PacketCache is a free Windows service designed to continuously monitor the network interfaces of a computer and store the captured packets in memory (RAM). The idea is to make full-content packets available for post-event incident response and network forensic analysis. PacketCache can be used either as a complement to solutions for centralized network packet capturing, or without any other network monitoring solution in place.
By default PacketCache reserves 1% of a computer's total physical memory for storing packets. A computer with 4 GB of RAM will thereby allow up to 40 MB of packets to be kept in memory. This might not seem like much, but PacketCache relies on a clever technique that allows it to store only the most important packets. With this technique just 40 MB of storage can be enough to store several days worth of “important” packets.
The “clever technique” we refer to is actually a simple way of removing packets from TCP and UDP sessions as they get older. This way recent communication can be retained in full, while older data us truncated at the end (i.e. only the last packets are removed from a session).
|Signed by:||Netresec AB|
Follow these steps to install PacketCache:
The easiest way to read packets from PacketCache is by using CapLoader:
Reading PacketCache with PowerShell
Alternatively, here's a simple PowerShell script that can be used to read packets from PacketCache:
Please note that PacketCache only provides data to users with local admin privileges, so you will have to run the PowerShell script as administrator in order to read the captured packets.
Reading PacketCache with Wireshark
It is also possible to read packets from PacketCache directly from Wireshark (version 2.3 or later required). Please read our blog post "Reading cached packets with Wireshark" for an in-detail description, or follow these steps:
Q: If packets are stored in RAM, will all historical traffic be lost when my computer is rebooted?
A: No, PacketCache is designed to dump the packets from RAM into an encrypted file upon reboot. This file will then be read back into RAM when the computers boots up again.
Q: Is it possible to allocate more than 1% of my memory for PacketCache?
A: Yes, when registering PacketCache.exe with sc, simply append a number as an argument to the PacketCache command. For example, in order to allow up to 5% of RAM to be used, register the PacketCache service like this:
Q: Is PacketCache free? Can I use this software commercially?
A: Yes, and yes. PacketCache is released under a Creative Commons Attribution-NoDerivatives 4.0 International License, which means that you can copy and redistribute PacketCache in any medium or format for any purpose, even commercially.
Please feel free to contact info[at]netresec.com or @netresec if you have any additional questions regarding PacketCache!