stenographer

Stenographer is a packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets.

Stenographer


Overview

It is designed to:

  • Write packets to disk very quickly (~10 Gbps on multi-core, multi-disk machines)
  • Store as much history as it can (managing disk usage, keeping longer durations when traffic slows, then deleting the oldest packets when it hits disk limits)
  • Read a very small percentage (<1%) of packets back from disk based on analyst needs

Not designed for:

  • Complex packet processing (TCP stream reassembly, etc)
  • Reading back large amounts of packets (> 1% of packets written)

Querying


Query Language

A user requests packets from Stenographer by specifying them in a very simple query language. This language is a small subset of BPF and includes the primitives:

  • host <IP address>: a literal IP address (hostnames are not allowed and are never resolved); matches source or destination
  • net <network>: a network in CIDR notation, e.g. net 10.0.0.0/8; matches source or destination
  • port <port number>: a TCP or UDP port, source or destination
  • ip proto <number>: IP protocol number (6 for TCP, 1 for ICMP, 17 for UDP)
  • tcp: equivalent to ip proto 6
  • udp: equivalent to ip proto 17
  • Time restrictions: before <time> and after <time>, where the time is either an absolute timestamp (e.g. before 2012-11-03T11:05:00Z) or relative to now (e.g. after 45m ago)

Primitives can be combined with and/or and grouped with parentheses.
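As an added worked example (it is not part of the Stenographer project or of this page), the following Python evaluates queries in this subset against packet metadata and enforces the rules above: host takes a literal IP only, port and ip proto are range-checked, before/after accept an RFC 3339 timestamp or "<n><unit> ago", and a malformed or partially consumed query raises instead of silently matching nothing. Assumptions, labelled in the code: primitives are joined with and/or at equal precedence evaluated left to right, parentheses group, and the Packet fields, the sample packets and the fixed NOW are invented for the example; Stenographer's own parser and on-disk index are not reproduced.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Packet:
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: int        # IP protocol number: 6 TCP, 17 UDP, 1 ICMP
    time: datetime    # capture time, timezone-aware

    def __post_init__(self):   # accept dotted-quad strings when constructing
        self.src, self.dst = ipaddress.ip_address(self.src), ipaddress.ip_address(self.dst)

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}   # relative-time suffixes, in seconds

def _join(op, l, r):   # l and r are bound as parameters, so later rebinding cannot affect the closure
    return (lambda pk: l(pk) and r(pk)) if op == "and" else (lambda pk: l(pk) or r(pk))

class Parser:
    """Turns a query into a predicate over Packet. Assumed here: primitives join with
    and/or at equal precedence, left to right, and parentheses group; parenthesise if in doubt."""

    def __init__(self, query, now):
        self.toks = query.replace("(", " ( ").replace(")", " ) ").split()
        self.pos, self.now = 0, now   # now anchors relative times such as "after 45m ago"

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else ""

    def next(self):
        self.pos += 1
        return self.toks[self.pos - 1] if self.pos <= len(self.toks) else ""

    def expr(self):
        left = self.factor()
        while self.peek() in ("and", "or"):
            left = _join(self.next(), left, self.factor())   # arguments evaluate left to right
        return left

    def number(self, limit):
        tok = self.next()
        if not tok.isdigit() or int(tok) > limit:
            raise ValueError(f"expected a number in 0-{limit}, got {tok!r}")
        return int(tok)

    def timestamp(self):
        tok = self.next()
        if self.peek() == "ago":                        # relative: "<n><unit> ago"
            self.next()
            if not tok[:-1].isdigit() or tok[-1] not in _UNITS:
                raise ValueError(f"bad relative time {tok!r}")
            return self.now - timedelta(seconds=int(tok[:-1]) * _UNITS[tok[-1]])
        return datetime.fromisoformat(tok.replace("Z", "+00:00"))   # absolute RFC 3339

    def factor(self):
        t = self.next()
        if t == "(":
            inner = self.expr()
            if self.next() != ")":
                raise ValueError("missing closing parenthesis")
            return inner
        if t == "host":               # literal IP only: a hostname raises, it is never resolved
            ip = ipaddress.ip_address(self.next())
            return lambda pk: ip in (pk.src, pk.dst)
        if t == "net":                # CIDR only; ip_network raises on anything else
            n = ipaddress.ip_network(self.next(), strict=False)
            return lambda pk: pk.src in n or pk.dst in n
        if t == "port":
            n = self.number(65535)
            return lambda pk: n in (pk.sport, pk.dport)
        if t == "ip" and self.next() == "proto":
            n = self.number(255)
            return lambda pk: pk.proto == n
        if t in ("tcp", "udp"):
            n = 6 if t == "tcp" else 17
            return lambda pk: pk.proto == n
        if t in ("before", "after"):
            ts = self.timestamp()
            return (lambda pk: pk.time < ts) if t == "before" else (lambda pk: pk.time > ts)
        raise ValueError(f"unexpected token {t!r}")

def match(query, packets, now):   # indices of packets selected; malformed or trailing input raises
    p = Parser(query, now)
    pred = p.expr()
    if p.pos != len(p.toks):
        raise ValueError(f"unexpected trailing tokens {p.toks[p.pos:]}")
    return [i for i, pk in enumerate(packets) if pred(pk)]

NOW = datetime(2020, 1, 1, 12, 0, tzinfo=timezone.utc)   # fixed so "after 1h ago" is reproducible
SAMPLE = [   # constructed capture index, not real traffic
    Packet("10.0.0.5", 51000, "93.184.216.34", 443, 6, NOW - timedelta(minutes=10)),
    Packet("10.0.0.5", 53000, "8.8.8.8", 53, 17, NOW - timedelta(hours=2)),
    Packet("10.0.0.7", 0, "192.168.1.1", 0, 1, NOW - timedelta(minutes=30)),
    Packet("172.16.0.9", 40000, "10.0.0.5", 22, 6, NOW - timedelta(hours=5)),
]
```

Call match(query, SAMPLE, NOW). With the assumed left-to-right rule, "port 22 or port 53 and tcp" selects only the SSH packet, because the or is applied before the and; write port 22 or (port 53 and tcp) if the other grouping is meant. Before relying on a compound query against a real Stenographer, confirm the precedence it applies in the project's documentation.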

Stenoread CLI

The stenoread command line script automates pulling packets from Stenographer and presenting them to analysts in a usable format. It requests raw packets from Stenographer, then runs them through tcpdump to provide a more full-featured formatting/filtering experience. The first argument to stenoread is a Stenographer query (see "Query Language" above); all remaining arguments are passed through to tcpdump, so stenoread 'host 10.0.0.1 and port 80 and after 1h ago' -n -w out.pcap selects the packets with the query and lets tcpdump write them to a file.
