PcapDB is a distributed, search-optimized open source packet capture system. It was designed to replace expensive, commercial appliances with off-the-shelf hardware and a free, easy to manage software system. Captured packets are reorganized during capture by flow (an indefinite length sequence of packets with the same src/dst ips/ports and transport proto), indexed by flow, and searched (again) by flow. The indexes for the captured packets are relatively tiny (typically less than 1% the size of the captured data).
A PcapDB installation consists of a Search Head and one or more Capture Nodes. The Search Head can also be a Capture Node, or it can be a VM somewhere else. Wherever it is, the Search Head must be accessible by the Capture Nodes, but there’s no need for the Capture Nodes to be visible to the Search Head.
Hardware requirements depend greatly on the peak time capture rates of the network being monitored.
Capture rates listed below are for the peak-time-average traffic. For example, a deployment on a 10 Gb link sees an average of 3 Gb/s of traffic during the busiest part of the work week, though it does have momentary spikes of up to 10 Gb/s of traffic. For our purposes, this is a 3Gb/s network.
While PcapDB can technically run (in libpcap mode) using just about any network card, for best performance you’ll want a card compatible with the PFring ZC library and it’s custom drivers. Currently, the Intel X520 line of server adaptors is the most affordable option at around $300. Myricom cards are another, albeit more expensive, option.
PcapDB is designed to work on Linux servers only. It was developed on both Redhat Enterprise and Debian systems, but its primary testbed has so far been Redhat based. While it has been verified to work (with packages from non-default repositories) on RHEL 6, a more bleeding edge system (like RHEL/Centos 7, or the latest Debian/Ubuntu LTS) will greatly simplify the process of gathering dependencies.
sys_requirements.md contains a list of the packages required to run and build pcapdb. They are easiest to install on modern Debian based machines.
requirements.txt contains python/pip requirements. They will automatically be installed via ‘make install’.
To build and install everything in /var/pcapdb/, run one of:
make install-search-head make install-capture-node make install-monolithic
make install-search-head DESTDIR=/var/mypcaplocation
make install-capture-node DESTDIR=$(pwd). In this case, PcapDB won’t install system scripts for various needed components. You will have to run it manually, see below.
To make your life easier, however, you should work make sure the indexing code builds cleanly by running ‘make’ in the ‘indexer/’ directory.
Postgresql may install in a strange location, as noted in the ‘indexer/README’. This can cause build failures in certain pip installed packages. Add
PATH=$PATH:<pgsql_bin_path> to the end of your ‘make install’ command to fix this. For me, it is:
make install PATH=$PATH:/usr/pgsql-9.4/bin .
After running ‘make install’, there are a few more steps to perform.
The core/bin/post-install.sh script will handle the vast majority of the system setup for you.
You’ll also have to give it the search head’s IP.
/var/pcapdb/core/bin/post-install.sh [-c] [-s] <search_head_ip>
This will set up the databases and rabbitmq.
This is the main Pcapdb config file. You must set certain values before PcapDB will run at all. There are a few things you need to set in here manually:
You’ll need to create an admin user.
sudo su - capture ./bin/python core/manage.py add_user <username> <first_name> <last_name> <email>
You should be able to login with your admin account.
One more thing. You should install the drivers specific to your capture card for pfring-zc. The packages from NTOP actually build the drivers for your kernel on the fly when installed, though you may have to reinstall that package whenever you do a kernel update. Building and installing from source is also fairly straightforward.