
PacketCache

PacketCache is a free Windows service designed to continuously monitor the network interfaces of a computer and store the captured packets in memory (RAM). The idea is to make full-content packets available for post-event incident response and network forensic analysis. PacketCache can be used either as a complement to solutions for centralized network packet capturing, or without any other network monitoring solution in place.

3 good reasons to run PacketCache

How PacketCache works

By default PacketCache reserves 1% of a computer's total physical memory for storing packets. A computer with 4 GB of RAM will thereby allow up to 40 MB of packets to be kept in memory. This might not seem like much, but PacketCache relies on a clever technique that allows it to store only the most important packets. With this technique just 40 MB of storage can be enough to store several days' worth of “important” packets.

The “clever technique” we refer to is actually a simple way of removing packets from TCP and UDP sessions as they get older. This way recent communication can be retained in full, while older data is truncated at the end (i.e. only the last packets are removed from a session).

Product name: PacketCache
Latest version: 0.9.2.0
Download URL: https://www.netresec.com/?download=PacketCache
SHA256: 067CEEF6630C52DCA543D35D5F0327EFCA2108713EFC6E827A64A9724BDC04FE
SHA1: E7AF5D13FAFE0E1A2CC9DAE3C1285BC7B5D4601F
Signed by: Netresec AB

Installation

Follow these steps to install PacketCache:


Reading packets captured by PacketCache

The easiest way to read packets from PacketCache is by using CapLoader:



Reading PacketCache with PowerShell

Alternatively, here's a simple PowerShell script that can be used to read packets from PacketCache:

# Open a client handle to the local PacketCache named pipe (read direction only)
$pipeStream = new-object System.IO.Pipes.NamedPipeClientStream '.','PacketCache','In';
# The pipe delivers a pcap stream, so it can be written straight to a .pcap file
$file = [System.IO.File]::OpenWrite('PacketCache.pcap');
try {
    $pipeStream.Connect(1000);   # wait up to 1000 ms for the service to accept the connection
    $buffer = new-object byte[] 4096;
    $n = $pipeStream.Read($buffer, 0, $buffer.Length);
    while ($n -gt 0) {           # Read returns 0 when the service has sent all cached packets
        $file.Write($buffer, 0, $n);
        $n = $pipeStream.Read($buffer, 0, $buffer.Length);
    }
}
finally {
    $file.Close();
    $pipeStream.Dispose();
}

Please note that PacketCache only provides data to users with local admin privileges, so you will have to run the PowerShell script as administrator in order to read the captured packets.
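As an added example (not part of the original page and not Netresec's own tooling), the same pipe can be drained from Python and the result checked for being a well-formed pcap stream before it is handed to an analyst: the parser reports link type, packet count, first and last timestamps, and whether the final record was cut short (which is what you would see if the pipe closed mid-packet). It assumes that \\.\pipe\PacketCache can be opened like a byte-stream file on Windows; the sample pcap is constructed inline so the parser can be exercised anywhere.

```python
import struct
from datetime import datetime, timezone

PIPE_PATH = r"\\.\pipe\PacketCache"  # the named pipe named on the page; Windows only

# pcap magic values as seen when the first 4 bytes are read little-endian:
# (byte order of the rest of the file, timestamp fraction scale)
_MAGICS = {0xA1B2C3D4: ("<", 1e6), 0xA1B23C4D: ("<", 1e9),
           0xD4C3B2A1: (">", 1e6), 0x4D3CB2A1: (">", 1e9)}

def parse_pcap(data: bytes) -> dict:
    """Validate a classic pcap stream and summarise it (packet count, time span,
    link type, and whether the last record was truncated)."""
    if len(data) < 24:
        raise ValueError("stream shorter than a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in _MAGICS:
        raise ValueError("not a pcap stream: magic 0x%08X" % magic)
    end, scale = _MAGICS[magic]
    vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    off, count, first, last, truncated = 24, 0, None, None, False
    while off < len(data):
        if off + 16 > len(data):
            truncated = True            # partial record header at the end of the stream
            break
        sec, frac, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        if off + 16 + incl > len(data):
            truncated = True            # packet bytes cut short (e.g. pipe closed early)
            break
        ts = sec + frac / scale
        first = ts if first is None else first
        last = ts
        count += 1
        off += 16 + incl
    return {"version": (vmaj, vmin), "linktype": linktype, "snaplen": snaplen,
            "packets": count, "first": first, "last": last, "truncated": truncated}

def read_packetcache(path: str = PIPE_PATH, chunk: int = 4096) -> bytes:
    """Drain the PacketCache pipe into memory (assumption: the pipe opens like a
    byte-stream file; run elevated, since the service only answers local admins)."""
    with open(path, "rb") as pipe:
        return b"".join(iter(lambda: pipe.read(chunk), b""))

def build_sample_pcap() -> bytes:
    """Constructed sample: a little-endian pcap with two tiny Ethernet frames."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = [(1_700_000_000, 0, b"\x00" * 14), (1_700_000_060, 500_000, b"\xff" * 20)]
    recs = b"".join(struct.pack("<IIII", s, u, len(p), len(p)) + p for s, u, p in frames)
    return hdr + recs

if __name__ == "__main__":
    s = parse_pcap(read_packetcache())
    print(f"{s['packets']} packets, {datetime.fromtimestamp(s['first'], timezone.utc)} .. "
          f"{datetime.fromtimestamp(s['last'], timezone.utc)}, truncated={s['truncated']}")
```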


Reading PacketCache with Wireshark


It is also possible to read packets from PacketCache directly from Wireshark (version 2.3 or later required). Please read our blog post "Reading cached packets with Wireshark" for a detailed description, or follow these steps:

  1. Start Wireshark with admin rights (right-click > “Run as administrator”)
  2. Press: Capture > Options
  3. Click “Manage Interfaces...”
  4. Select the “Pipes” tab
  5. Press the “+” button to add a named pipe
  6. Name the pipe “\\.\pipe\PacketCache” and press ENTER to save it
  7. Press “OK” in the Manage Interface window.
  8. Press “Start” to read the packets from PacketCache

Benefits/Pros


Limitations

Frequently Asked Questions (FAQ)

Q: If packets are stored in RAM, will all historical traffic be lost when my computer is rebooted?
A: No, PacketCache is designed to dump the packets from RAM into an encrypted file upon reboot. This file will then be read back into RAM when the computer boots up again.

Q: Is it possible to allocate more than 1% of my memory for PacketCache?
A: Yes, when registering PacketCache.exe with sc, simply append a number as an argument to the PacketCache command. For example, in order to allow up to 5% of RAM to be used, register the PacketCache service like this:

sc create PacketCache binPath= "C:\Program Files\PacketCache\PacketCache.exe 5" start= auto

Q: Is PacketCache free? Can I use this software commercially?
A: Yes, and yes. PacketCache is released under a Creative Commons Attribution-NoDerivatives 4.0 International License, which means that you can copy and redistribute PacketCache in any medium or format for any purpose, even commercially.


Please feel free to contact info[at]netresec.com or @netresec if you have any additional questions regarding PacketCache!