Full Packet Logging & File Carving

MetaFlows' network malware detection software provides indexed packet logging so you can easily reconstruct what happened in your network's past. The storage can be sized according to your average network throughput and the desired time horizon. For example, if your Internet traffic averages 100 Mbit/s and you want to look back up to 1 week, you can size your storage as:

100 (Mbit/s) * 3600 * 24 * 7 (your time horizon) / 8,000,000 (convert Mbit to TB) = 7.560 TB

Our packet database is fast and easy to search because it is indexed. Interesting network packet traces (pcaps) can be downloaded within seconds using our UI or a Perl command line utility.

Besides returning the pcap, the system also performs file carving to dissect the content within the pcaps. This is an important analysis feature which allows you to close the loop on suspected downloads, payloads from exploits, or policy violations, and to categorically identify malicious behavior or data exfiltration activities.

The file carving system can be launched from the real-time or historical records in the MetaFlows interface and will precisely select the packet logs that contain data about the host(s) and event(s) in question.

The file carving operations will return a link to the raw packet trace, which can be downloaded to the desktop for further analysis using external analysis tools such as Wireshark. It will also extract all known file types from the packet trace and attempt to render them through the browser (as a mouseover) or by clicking directly on individual links. If the content in the pcap does not result in a known file type (for example an HTTP GET command), it will be shown as a raw flow that can be inspected or downloaded with a .txt extension.
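The known-type versus raw-flow decision described above, as an added example (not MetaFlows' code): a minimal carver that takes one reassembled TCP flow, extracts an HTTP response body, and names it by its magic bytes, keeping anything unrecognised as a raw `.txt` flow. The signature list, function names and sample flows are constructed for illustration.

```python
import hashlib

# Small illustrative subset of magic-byte signatures (assumption, not a product list).
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"MZ", "exe"),
    (b"PK\x03\x04", "zip"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF8", "gif"),
]

def http_body(stream: bytes):
    """Return the body of an HTTP response in a reassembled flow, else None.
    Assumes identity encoding: chunked or compressed bodies are not decoded."""
    if not stream.startswith(b"HTTP/"):
        return None
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        return None  # headers incomplete in this capture
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length" and value.strip().isdigit():
            return body[: int(value.strip())]  # ignore bytes past the declared length
    return body

def carve(stream: bytes) -> dict:
    """Classify one flow by content, not by its declared Content-Type."""
    payload = http_body(stream)
    if payload is None:
        payload = stream
    for magic, ext in SIGNATURES:
        if payload.startswith(magic):
            break
    else:
        ext, payload = "txt", stream  # unknown type: keep the whole raw flow
    digest = hashlib.sha256(payload).hexdigest()  # hash for lookups and evidence notes
    return {"ext": ext, "size": len(payload), "sha256": digest, "data": payload}

# Constructed sample flows: a client request and a server response carrying a PDF.
GET_FLOW = b"GET /report.pdf HTTP/1.1\r\nHost: example.test\r\n\r\n"
PDF_BODY = b"%PDF-1.4\n%constructed sample\n%%EOF\n"
RESP_FLOW = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
             b"Content-Length: " + str(len(PDF_BODY)).encode() + b"\r\n\r\n"
             + PDF_BODY + b"bytes of the next response")

if __name__ == "__main__":
    for flow in (GET_FLOW, RESP_FLOW):
        result = carve(flow)
        print(result["ext"], result["size"], result["sha256"][:16])
```

The response is declared as `application/octet-stream` yet is carved as a PDF, because the type comes from the payload itself.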

File carving screenshot