Central PCAP Store

In many networks there is a need to keep signaling traffic for a limited time, e.g. to analyze roaming issues or to resolve billing disputes. With the capture client and capture server one can capture signaling traffic on the network element, or very close to it, but store it at a central location. Storing it centrally means storage is allocated only once, rotation and deletion are handled in one place, and when an issue comes up everybody knows where to fetch the traces from.

The capture client uses libpcap to capture the network traffic, and the capture filter is configured with the syntax known from tcpdump. The role of the capture server is to authenticate clients and then to store complete pcap files to storage. The server offers a zeromq interface that announces events (capture file rotation, client connect/disconnect) and forwards the traffic of selected or all clients. The latter can be used for further analysis, e.g. to store the results in a database such as Elasticsearch. The communication between capture client and capture server is TCP based and supports optional encryption through TLS, either in anonymous mode or based on X.509 certificates. Note that anonymous TLS encrypts the link but authenticates neither side, so it only protects against passive eavesdropping; where an active attacker on the path between capture client and server is a concern, use the X.509 mode. A picture can be seen below.
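The client/server split and the file rotation described above, as an added example that is not the project's code: a toy capture store in Python. The client streams a pcap global header followed by pcap records over plain TCP; the store checks the client name against an allow-list, writes each client's traffic into size-rotated, self-contained pcap files, and appends events to a list in place of publishing them on zeromq. The hello-line handshake (the page does not describe how the real server authenticates clients), the byte-count rotation, and the names `CaptureStore`, `capture_client` and `run_demo` are all assumptions of this example; TLS is left out. Packet data is a constructed placeholder frame.

```python
"""Toy central PCAP store: a capture client streams pcap records over TCP to a
store that checks the client name, writes size-rotated pcap files and records
events in a list (standing in for the zeromq publisher). Illustrative only."""
import os, socket, struct, tempfile, threading

PCAP_MAGIC = 0xA1B2C3D4                  # classic pcap, little-endian, microseconds
GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, tz, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len


def pcap_global_header(snaplen=65535, linktype=1):
    return GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts, data):
    sec = int(ts)
    return RECORD_HDR.pack(sec, min(int((ts - sec) * 1_000_000), 999_999),
                           len(data), len(data)) + data


class CaptureStore:
    """Server side. Assumed handshake (not the real project's authentication):
    the client's first line is its name, checked against an allow-list."""

    def __init__(self, directory, allowed_clients, rotate_bytes):
        self.directory, self.allowed = directory, set(allowed_clients)
        self.rotate_bytes, self.events, self.files = rotate_bytes, [], []

    def _open_file(self, name, global_hdr):
        path = os.path.join(self.directory, f"{name}-{len(self.files):04d}.pcap")
        out = open(path, "wb")
        out.write(global_hdr)                # each rotated file is a complete pcap
        self.files.append(path)
        self.events.append(("rotate", name, path))
        return out, len(global_hdr)

    def handle(self, conn):
        with conn, conn.makefile("rb") as stream:
            name = stream.readline().strip().decode("ascii", "replace")
            if name not in self.allowed:
                self.events.append(("reject", name))
                return
            self.events.append(("connect", name))
            global_hdr = stream.read(GLOBAL_HDR.size)
            if len(global_hdr) < GLOBAL_HDR.size or GLOBAL_HDR.unpack(global_hdr)[0] != PCAP_MAGIC:
                self.events.append(("bad-header", name))
                return
            snaplen, out, written = GLOBAL_HDR.unpack(global_hdr)[5], None, 0
            while True:
                rec_hdr = stream.read(RECORD_HDR.size)
                if len(rec_hdr) < RECORD_HDR.size:
                    break                        # client closed the connection
                _, _, incl_len, orig_len = RECORD_HDR.unpack(rec_hdr)
                if incl_len > snaplen or incl_len > orig_len:
                    self.events.append(("bad-record", name))   # untrusted lengths
                    break
                data = stream.read(incl_len)
                if len(data) < incl_len:
                    break
                if out is None or written + len(rec_hdr) + incl_len > self.rotate_bytes:
                    if out:
                        out.close()
                    out, written = self._open_file(name, global_hdr)
                out.write(rec_hdr + data)
                written += len(rec_hdr) + incl_len
            if out:
                out.close()
            self.events.append(("disconnect", name))


def capture_client(host, port, name, records):
    """Client side: hello line, pcap global header, then the records."""
    try:
        with socket.create_connection((host, port)) as s:
            s.sendall(name.encode() + b"\n" + pcap_global_header())
            for rec in records:
                s.sendall(rec)
    except ConnectionError:
        pass                                     # store hung up on a rejected client


def run_demo():
    """Rejected client, then an allowed one whose five 60-byte frames rotate into
    three files (threshold = global header + two records). Returns event kinds
    and the sizes of the files written."""
    frame = bytes(60)                            # constructed placeholder frame
    store = CaptureStore(tempfile.mkdtemp(prefix="pcap-store-"), {"client-a"},
                         GLOBAL_HDR.size + 2 * (RECORD_HDR.size + len(frame)))
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    port = srv.getsockname()[1]

    def serve(n):
        for _ in range(n):
            conn, _ = srv.accept()
            store.handle(conn)
        srv.close()

    t = threading.Thread(target=serve, args=(2,))
    t.start()
    capture_client("127.0.0.1", port, "unknown", [])
    capture_client("127.0.0.1", port, "client-a",
                   [pcap_record(1_700_000_000 + i, frame) for i in range(5)])
    t.join()
    return [e[0] for e in store.events], [os.path.getsize(p) for p in store.files]
```

`run_demo()` brings the store up on a loopback port, lets an unknown client get rejected, then stores five records from an allowed client as three complete pcap files (176, 176 and 100 bytes), returning the event sequence and file sizes. Two points carry over to a real deployment: every rotated file starts with its own global header so it opens in any pcap tool on its own, and the record lengths sent by a client are bounded against the advertised snaplen before they are used, because a malicious or buggy client controls them.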

The capture client, the capture server and an example of how to use the zeromq interface have been released as Free Software and are available from GitHub. The system is known to work on GNU/Linux and FreeBSD, and ready-to-use packages are offered for Debian, Ubuntu, openSUSE and CentOS.

[Figure pcap_server: Collect at the edge, collect and analyze]