SCADAfence Network Capture Tool
The SCADAfence Network Capture Tool is a new tool we’re providing to the community as free and open source (under the GPLv3 license), for both Linux and Windows operating systems.
The tool is a lightweight wrapper for network capture and compression applications that allows capturing of traffic in high bandwidth networks, with no limits on the file size or the duration of capture.
What makes this tool special?
We’ve tried using many tools, and our customers have tried as well. Wireshark, for example, might crash/stop while capturing high bandwidth OT/IoT networks. Wireshark also has problems with too many open files handles that can cause it to crash. In addition, its output files aren’t compressed.
Other tools name the files in a way that can’t be used by automated systems. They also produce files that are too big to open with Wireshark, they don’t have timestamps and suffer from additional issues that we’ve encountered.
This tool was created in order to save you time since it has been developed by people who use it for the same use case as what you need it for (see list of use cases below). We have used this tool to capture high bandwidth OT & IoT network traffic continuously for months.
The Tool’s Main features:
- Simple command line interface
- Textual log of capture into a log file
- Status updates every 10 seconds – How many files have been captured/compressed and error reporting
- Separates the files to 100MB each (before compression), to allow opening it with Wireshark without RAM issues
- Supports very high network bandwidth
- Names the files in a way that can be easily understood humans and machines, which includes file number (so that the order won’t be lost) and a timestamp: sniff_00001_20170828132202.pcap.gz
- Automatic parallel gzip compression of the pcap files, in a way in which the capturing doesn’t stop while compressing
- Standard pcap file format – can be opened with Wireshark or any other application that supports the pcap file format
- Free and open source – You can extend/change the code as you wish
- Low CPU/RAM footprint, can run reliably for months
The tool’s main use cases:
- Capture traffic for testing with products utilizing Deep Packet Inspection such as SCADAfence Platform Sensors
- Capture traffic during a cyber incident to gather evidence or allow researchers to look at full raw packet data
- Capture traffic in order to understand which protocols you have in your network
- Capture traffic in order to investigate networking issues
The tool can be used in industrial/IoT networks or in any other type of network.
I’m very happy that we’re able to provide a free, entry-level tool for people that are just starting out their journey into OT/IoT network security monitoring, and I hope this tool will be of help to you.
To Get the Network Capture tool for free, please click here: