Question on modules, decryption and packet capture


#1

Trying to understand the benefit of the three items mentioned in the title. Is there a partner resource that dives deeper into modules with possible use cases? Not just a chart showing what’s available, but an explanation of what benefit they offer? How do you know what’s needed in a given environment? For example, If you purchase Discover with base license, will it identify NAS traffic - CIFS/SMB? If so, what additional benefit does the “NAS module” provide?

I now see a packet capture module available for Discover. I thought Discover did not capture packets and a Trace appliance was required for packet capture?

Are there any sample use cases available for the SSL Decryption module?


#2

I think the short answer for modules and decryption has to do with L7 payload analysis (vs just protocol classification).

An Extrahop Discover Appliance (EDA) with the base license will classify NAS traffic (including CIFS/SMB and NFS), which lets you report on byte/packet counts and see the source/destination.

The NAS Module lets you see the content of those NAS conversations, which lets you report on:

  • how many discrete transactions (i.e. requests / responses) there are in that bidirectional stream of classified packets
  • what error codes are contained in the responses
  • how long the transactions take to complete - both the request/response transfer time, and the server processing time
  • isolate the network Round Trip Time for just NAS transactions on a machine (i.e. separate from an ‘all up’ network RTT for the whole File Server, which would also include traffic unrelated to it’s primary role of serving files)
  • other things

The idea behind SSL Decryption is similar: the EDA can’t pull the above details out of a conversation unless the conversation is being decrypted (or it’s already in the clear). Chances are the traffic in your environment with the highest analytical value for an EDA is being encrypted because it’s related to important business transactions.

The Extrahop Trace Appliance is a packet capture ‘easy button’ - because it’s continuously capturing everything you send it and it doesn’t require writing any policies (triggers) ahead of time. The Precision Packet Capture feature on an EDA lets you capture just the packets you want based conditions you specify in a trigger.

Precision PCAP Example from the Trigger API Reference:

// EVENT: HTTP_REQUEST
// capture facebook HTTP traffic flows
if (HTTP.uri.indexOf("www.facebook.com") !== -1) {
   var name = "facebook-" + HTTP.uri;
   //packet capture options: capture 20 packets, up to 10 from the lookback buffer
   var opts = {
      maxPackets: 20,
      maxPacketsLookback: 10
   };
   Flow.captureStart(name, opts);
}

Detailed Precision PCAP walkthrough here: https://docs.extrahop.com/current/walkthrough-pcap/


#3

The following part where it will have the following process that must be getting the perfect way to manage it so can’t load xpcom will able to proceed it.