Back in the U.S., service provider SBC Communications uses the NetVCR tool to monitor patterns of Internet activity across all the SBC regions, says Mike Russina, director of IP networks and system infrastructure at SBC's Internet division. The purpose is to understand network usage patterns, particularly with DSL, and monitor line availability. "Napster, for instance, has been out for about six months, and we want to know what impact it's having on our network," he says. He emphasizes that SBC is not storing or inspecting traffic content but is capturing just the 20 bytes of the packet header.
"I only need the source and destination and the type of traffic," Russina says, adding that a competing product, Network Associates' Sniffer, stores the entire packet content, thus filling up data storage very quickly. NetVCR, which comes with its own database, "can hold an unbelievable amount of data," Russina says, but the data is more economically held and easily analyzed.
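The header-only retention Russina describes can be sketched as follows. This is an added example, not Niksun's or SBC's code; it assumes the "20 bytes" is the fixed IPv4 header without options, and the packets and addresses are constructed sample data.

```python
import socket
import struct
from collections import Counter

IPV4_FIXED_HEADER_LEN = 20  # assumption: the "20 bytes" is the option-less IPv4 header
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def build_packet(src, dst, proto, payload):
    """Construct a sample IPv4 packet (checksum left at 0; sample data only)."""
    total_len = IPV4_FIXED_HEADER_LEN + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, 64, proto, 0,
        socket.inet_aton(src), socket.inet_aton(dst),
    )
    return header + payload

def parse_header(record):
    """Decode a stored 20-byte record into (src, dst, protocol name, on-wire length)."""
    if len(record) < IPV4_FIXED_HEADER_LEN:
        raise ValueError("truncated header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", record[:IPV4_FIXED_HEADER_LEN])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    return (socket.inet_ntoa(src), socket.inet_ntoa(dst),
            PROTO_NAMES.get(proto, str(proto)), total_len)

def summarize(packets):
    """Keep only headers, then report bytes per flow and storage used vs. full capture."""
    stored = [p[:IPV4_FIXED_HEADER_LEN] for p in packets]  # payload is discarded here
    usage = Counter()
    for rec in stored:
        src, dst, proto, length = parse_header(rec)
        usage[(src, dst, proto)] += length  # length field still records on-wire size
    return usage, sum(map(len, stored)), sum(map(len, packets))

# Constructed sample traffic using documentation address ranges, not real captures.
SAMPLE = [
    build_packet("192.0.2.10", "198.51.100.5", 6, b"A" * 1400),
    build_packet("192.0.2.10", "198.51.100.5", 6, b"B" * 1400),
    build_packet("192.0.2.22", "203.0.113.9", 17, b"C" * 80),
]

if __name__ == "__main__":
    usage, header_bytes, full_bytes = summarize(SAMPLE)
    print(dict(usage), f"stored {header_bytes} of {full_bytes} bytes")
```

Because the header's total-length field survives, per-flow byte counts remain accurate even though no payload is kept.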
According to Niksun's Paruthi, the Unix-based NetVCR is a protocol decoder that stores data it collects on disk or tape so it can look through terabytes of information.
"You can analyze the data in a variety of ways from link layer to application layer, break it apart and analyze the quality of service," Paruthi says.
The newer tool in Paruthi's bag of tricks, NetDetector, essentially adds a security alarm to the monitoring, putting the product in competition with intrusion-detection tools such as NFR Security's Network Flight Recorder. "Theirs runs at 30 to 60 megabits per second, but this one runs at gigabit rates and can hold terabytes of information," he says.
Some network break-ins are so artfully done that hackers proceed carefully over a period of weeks to slowly carry out port scans or take over computers. "With NetDetector, you can replay and find out exactly how the hacker did that attack," he notes.
Paruthi admits NetDetector's intrusion-detection features are still fairly simple, so it would only set off an alarm for six types of attacks related to denial-of-service and other malicious activities.
"But it will show patterns very indicative of malice, and this will be of help in forensic analysis or warning about specific behavior," he says.
Niksun is a member of the DDOS Consortium started by Yahoo, eBay, Schwab and others hit in February's mammoth distributed denial-of-service attacks, and eBay is expected to test the Niksun tools shortly.