Free packet capture and analysis software
NetWitness Investigator provides view into application traffic
- By William Jackson
- Nov 17, 2008
NetWitness Corp. is making a version of its Investigator packet capture and analysis tool available as a free download beginning today, giving users a closer look at who is doing what on their networks.
Although the tool does not come bundled with the rest of the enterprise suite of which it is a part, it is not a limited version, said NetWitness CEO Amit Yoran.
'There is no functionality disabled,' Yoran said. 'This is a fully functional piece of technology.'
The free version of Investigator is available here
Yoran, a former cybersecurity official in the Homeland Security Department, said the Investigator tool is being released in response to growing problems with data security breaches, which appear increasingly to be conducted by organized criminals and nation states. The company acquired the technology about two years ago and decided that it could be used to fill gaps in enterprise security and forensics practices.
'We have enough momentum and experience to feel it is something we can do to help,' he said.
Government accounted for about half of the company's 2008 revenues, and the initial response from federal customers to plans for making a version of Investigator available for free has been positive, Yoran said.
Investigator captures raw packets and also imports packets from third-party capture systems for analysis.
'There are a number of network monitoring technologies out there,' Yoran said. 'They are mostly focused on the network layer.' But increasingly, 'it's the vulnerabilities at the application layer where the exploits are occurring.'
Investigator allows reconstruction of sessions at the application layer, working with constructs other than IP address to show where traffic is moving, who is using it and what it is doing. It also decodes the traffic into plain text.
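To make concrete what "importing packets from third-party capture systems" and "reconstruction of sessions at the application layer" involve, here is a small worked example. It is added for this article and is not NetWitness code; it is a stdlib-only Python script that reads the classic libpcap file format, stitches TCP segments back into per-flow streams by sequence number (tolerating out-of-order delivery and retransmitted overlap, and refusing to guess across a gap), and then pulls application-layer identity out of a reassembled HTTP request: host name, requested path and, where HTTP Basic authentication is present, the user name. The capture it parses is constructed inline (addresses in 10.0.0.0/8, hosts under example.test, a made-up user "alice") so that it runs offline; the frame builder leaves checksums at zero, which the parser deliberately ignores.

```python
"""Classic pcap reader + TCP stream reassembly + HTTP metadata extraction (stdlib only)."""
import base64
import struct
from collections import defaultdict


def _ipv4(addr):
    return bytes(int(x) for x in addr.split("."))


def build_segment(src, sport, dst, dport, seq, payload, flags=0x18):
    """Ethernet + IPv4 + TCP frame for the constructed sample. Checksums left at 0."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     _ipv4(src), _ipv4(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip  # zero MACs, EtherType IPv4


def build_pcap(frames):
    """Classic little-endian pcap: global header (linktype 1 = Ethernet) + records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1226880000 + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample traffic (not a real capture): one request split across two
# segments that arrive out of order, plus an unrelated unauthenticated request.
REQUEST = (b"GET /admin HTTP/1.1\r\nHost: intranet.example.test\r\n"
           b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n\r\n")
SPLIT = 30
SAMPLE_PCAP = build_pcap([
    build_segment("10.0.0.5", 51000, "10.0.0.9", 80, 1000 + SPLIT, REQUEST[SPLIT:]),
    build_segment("10.0.0.5", 51000, "10.0.0.9", 80, 1000, REQUEST[:SPLIT]),
    build_segment("10.0.0.7", 40000, "10.0.0.9", 80, 5000,
                  b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
])


def iter_pcap_frames(data):
    """Yield (timestamp, frame_bytes) from a classic pcap file, either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl]
        off += incl


def parse_tcp(frame):
    """Return (src, sport, dst, dport, seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6 or len(ip) < total_len:
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    doff = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, seq, tcp[doff:]


def reassemble_sessions(pcap_bytes):
    """Group segments by flow 4-tuple and stitch them back together in sequence order."""
    flows = defaultdict(dict)
    for _ts, frame in iter_pcap_frames(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed and parsed[5]:
            src, sport, dst, dport, seq, payload = parsed
            flows[(src, sport, dst, dport)][seq] = payload
    sessions = {}
    for key, segs in flows.items():
        buf, expected = b"", min(segs)
        for seq in sorted(segs):
            if seq > expected:          # missing bytes: never fabricate across a gap
                break
            buf += segs[seq][expected - seq:]   # trim retransmitted overlap
            expected = max(expected, seq + len(segs[seq]))
        sessions[key] = buf
    return sessions


def decode_http_request(stream):
    """Pull application-layer identity (host, path, Basic-auth user) from a request."""
    head = stream.partition(b"\r\n\r\n")[0].decode("latin-1")
    lines = head.split("\r\n")
    if len(lines[0].split()) != 3:
        return None                      # not a well-formed request line
    method, path, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    user, auth = None, headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            user = base64.b64decode(auth[6:]).decode("latin-1").split(":", 1)[0]
        except (ValueError, UnicodeDecodeError):
            user = None
    return {"method": method, "path": path, "host": headers.get("host"), "user": user}


def investigate(pcap_bytes):
    """Map 'src:sport->dst:dport' to decoded HTTP metadata for every reassembled flow."""
    results = {}
    for (src, sport, dst, dport), stream in reassemble_sessions(pcap_bytes).items():
        meta = decode_http_request(stream)
        if meta:
            results[f"{src}:{sport}->{dst}:{dport}"] = meta
    return results


if __name__ == "__main__":
    for flow, meta in investigate(SAMPLE_PCAP).items():
        print(flow, meta)
```

The point of the reassembly step is that neither segment of the first request is meaningful on its own; only after the two are reordered does the user name become visible, which is why a packet-level view "focused on the network layer" misses what a session-level view shows. The parser stops at the first sequence gap rather than guessing, since a forensic tool that silently invents bytes is worse than one that reports a partial stream.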
Investigator is part of the NextGen enterprise suite of network monitoring and analysis tools, which also includes the Informer reporting tool, Decoder, Concentrator, and an API and software developer's kit. The primary difference between the free download and the enterprise version of Investigator is that the free version is limited to 25 collections at a time of 1 GB of data each; the enterprise version has no limit on data volume.
How useful this amount of data will be depends on how the tool is used. On a single server or a small segment of a network, or if only specific types of traffic are captured, the 25 GB total could last quite a while, Yoran said. 'On an OC-12 gateway, you might have a couple of seconds.'
'This is not intended to be an enterprise infrastructure,' he said. 'It's a useful application' that can be integrated into an incident response workflow.
Minimum system requirements for the Investigator download are a 32-bit Microsoft Windows XP, Server 2003 or Vista operating system, 1 GB of RAM (2 GB recommended) and one Ethernet port. Microsoft Internet Explorer 7 is recommended; earlier versions may limit some functionality.
William Jackson is a Maryland-based freelance writer.