This feature is similar to a wiretap, only you are
tapping your own Internet connection. You can think of
it as attaching a tape recorder to your phone in order
to record your own conversations.
Caution: This feature saves all the network traffic
to the disk, including information that may be sensitive. For example,
many services still send passwords in plain text (not encrypted),
so capturing the network traffic will save those passwords, readable by anyone
who obtains the file, to the disk. See the advICE section on sniffing
for more information.
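The practical consequence of the caution above is that a trace file should be checked for cleartext credentials before it is handed to anyone. The following Python example is added here and is not part of the original page or of the Network ICE product: it scans the raw bytes of a capture for two common patterns (a "PASS" command as used by FTP and POP3, and an HTTP "Authorization: Basic" header, which is only base64-encoded, not encrypted) and overwrites each secret with X's of the same length so that the file's record lengths stay intact. The sample capture bytes are constructed, and the 18-byte "record header" in front of each payload is a stand-in, not the real Sniffer record layout.

```python
import base64
import binascii
import re
from dataclasses import dataclass

# Constructed sample of what sits inside a trace file: application payloads are
# stored verbatim behind per-frame binary record headers. The header bytes here
# are stand-ins, not the real Sniffer record layout.
SAMPLE_CAPTURE = (
    b"\x00\x04\x00\x40" + b"\x00" * 14
    + b"USER alice\r\nPASS hunter2\r\n"
    + b"\x00\x04\x00\x60" + b"\x00" * 14
    + b"GET /private/ HTTP/1.0\r\n"
    + b"Authorization: Basic YWRtaW46c2VjcmV0\r\n\r\n"    # base64 of "admin:secret"
)

# Group 1 of each pattern is the secret itself, so it can be located and redacted.
PATTERNS = (
    ("cleartext PASS command (FTP/POP3 style)",
     re.compile(rb"\bPASS[ \t]+([^\r\n]+)", re.IGNORECASE)),
    ("HTTP Basic credentials",
     re.compile(rb"Authorization:[ \t]*Basic[ \t]+([A-Za-z0-9+/=]+)", re.IGNORECASE)),
)


@dataclass
class Finding:
    kind: str
    offset: int     # byte offset of the secret inside the trace file
    secret: bytes   # the bytes exactly as they appear on disk
    decoded: str    # human-readable form


def decode_secret(kind, secret):
    """Basic auth is base64, not encryption: decoding shows the real user:password."""
    if kind.startswith("HTTP Basic"):
        try:
            return base64.b64decode(secret, validate=True).decode("latin-1")
        except (binascii.Error, ValueError):
            return "<malformed base64>"
    return secret.decode("latin-1")


def find_plaintext_credentials(data):
    """Return every credential found in the raw capture bytes, ordered by offset."""
    findings = []
    for kind, pattern in PATTERNS:
        for m in pattern.finditer(data):
            findings.append(Finding(kind, m.start(1), m.group(1),
                                    decode_secret(kind, m.group(1))))
    findings.sort(key=lambda f: f.offset)
    return findings


def redact(data):
    """Overwrite each secret with X's of the same length. Keeping the length
    unchanged keeps the record length fields in the file correct, so the
    redacted trace still loads in a protocol analyzer."""
    buf = bytearray(data)
    for f in find_plaintext_credentials(data):
        buf[f.offset:f.offset + len(f.secret)] = b"X" * len(f.secret)
    return bytes(buf)


if __name__ == "__main__":
    for f in find_plaintext_credentials(SAMPLE_CAPTURE):
        print(f"offset {f.offset}: {f.kind}: {f.decoded}")
    assert len(redact(SAMPLE_CAPTURE)) == len(SAMPLE_CAPTURE)
```

Two patterns are only a starting point; a real pre-release check should cover whichever cleartext protocols are in use on the monitored link (Telnet, IMAP, HTTP form posts, and so on), and the scan should be run on the file, not on a protocol analyzer's decoded view, so that nothing is hidden by a decoder that does not recognise the traffic.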
There are three key points to remember with PacketLog:
- It is the only way to conclusively determine what exactly happened.
- It can eat up a lot of disk space and slow down your computer.
- The resulting information can only be interpreted by experts.
Video tape surveillance
The best way to illustrate the value of PacketLog is to understand
the difference between tennis referees and video tape instant replay.
The referees are usually good enough, but they aren't always right,
and you can argue with their calls. On the other hand, video tapes
are absolutely accurate.
In much the same way, the product sifts through the traffic and tries
to retain only the most important bits. This works well in most cases,
but sometimes more information is needed to understand an event.
Therefore, if you want to diagnose exactly what happened,
turn on PacketLog (read the performance information below!).
In particular, if you are interested in prosecuting hackers in court,
a complete packet capture is among the strongest evidence you could have
against a hacker, provided the log files are preserved unmodified from
the moment they were written.
Performance issues
The reason PacketLog isn't turned on by default is that there are some
significant performance issues involved. The first issue is disk space:
all of the traffic is saved to the disk. Therefore, if you download a 10-megabyte
file from the Internet, you will need at least 10 megabytes (slightly more,
since the packet and record headers are stored too) in order to
record the capture. The second issue is speed: all your network
traffic is being written to the disk all the time. This probably doesn't matter
for dialup lines and fast machines, but it can become noticeable on
faster Ethernet and cable-modem connections.
A third issue to remember is that, in theory, logging all the network
traffic can fill up the disk drive. However, the PacketLog feature is
designed to create a "round robin" buffer. What this means is that it
reserves 10 log files by default. Once the tenth file fills up, it
starts over again at the first file, overwriting it. The disk space used
therefore never exceeds the number of files times the file size, but the
oldest traffic is lost first, so an event you want to keep must be copied
out of the buffer before it is overwritten.
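To make the round robin behaviour concrete, here is an added Python model of such a buffer. It is illustrative code written for this page, not Network ICE's implementation: the file naming (`packetlogNN.enc`), the `RoundRobinLog` class and the `demo` helper are assumptions, and real trace files would additionally carry the capture format's file header, which this model leaves out. The records pushed through the ring in `demo` are constructed, numbered byte strings, so that afterwards it is possible to see exactly which ones were overwritten.

```python
import os
import shutil
import tempfile


class RoundRobinLog:
    """Fixed-footprint capture log: up to `max_files` files of at most
    `max_size` bytes each. When the last file fills up, writing wraps back
    to file 0 and overwrites it, so disk use never exceeds
    max_files * max_size, at the cost of losing the oldest traffic first."""

    def __init__(self, directory, max_files=10, max_size=1400 * 1024):
        self.directory = directory
        self.max_files = max_files
        self.max_size = max_size
        self.index = 0      # slot currently being written
        self.wraps = 0      # times the ring has come back around to slot 0
        os.makedirs(directory, exist_ok=True)
        self._fh = self._open(0)

    def path(self, i):
        # Hypothetical naming; the product's real file names are not given here.
        return os.path.join(self.directory, f"packetlog{i:02d}.enc")

    def _open(self, i):
        # "wb" truncates, so reusing a slot discards the old capture in it.
        # A real writer would also emit the trace-file header at this point.
        return open(self.path(i), "wb")

    def capacity(self):
        """Upper bound on disk use: files times size."""
        return self.max_files * self.max_size

    def write(self, record):
        if len(record) > self.max_size:
            raise ValueError("record larger than a single log file")
        if self._fh.tell() + len(record) > self.max_size:
            self._fh.close()
            self.index = (self.index + 1) % self.max_files
            if self.index == 0:
                self.wraps += 1
            self._fh = self._open(self.index)
        self._fh.write(record)
        self._fh.flush()

    def close(self):
        self._fh.close()

    def footprint(self):
        """Bytes actually on disk across all slots that exist."""
        return sum(os.path.getsize(p)
                   for p in (self.path(i) for i in range(self.max_files))
                   if os.path.exists(p))


def demo(max_files=3, max_size=100, records=40, record_size=30):
    """Push numbered fixed-size records (constructed input) through a small
    ring and report the footprint, the number of wraps, and which record
    numbers survived in the files."""
    directory = tempfile.mkdtemp(prefix="packetlog-")
    log = RoundRobinLog(directory, max_files, max_size)
    try:
        for k in range(records):
            log.write(f"rec{k:05d} ".encode().ljust(record_size, b"."))
        log.close()
        survivors = []
        for i in range(max_files):
            if not os.path.exists(log.path(i)):
                continue
            with open(log.path(i), "rb") as fh:
                data = fh.read()
            for j in range(0, len(data), record_size):
                survivors.append(int(data[j + 3:j + 8]))
        return {
            "capacity": log.capacity(),
            "footprint": log.footprint(),
            "wraps": log.wraps,
            "survivors": sorted(survivors),
        }
    finally:
        shutil.rmtree(directory)


if __name__ == "__main__":
    print(demo())
```

With three 100-byte slots and 30-byte records, each slot holds three records, forty records wrap the ring four times, and only records 33 through 39 are left on disk: everything earlier has been overwritten. That is the trade-off to keep in mind when sizing the buffer for a link whose traffic you may later need as evidence.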
Expert analysis
The log files are stored in Sniffer tracefile format. This
is the most common file format used by experts to record network traffic.
Network ICE does not provide utilities for analyzing the contents of these
files. Such utilities (called protocol analyzers) are fairly complex
and difficult to use. We intend for these log files to be sent to experts
who have the tools necessary to decode the traffic.
How to turn on PacketLog
The steps below show how to enable logging.
In this example, we've chosen to create a buffer of ten 1.4-megabyte
files. This creates a round robin buffer that always holds
the last 14 megabytes worth of traffic. We typically recommend
this file size because each file can be saved to a floppy disk, though
in practice you'll probably e-mail such files or write them to
CD-ROM.
The steps are:
- Pull down the main menu
- Select "Configure"
- In the multi-tab dialog box that appears, select "Packet Log".
- Make sure the "Logging enabled" checkbox is checked
- Select a "Maximum size" for the files, in kilobytes. For example,
1400 kilobytes equals 1.4 megabytes.
- Select the appropriate "Maximum number of files" you want in the
buffer. The default is 10 files. This number multiplied by
the "Maximum size" determines the amount of disk space the logging
will use. In this example, it will take up 10 times 1400 kilobytes, which
equals roughly 14 megabytes total disk space.
- Hit "OK".
Note
We are always interested in seeing logs from customers. It helps
us build a better product because we are able to compare the product's
output against real-life traffic from a wide variety of situations.
We have set up a mailbox "packetlog@networkice.com" to receive
customer submissions. This mailbox is totally automated and you
will not receive a reply. The logs get saved to a common library
that we use for testing the product against. The text of the e-mail
is saved along with the file, so descriptions do help. Our mail system
can only handle files of about 2 megabytes in size; larger messages will be
rejected. Our automated system handles .zip files well, and zipping
compresses these files considerably.