Packet Continuum is massively scalable packet capture software that offers lossless packet capture, fast query retrieval, and real-time alerts. It can process, store, and search captured packets across a cluster of systems to build solutions for network security and performance analysis. NextComputing offers complete packet capture solutions by combining Packet Continuum software with high-performance hardware platforms in various form factors to suit different user needs. Packet Continuum provides deterministic guarantees for packet capture rates and analytics and can scale to accommodate capture speeds, custom alerting rules, and extended storage timelines.
1. Page 1 of 7 Rev 1.0b—10/15
INNOVATIVE, OPEN, MASSIVELY SCALABLE PACKET CAPTURE SOFTWARE
Packet Continuum is a powerful, massively-scalable software architecture that offers lossless packet capture, fast query retrieval, and real-time event alerting.

With unique special features like in-line data compression and an open architecture, Packet Continuum makes the most of your resources, dramatically lowering the cost of creating long, rapidly-searchable forensic capture timelines. Its ability to process, store, and search across a cluster of systems lets you build the right solution for any size network application for cyber security or performance.

NextComputing offers complete packet capture solutions by combining the Packet Continuum software with high-performance platforms in a variety of form factors (see last page for details). Whether you need maximum density, space-saving compact systems, a unique portable solution, or you want to utilize your existing infrastructure of commodity servers, NextComputing has the perfect solution for you.
Federate multiple capture sites, anywhere!
• Lossless Packet Capture, with Deterministic Performance
• Scalable, Lightweight, MapReduce Cluster Architecture
• Extended Forensic Timeline and Storage Features
• Intuitive Web GUI and RESTful Interface
• Real-Time Packet Analytics
• User-Defined & Dynamic Critical IOC Alerts
Lossless Packet Capture, With Deterministic Performance
Packet Continuum provides a performance guarantee for a set of real-time packet analytics functions, at a sustained lossless capture rate, for a specified number of Packet Continuum cluster nodes. This means a deterministic guarantee to capture every packet under real-world conditions, not just a “best effort” attempt. Conditions of maximum network stress are exactly when a hidden performance problem or cyber security threat is most likely to surface, and also when a best-effort capture is most likely to drop the packets that matter.
• Lossless packet capture from 1Gbps to 40Gbps
• 150-nanosecond packet time stamping, using generic network interfaces instead of expensive specialized capture cards
• Real-time indexing, for efficient query and retrieval of retrospective PCAP data
• Real-time packet analytics, to generate Indicators of Compromise (IOC) alerts
• Scalable architecture to meet your speed and/or analytics requirements
• The ability to “federate” multiple cluster-based capture systems, for global visibility and PCAP retrieval
Scalable, Lightweight, MapReduce Cluster Architecture
The Packet Continuum cluster-based architecture scales up smoothly to accommodate any combination of goals for capture speed, custom alerting, and extended forensic timeline creation.
• Scalable to multiple nodes: simply adding cluster nodes increases packet analytics capacity, sustained capture rates, and (of course) storage capacity
• Packet processing is distributed to cluster nodes
• PCAP storage and index tables are distributed to cluster nodes
• Dynamic node management, including redundancy and hot-swap / expand
Extended Forensic Timeline and Storage Features
Packet Continuum offers many features to lower the cost of maintaining very long timelines, on a massive scale.
• Overall storage amplification up to 20x. The achievable ratio depends on the percentage of traffic carrying SSL/TLS-encrypted or already-compressed packet payloads, which do not compress further; the larger that share, the lower the effective amplification.
• Forensic timeline that is scalable, distributed and searchable over days and weeks, depending on average capture rate
• Even for very long timelines, queries respond with stream-based extracted packets, so analysis can occur in parallel with data retrieval
• Massive queries over large timelines respond quickly, even as the timeline grows
• Federated search across multiple Packet Continuum appliances at diverse geographic locations, without any “concentrator” servers as intermediaries
• Policy-driven packet capture in coordination with 3rd-party analytics solutions
Intuitive Web GUI and RESTful Interface
Manage and control multiple devices and review a continuous log of alerts, which auto-populate query requests, to drill down to find and extract the PCAP files you need.
• A common interface across all platforms
• Log and metadata information visualization, search, and packet viewing
• Manage multiple clusters and nodes as a federated system
• Remote access, automation, and control through your own choice of analytics application and framework
Real-Time Packet Analytics
These packet analytics features are standard on all platform configurations for Packet Continuum:
• Real-Time Indexing: Every packet gets a timestamp and a 5-tuple index: source and destination IP address, source and destination port, and IP protocol (e.g. TCP, UDP, ICMP).
• Real-Time Data Compression: In-line packet compression is transparent to the user. All packets are compressed as they are captured, and all extracted PCAP files are decompressed on retrieval.
• Real-Time Indicator of Compromise (IOC) Events: Active Trigger and Packet Analytics alerts generate event logs (or IPFIX records), which appear within the web GUI as a scrolling window. Any alert can be used to populate a BPF query that retrieves the associated PCAP data.
• Open BPF Search: Run one or more simultaneous PCAP search queries, each based on a user-defined BPF descriptor (e.g. a 5-tuple within a time period). Waiting queries are held in an active queue.
• Streamed PCAP Results: All PCAP query results are streamed in “chunks”, the first of which appears almost immediately after the query starts, so partial results can be analyzed while the rest of the query completes.
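The indexing, time-bounded 5-tuple search, chunked result streaming and alert-to-query behaviour described above, as an added Python example. This is illustrative code written for this page, not Packet Continuum's own implementation or API; the packet record layout, the sample capture, the chunk size and the +/- context-second look-back window around an alert are all assumptions.

```python
"""Added example (not Packet Continuum code): a 5-tuple + timestamp index
built at capture time, time-bounded queries served from it in streamed
chunks, and an IOC alert turned into a look-back query and a BPF string.
Packet layout, sample traffic and the context window are assumptions."""
from __future__ import annotations

import bisect
from dataclasses import dataclass
from typing import Iterator

FIELDS = ("src", "dst", "sport", "dport", "proto")   # the 5-tuple


@dataclass(frozen=True)
class Packet:
    ts: float       # capture timestamp, seconds since the epoch
    src: str
    dst: str
    sport: int
    dport: int
    proto: int      # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    payload: bytes


# Constructed sample capture, in capture order (not real traffic).
SAMPLE = [
    Packet(1700000000.000, "10.0.0.5", "192.0.2.10", 51000, 443, 6, b"clienthello"),
    Packet(1700000000.001, "192.0.2.10", "10.0.0.5", 443, 51000, 6, b"serverhello"),
    Packet(1700000001.500, "10.0.0.5", "198.51.100.7", 51001, 80, 6, b"GET / HTTP/1.1"),
    Packet(1700000002.000, "10.0.0.9", "192.0.2.10", 40000, 53, 17, b"dnsquery"),
    Packet(1700000005.250, "10.0.0.5", "198.51.100.7", 51001, 80, 6, b"GET /x HTTP/1.1"),
    Packet(1700000009.000, "10.0.0.5", "192.0.2.10", 0, 0, 1, b"echo"),
]


class FiveTupleIndex:
    """Per-field posting lists plus a sorted timestamp list: a query touches
    only the posting lists it names and the time slice it asks for, instead
    of scanning the whole capture."""

    def __init__(self) -> None:
        self.packets: list[Packet] = []
        self.ts: list[float] = []          # parallel to packets, sorted
        self.posting: dict[str, dict[object, set[int]]] = {f: {} for f in FIELDS}

    def ingest(self, pkt: Packet) -> None:
        """Index one packet as it is captured (packets must arrive in time order)."""
        if self.ts and pkt.ts < self.ts[-1]:
            raise ValueError("packets must be ingested in capture order")
        idx = len(self.packets)
        self.packets.append(pkt)
        self.ts.append(pkt.ts)
        for f in FIELDS:
            self.posting[f].setdefault(getattr(pkt, f), set()).add(idx)

    def query(self, t_start: float, t_end: float, chunk_size: int = 2,
              **match: object) -> Iterator[list[Packet]]:
        """Yield matching packets in chunks. Time window is [t_start, t_end);
        each keyword is an exact match on a 5-tuple field (AND semantics)."""
        lo = bisect.bisect_left(self.ts, t_start)
        hi = bisect.bisect_left(self.ts, t_end)
        candidates = set(range(lo, hi))
        for field, value in match.items():
            if field not in FIELDS:
                raise ValueError(f"unknown 5-tuple field {field!r}")
            candidates &= self.posting[field].get(value, set())
        chunk: list[Packet] = []
        for i in sorted(candidates):       # stream in capture order
            chunk.append(self.packets[i])
            if len(chunk) == chunk_size:
                yield chunk                # consumer gets this before later chunks are built
                chunk = []
        if chunk:
            yield chunk


def build_index(packets=SAMPLE) -> FiveTupleIndex:
    index = FiveTupleIndex()
    for p in packets:
        index.ingest(p)
    return index


def query_from_alert(alert: dict, context_s: float = 5.0) -> tuple[float, float, dict]:
    """Turn an IOC alert record into a look-back query: its 5-tuple fields
    become exact matches, and +/- context_s seconds around the alert time
    bounds the search (the window size is an assumption)."""
    match = {f: alert[f] for f in FIELDS if f in alert}
    return alert["ts"] - context_s, alert["ts"] + context_s, match


def to_bpf(match: dict) -> str:
    """Render the same match as a tcpdump-style BPF filter string."""
    parts = []
    if "src" in match:
        parts.append(f"src host {match['src']}")
    if "dst" in match:
        parts.append(f"dst host {match['dst']}")
    if "sport" in match:
        parts.append(f"src port {match['sport']}")
    if "dport" in match:
        parts.append(f"dst port {match['dport']}")
    if "proto" in match:
        parts.append(f"ip proto {match['proto']}")
    return " and ".join(parts) or "ip"


if __name__ == "__main__":
    idx = build_index()
    alert = {"ts": 1700000001.5, "src": "10.0.0.5", "dst": "198.51.100.7", "dport": 80, "proto": 6}
    t0, t1, match = query_from_alert(alert, context_s=1.0)
    print("BPF:", to_bpf(match))
    for chunk in idx.query(t0, t1, **match):
        print([p.payload for p in chunk])
```

The posting-list intersection is what makes a retrospective query cheap: a query for one host on one port never touches packets that belong to other flows, and the time window is resolved by binary search over the sorted timestamps rather than by reading the timeline front to back.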
User-Defined & Dynamic Critical IOC Alerts
Whatever Indicators of Compromise (IOC) are most critical for your application, you may choose what you need, and change them dynamically. These packet analytics features are options which a user may turn on and off as needed for optimal performance:
• Active Trigger Alerts: Multiple BPF-based event logging alerts can be established for a “look forward” capability.
• Full Session IDs: Each complete session or connection can be logged with a unique session ID, so that the requesting application can collect data about network activity and request a PCAP file for any complete TCP session.
• RFC Anomaly Detection: Detect and log hundreds of “unusual behavior” events which closely correlate to non-compliance with IETF RFCs.
• File Logging for In/Exfiltration: When Packet Continuum detects a file attachment or transfer, it logs the event along with a standard file hash identifier.
• HTTP Event Logging: Log HTTP sessions along with key metadata such as the first URL.
• FTP/GridFTP: Log FTP sessions, along with key metadata such as file hash.
• IPFIX Record Output: As an alternative to high-speed logs, IPFIX standard data export is possible, allowing third-party IPFIX data collection devices to receive event data from Packet Continuum.
• Multiple Open BPF Searches: A specified number (more than one) of open BPF searches can be run for simultaneous “look back” searches of the historical PCAP repository.
• Custom Packet Analytics: NextComputing works closely with OEMs and end users to implement specialized event detection, metadata extraction, and session post-processing applications.
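The IPFIX Record Output option above hands session events to third-party IPFIX collectors. As an added example (not Packet Continuum code, and not its actual export template), the following Python encodes one session event as an IPFIX message per RFC 7011, a template set followed by a data set, and then decodes it the way a collector does. The choice of Information Elements, the template ID and the sample record are assumptions.

```python
"""Added example (not Packet Continuum code): one session event encoded as an
IPFIX export message (RFC 7011) with a template set and a data set, then
decoded as a collector would. The Information Elements, template ID and
sample record are assumptions, not the product's actual template."""
import ipaddress
import struct

IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2        # set ID reserved for template sets
TEMPLATE_ID = 256          # exporter-chosen; 256 is the first ID allowed for templates

# Assumed session record: (IANA Information Element ID, length in octets, name)
SESSION_TEMPLATE = [
    (8, 4, "src"),          # sourceIPv4Address
    (12, 4, "dst"),         # destinationIPv4Address
    (7, 2, "sport"),        # sourceTransportPort
    (11, 2, "dport"),       # destinationTransportPort
    (4, 1, "proto"),        # protocolIdentifier
    (2, 8, "packets"),      # packetDeltaCount
    (1, 8, "octets"),       # octetDeltaCount
    (152, 8, "start_ms"),   # flowStartMilliseconds
    (153, 8, "end_ms"),     # flowEndMilliseconds
]
IPV4_ELEMENTS = {8, 12}
NAME_BY_IE = {ie: name for ie, _, name in SESSION_TEMPLATE}


def encode_record(rec: dict) -> bytes:
    """Fixed-length data record laid out exactly as the template declares."""
    out = b""
    for ie, length, name in SESSION_TEMPLATE:
        if ie in IPV4_ELEMENTS:
            out += ipaddress.IPv4Address(rec[name]).packed
        else:
            out += int(rec[name]).to_bytes(length, "big")
    return out


def build_message(records: list, export_time: int, sequence: int, domain_id: int = 1) -> bytes:
    """IPFIX message = 16-byte header, then a template set, then one data set."""
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(SESSION_TEMPLATE))
    for ie, length, _ in SESSION_TEMPLATE:
        tmpl += struct.pack("!HH", ie, length)
    template_set = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(tmpl)) + tmpl
    data = b"".join(encode_record(r) for r in records)
    data_set = struct.pack("!HH", TEMPLATE_ID, 4 + len(data)) + data
    body = template_set + data_set
    header = struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), export_time, sequence, domain_id)
    return header + body


def decode_message(msg: bytes) -> list:
    """Walk the sets: learn templates from template sets, then decode data sets
    with the template they reference. Rejects bad lengths and data sets whose
    template has not been seen (a collector must never guess a layout)."""
    version, length, _export_time, _seq, _domain = struct.unpack("!HHIII", msg[:16])
    if version != IPFIX_VERSION or length != len(msg):
        raise ValueError("bad IPFIX header")
    templates, records, off = {}, [], 16
    while off < length:
        set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")
        pos, end = off + 4, off + set_len
        if set_id == TEMPLATE_SET_ID:
            while pos + 4 <= end:
                tid, count = struct.unpack("!HH", msg[pos:pos + 4])
                pos += 4
                fields = [struct.unpack("!HH", msg[pos + 4 * i:pos + 4 * i + 4]) for i in range(count)]
                pos += 4 * count
                templates[tid] = fields
        elif set_id >= 256:
            fields = templates.get(set_id)
            if fields is None:
                raise ValueError(f"data set {set_id} before its template")
            rec_len = sum(l for _, l in fields)
            if rec_len == 0:
                raise ValueError("empty template")
            while pos + rec_len <= end:
                rec = {}
                for ie, l in fields:
                    raw = msg[pos:pos + l]
                    pos += l
                    name = NAME_BY_IE.get(ie, f"ie{ie}")
                    rec[name] = str(ipaddress.IPv4Address(raw)) if ie in IPV4_ELEMENTS else int.from_bytes(raw, "big")
                records.append(rec)
        off = end
    return records


SAMPLE_EVENT = {  # constructed HTTP session event
    "src": "10.0.0.5", "dst": "198.51.100.7", "sport": 51001, "dport": 80, "proto": 6,
    "packets": 12, "octets": 4096, "start_ms": 1700000001500, "end_ms": 1700000005250,
}

if __name__ == "__main__":
    msg = build_message([SAMPLE_EVENT], export_time=1700000006, sequence=0)
    print(len(msg), "bytes:", msg.hex())
    print(decode_message(msg))
```

Sending the template in the same message as the data is the simplest way to keep a collector in sync; over UDP an exporter must also re-send templates periodically, since a collector that has not seen the template cannot decode the records, and the decoder above refuses to try.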
Incident Response Workflow: Human cyber investigation team at an end-user enterprise / agency
Incident Response Workflow: Automated and driven by OEM solutions and 3rd-party tools

Use Cases
• Incident Response Workflow
• Event-to-PCAP Correlation
• Policy-Driven Packet Capture
• Automated File Detection
• Selective DPI Analytics
• Fast DPI Analytics
• Look-Back + Look-Forward
Actions
• Full Context PCAP Extraction
• Offload Resource-Intensive Operations
• Entry-Level Platforms
• Adaptive PCAP Algorithms

Use Cases
• Incident Response Workflow
• Importing IOC alerts
• User-Created Scripts
• Data exfiltration
• Bring PCAP evidence to court
• Botnet Command-and-Control activity
• Search for user anomalous behavior
• Forensic traffic analysis
• Network Behavior Anomaly Detection (NBAD)
• Integration of real-time threat intelligence
• Encrypted Traffic analysis
All Packet Continuum platforms are cluster-ready, share a common REST API and Web GUI, and federate together as a global system.
Platform comparison (the datasheet's comparison table, reconstructed as one entry per platform; rows shared by a platform group are listed once under that group)

Enterprise-Grade platforms (Enterprise Extreme, Enterprise, Enterprise Lite)
• Purchase options: integrated capture appliance, or a software license for deployment on customer-purchased enterprise-grade servers, with license terms for platform specs, integration, support, etc.
• Support: global hardware support direct from the enterprise-grade computer vendor; software support from NextComputing
• Additional cluster nodes increase: capture rate, forensics timeline, and/or advanced packet analytics
• Physical, cluster node: 2U rackmount, 26.92” (683.77mm) depth

Enterprise Extreme
• Capture interface options: 2 x 10G ports; 4 x 10G ports; 4 x 1G ports
• Capture rate options: up to 15Gbps aggregate lossless capture rate with no cluster nodes and basic packet analytics; up to 20Gbps with 2+ nodes; up to 40Gbps with 6+ nodes
• Forensic timeline, master node: PCAP storage of 20TB physical, up to 400TB with amplification
• Forensic timeline, cluster node: PCAP storage of 100TB physical, up to 2PB with amplification
• Forensic timeline, max system capacity: 28 nodes max, for total PCAP storage of 2.8PB physical, up to 56PB with amplification
• Physical, master node: 4U rackmount, 31.59” (802.39mm) depth

Enterprise
• Capture interface options: 2 x 10G ports
• Capture rate options: up to 5Gbps aggregate lossless capture rate with no cluster nodes and basic packet analytics; up to 10Gbps with 2+ nodes; up to 20Gbps with 6+ nodes
• Forensic timeline, master node: PCAP storage of 20TB physical, up to 400TB with amplification
• Forensic timeline, cluster node: PCAP storage of 100TB physical, up to 2PB with amplification
• Forensic timeline, max system capacity: 8 nodes max, for total PCAP storage of 820TB physical, up to 16PB with amplification
• Physical, master node: 2U rackmount, 26.92” (683.77mm) depth

Enterprise Lite
• Capture interface options: 1 x 1G port
• Capture rate options: up to 500Mbps aggregate lossless capture rate with no cluster nodes and basic packet analytics; up to 1Gbps with 2+ nodes
• Forensic timeline, master node: PCAP storage of 40TB physical, up to 800TB with amplification
• Forensic timeline, cluster node: PCAP storage of 100TB physical, up to 2PB with amplification
• Forensic timeline, max system capacity: 8 nodes max, for total PCAP storage of 820TB physical, up to 16PB with amplification
• Physical, master node: 2U rackmount, 26.92” (683.77mm) depth

Deployable platforms (Deployable Extreme, Deployable Enterprise)
• Purchase options: integrated capture appliance
• Support: full appliance support from NextComputing
• Additional cluster nodes increase: capture rate, forensics timeline, and/or advanced packet analytics

Deployable Extreme
• Capture interface options: 2 x 10G ports; 4 x 10G ports; 4 x 1G ports
• Capture rate options: up to 40Gbps aggregate lossless capture rate, with no cluster nodes and basic packet analytics
• Forensic timeline, master node: PCAP storage of 20TB physical, up to 400TB with amplification
• Forensic timeline, cluster node: PCAP storage of 20TB physical, up to 400TB with amplification
• Forensic timeline, max system capacity: 8 nodes max, for total PCAP storage of 180TB physical, up to 3.6PB with amplification
• Physical, master node: 3U x 20” (508mm) depth
• Physical, cluster node: 3U x 20” (508mm) depth

Deployable Enterprise
• Capture interface options: 2 x 10G ports
• Capture rate options: up to 20Gbps aggregate lossless capture rate, with no cluster nodes and basic packet analytics
• Forensic timeline, master node: PCAP storage of 10TB physical, up to 200TB with amplification
• Forensic timeline, cluster node: PCAP storage of 10TB physical, up to 200TB with amplification
• Forensic timeline, max system capacity: 8 nodes max, for total PCAP storage of 90TB physical, up to 1.8PB with amplification
• Physical, master node: 2U x 17” (431.8mm) depth
• Physical, cluster node: 2U x 17” (431.8mm) depth

Portable platforms (Portable, Portable Rugged)
• Purchase options: integrated capture appliance
• Support: full appliance support from NextComputing
• Additional cluster nodes increase: capture rate, forensics timeline, and/or advanced packet analytics

Portable
• Capture interface options: 1 x or 2 x 10G; 4 x 1G fiber SFP+
• Capture rate options: up to 20Gbps aggregate lossless capture rate, with no cluster nodes and basic packet analytics
• Forensic timeline, master node: PCAP storage of 20TB physical, up to 400TB with amplification
• Forensic timeline, cluster node: PCAP storage of 20TB physical, up to 400TB with amplification
• Forensic timeline, max system capacity: 8 nodes max, for total PCAP storage of 180TB physical, up to 3.6PB with amplification
• Physical, master node: briefcase-size portable
• Physical, cluster node: briefcase-size portable

Portable Rugged
• Capture interface options: 1 x or 2 x 10G; 4 x 1G fiber SFP+
• Capture rate options: up to 20Gbps aggregate lossless capture rate, with no cluster nodes and basic packet analytics
• Forensic timeline, master node: PCAP storage of 20TB physical, up to 400TB with amplification
• Forensic timeline, cluster node: PCAP storage of 20TB physical, up to 400TB with amplification
• Forensic timeline, max system capacity: 8 nodes max, for total PCAP storage of 180TB physical, up to 3.6PB with amplification
• Physical, master node: rugged portable with optional fold-out displays
• Physical, cluster node: rugged portable

Note: the “with amplification” figures are the physical capacity multiplied by the up-to-20x storage amplification quoted earlier; the multiplier actually achieved depends on how much of the captured traffic carries encrypted or already-compressed payloads, so size a timeline on the physical figure when that share is high.