Encapcap: Transforming Network Traces to Virtual Networks

Details

DOI: 10.1109/NetSoft51509.2021.9492602
Publication type: Conference paper
Conference: SecSoft 2021: International Workshop on Cyber-Security Threats, Trust and Privacy Management in Software-Defined and Virtualized Infrastructures
Location: Virtual
Online publication date: 2021-07-26

Abstract

Valid and complete network captures are a valuable source when detecting network-based attacks and adversarial data exfiltration techniques like covert channels or performing network forensic investigation. Also in training, testing, benchmarking and algorithm development, the availability of prerecorded, entire packet captures is eminent. Such a packet capture contains the entire packet stream with all incoming and outgoing network packets recorded over a defined period of time. Whereas a large number of recorded packet captures with well-known protocols from physical networks exists, the number of available files focused on virtual networks is low. Yet, virtual networks are taking on an ever greater role in modern environments. The creation of such network traces is a time-consuming and error-prone task, and the inherent behaviour of virtual networks eradicates a straight-forward automation of trace generation in comparison to common networks. In this paper we analyze relevant conditions of modern networks which hamper the generation of valid test captures and propose Encapcap, a tool that transforms given network packets stored in a capture file to virtual network packets. This improves the process of generating real-life packet captures for testing or training in virtual networks. We evaluate Encapcap with several experiments to demonstrate its correctness, usefulness and applicability.

Authors

  • Daniel Spiekermann
    Polizeiakademie Niedersachsen
    Germany
  • Jörg Keller
    FernUniversität in Hagen
    Hagen, Germany