handling 150mb pcaps

I'm looking for feedback, best practices, or just the approaches the community takes when dealing with a whole day's worth of pcaps. I'm using Security Onion. It collects full packet captures for 2 LANs (x.x.x.x/21). A lot of traffic. It collects 150MB per packet.

What does anyone do when trying to sift, coordinate, and 'get the full picture'? Currently I am using IDS tools to find a specific time to investigate with the pcap, but I'm doing them one by one. What if you want to expand to an hour of traffic? What if you wanted to look for a trend in traffic that would not be noticed in individual pcaps? How would you handle information for a stream that extends out of the 150MB limit?
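One way to deal with the last point in the question (a stream that runs past the per-file size limit), as an added example that is not from the original post or from Security Onion: treat a directory of rotated pcap files as one timeline and pull a single TCP/UDP flow out of it, regardless of which file each packet landed in. The file names, addresses and timestamps below are constructed sample data, and the reader handles classic microsecond libpcap files only (not pcapng).

```python
import glob, os, struct, tempfile

MAGIC = {b'\xd4\xc3\xb2\xa1': '<', b'\xa1\xb2\xc3\xd4': '>'}   # classic pcap, microsecond timestamps

def read_pcap(path):
    """Yield (timestamp_seconds, frame_bytes) from one classic libpcap file (pcapng not handled)."""
    with open(path, 'rb') as f:
        endian = MAGIC[f.read(4)]
        f.read(20)                                   # remainder of the 24-byte global header
        while hdr := f.read(16):
            ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + 'IIII', hdr)
            yield ts_sec + ts_usec / 1e6, f.read(incl_len)

def flow_key(frame):
    """Direction-independent (proto, ip, port, ip, port) key for IPv4 TCP/UDP frames, else None."""
    ihl = (frame[14] & 0x0f) * 4 if len(frame) > 34 else 0
    if not ihl or frame[12:14] != b'\x08\x00' or frame[23] not in (6, 17) or len(frame) < ihl + 18:
        return None
    sport, dport = struct.unpack('!HH', frame[14 + ihl:18 + ihl])
    a, b = (frame[26:30], sport), (frame[30:34], dport)
    return (frame[23],) + (a + b if a <= b else b + a)

def extract_flow(paths, key, start=0.0, end=float('inf')):
    """Merge rotated files into one timeline and keep packets of `key` within [start, end)."""
    pkts = [(ts, fr) for p in paths for ts, fr in read_pcap(p)
            if start <= ts < end and flow_key(fr) == key]
    return sorted(pkts, key=lambda x: x[0])           # file/rotation order is not assumed

def write_pcap(path, packets):
    """Write (ts, frame) pairs as a little-endian microsecond pcap, linktype 1 (Ethernet)."""
    with open(path, 'wb') as f:
        f.write(struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1))
        for ts, fr in packets:
            f.write(struct.pack('<IIII', int(ts), round((ts % 1) * 1e6), len(fr), len(fr)) + fr)

def tcp_frame(src, sport, dst, dport):
    """Constructed Ethernet/IPv4/TCP frame with no payload and zero checksums (sample data only)."""
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 40, 0, 0, 64, 6, 0, bytes(src), bytes(dst))
    tcp = struct.pack('!HHIIBBHHH', sport, dport, 0, 0, 0x50, 0x10, 1024, 0, 0)
    return b'\xff' * 6 + b'\xaa' * 6 + b'\x08\x00' + ip + tcp

def demo():
    """Constructed rotation: one TCP session spans two files; return (packets, first_ts, last_ts)."""
    client, server = (10, 0, 0, 5), (10, 0, 1, 9)
    req, resp = tcp_frame(client, 40000, server, 443), tcp_frame(server, 443, client, 40000)
    noise = tcp_frame((10, 0, 0, 7), 51000, server, 80)
    d = tempfile.mkdtemp()
    write_pcap(os.path.join(d, 'cap-1000.pcap'), [(1000.0, req), (1000.5, noise), (1001.0, resp)])
    write_pcap(os.path.join(d, 'cap-1002.pcap'), [(1002.0, req), (1002.5, resp), (1003.0, noise)])
    flow = extract_flow(sorted(glob.glob(os.path.join(d, '*.pcap'))), flow_key(req), 1000.0, 1003.0)
    return len(flow), flow[0][0], flow[-1][0]
```

For a real day of 150MB files, `extract_flow` only keeps the matching packets in memory, so narrowing `start`/`end` from an IDS alert time is what keeps the run cheap.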