Timemachine 20080814-0

Timemachine can record the entire contents of a high-volume network traffic stream.
Timemachine project is a joint project of the Technische Universität Berlin, the Technische Universität München, and the ICSI (University of California Berkeley). It is open-source and published under the BSD license.

There are times when it would be extraordinarily convenient to record the entire contents of a high-volume network traffic stream, in order to later "travel back in time" and inspect activity that has only become interesting in retrospect. Two examples are security forensics-determining just how an attacker compromised a given machine-and network trouble-shooting, such as inspecting the precursors to a fault after the fault.

To perform this task efficiently, the packets are first stored in a ring buffer in the memory (RAM), later the packets are copied to (hard) disk. This allows the timemachine to smoothen capture bandwidth peaks in memory and store huge amounts of traffic on disk, covering several days of network traffic. The timemachine is designed to work in Gbps environments.

Since it is not feasible to capture the complete load of a fully utilized Gbps link to disk, the timemachine utilizes a mechanism called "connection cutoff" to reduce the the amount of data to process. This "connection cutoff" only records the first X bytes of every monitored connection (identified via the 5-tupel of source and destination IP and Port and the transport protocol). Indeed this approach it does not impair the analysis capabilities (unless the cutoff is set to low) because most of the "interessting" data is located in the first few packets of a connection. The effiency of this approach comes from leveraging the heavy-tailed nature of network traffic: because the bulk of the traffic in high-volume streams comes from just a few connections.

To take full advantage of this recording it is import to be able to quickly locate certain packets. For example one might be interested in all packets of a specific connection or all packets from one IP address. This is achieved by indexing stored packets. The indexes to create can be specified, for example one could create indexes for the connection 5-tupel, for IP address pairs, for IP addresses, etc. One can than issue a queries for a specific index to the timemachine and the timemachine will lookup the query in its index and will return all stored packets matching the query.

It is planned to add a feature that will enable the timemachine to directly interact with the Bro intrusion detection system (www.bro-ids.org). Thus the Bro system can request certain packets or connections from the timemachine.

What's New in This Release:

· The=is release greatly improves performance.
· It can interface with Intrusion Detection Systems, and logging facilities have been extended.

last updated on:
August 14th, 2008, 20:24 GMT
license type:
BSD License 
developed by:
Joint Project of TU Munich, TU Berlin,...
ROOT \ System \ Networking
Download Button

In a hurry? Add it to your Download Basket!

user rating



Rate it!

Add your review!