Wednesday, April 04, 2007

On Packet Logging and ... ehhh... Log Logging

Here is a weird one: what does capturing packets have to do with log management? While some people can spend hours debating whether something like an SNMP trap is, in fact, a log, few would consider PCAP files to be logs.

However, look at this recent PR piece from Sourcefire introducing daemonlogger, a tool to efficiently capture packets (kind of tcpdump on steroids): the piece mentions "logs" and "logging" (and even log management) way too many times.

What's up with that? Is logging cool again? :-) Or is somebody at Sourcefire thinking about logs? They do need to diversify, ya know...

1 comment:

Anonymous said...

@ Anton

Any captured network traffic may be considered a historical record i.e. log.

In addition, the captured network traffic can be “replayed” with a high degree of accuracy based on the timestamp recorded within the PCAP file.

That stated, I demonstrated a proof of concept to insert, modify a PCAP file as part of my presentation on "Defeating Network Intrusion Detection and Prevention" at RUXCON in 2005.
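As an added example (not code from the post, the commenter, or daemonlogger), the small classic-PCAP parser below reads the per-packet timestamps the comment refers to, renders each record as a plain log line, and flags records whose timestamps run backwards, which is the kind of sanity check worth running on a capture before treating it as a trustworthy record. The sample capture is constructed inline.

```python
import struct
from datetime import datetime, timezone

PCAP_MAGIC_LE, PCAP_MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1  # magic as read little-endian

def _record(ts_sec, ts_usec, payload):
    # Per-packet header: ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on wire).
    return struct.pack("<IIII", ts_sec, ts_usec, len(payload), len(payload)) + payload

# Constructed sample capture (not a real trace): header plus three dummy frames, the third
# deliberately timestamped earlier than the second.
SAMPLE_PCAP = (
    struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)  # v2.4, snaplen 65535, Ethernet
    + _record(1175644800, 0, b"\x00" * 14)
    + _record(1175644800, 250000, b"\x00" * 20)
    + _record(1175644799, 900000, b"\x00" * 16)
)

def parse_pcap(data):
    """Return a list of (timestamp, incl_len, orig_len, payload), one per packet record."""
    (magic,) = struct.unpack_from("<I", data, 0)
    endian = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    (snaplen,) = struct.unpack_from(endian + "I", data, 16)
    offset, records = 24, []
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        if incl_len > snaplen or offset + incl_len > len(data):  # claims more bytes than exist
            raise ValueError("truncated or inconsistent record at offset %d" % (offset - 16))
        records.append((ts_sec + ts_usec / 1e6, incl_len, orig_len, data[offset:offset + incl_len]))
        offset += incl_len
    return records

def is_well_formed(data):
    try:
        parse_pcap(data)
        return True
    except (ValueError, struct.error):
        return False

def timestamp_anomalies(records):
    """Indices whose timestamp goes backwards; one sniffer writes monotonic times, so a jump back suggests merged captures or a file edited after the fact."""
    return [i for i in range(1, len(records)) if records[i][0] < records[i - 1][0]]

def to_log_lines(records):
    """Render each record as a plain timestamped log line (UTC)."""
    fmt = lambda ts: datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    return ["%s captured=%d original=%d" % (fmt(ts), incl, orig) for ts, incl, orig, _ in records]
```

Trailing bytes shorter than a record header are ignored rather than rejected, so pair this with a file-size check if you need to detect a capture cut off mid-header.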

Dr Anton Chuvakin