

FAQ	Answer
Is there a reason why some incidents or cases have a PCAP while others don’t?	The availability of PCAP details in specific incidents or cases can be determined by two key factors: The capture capabilities of the Moloch system and The presence of a community_id associated with the corresponding security event. LogRhythm NDR employs the Moloch software to generate PCAP files for its security events. However, the population of PCAP details is contingent upon the existence of a community_id for each security event. The underlying technical process involves performing a search for the community_id of a given security event within the Moloch indices. This search aims to identify a matching entry that corresponds to the specific security event being analyzed. Once a matching community_id is found, the raw PCAP file associated with that particular security event is processed. This processing typically involves extracting and cropping relevant packets from the raw PCAP file to isolate the PCAP file specific to the identified security event. Through this, LogRhythm NDR ensures that the resulting PCAP file contains only the network packets relevant to the analyzed security event. The availability of PCAP details in LogRhythm NDR's workflow depends on the capturing capabilities of the Moloch system and the presence of a community_id, which is used as a reference point to identify and process the appropriate PCAP file associated with a given security event.
Do we collect PCAPs on events generated from distributed analytics engine? If we do not, what is the reasoning?	We collect PCAPs for events generated from our distributed analytics engine. If an event has a community_id associated with it, we will provide PCAPs if the required PCAP data is available in the raw PCAP file.
Is there a default size for the PCAPs that are created?	When creating PCAP files, there is no default size specified. However, it is worth noting that in PostgreSQL, the maximum size for a BYTEA column is 1 GB. This implies that the bin_data column in the pcap_files table can accommodate binary data up to 1 GB. It is important to consider this limit when storing binary data in the bin_data column.
How does the system know when to start and stop recording?	In LogRhythm NDR, we utilize the Moloch software to capture packets. To initiate packet capture, we employ the molochcapture.service, which starts capturing packets immediately upon service startup. Similarly, when the service is stopped, packet capture ceases as well. LogRhythm NDR leverages the molochcapture service to generate incident PCAP files. These files are created by extracting the required packets from the larger raw PCAP files captured by the molochcapture service. The cropping process is facilitated by utilizing the packet positions stored in the indices created by the molochcapture service.
Is there a default maximum size of PostgreSQL database that the system will save PCAPs in before it begins to overwrite the data?	In PostgreSQL, there is no default maximum size set for a database that would trigger automatic overwriting of data. The size of a PostgreSQL database is determined by the available storage space on the system where the database is hosted. As long as there is sufficient storage capacity, the database can continue to store data without overwriting it. Insufficient storage capacity in PostgreSQL can lead to insertion errors, transaction failures, database corruption, and performance degradation.
What is the lifecycle of the PCAP files, so that we can come up with a procedure to retrieve them before they are unavailable?	The lifecycle of PCAP files in LogRhythm NDR is determined by the configuration values (IncidentPcapTimeRange and CasePcapTimeRange) set in the database for automatic PCAP deletion. The system provides two mclis, "incident-pcap-deletion" and "case-pcap-deletion", which handle the automated deletion of PCAP files. These mclis utilize time ranges specified in the global_config collection of the database to determine which files to delete, ensuring efficient management of PCAP storage.