Packet capture is quite simply the process of nabbing the packets of data that are traveling through a computer network. With a normal packet capture, only the auxiliary data contained in a packet's header, such as the address information or the Internet Protocol (IP) format of the packet, is collected. In the case of deep packet capture (DPC), the entire packet, both header information as well as the actual data payload, is acquired. The process is also often referred to as packet sniffing.
Whichever method of packet capture, the process can take place on any of the layers of the open systems interconnect (OSI) model above layer one, the physical layer, since the physical layer only works with bits in the form of electrical signals. Packet capture doesn't occur until those streams of ones and zeros are converted back into data packets that can then be gathered. Over any given network interface, collection can only happen for packets destined for the address belonging to that interface unless the interface is configured for what's known as promiscuous mode. A network interface acting promiscuously is capable of capturing not only its own packets, but those destined for others as well.
When a network administrator wishes to acquire the packets coming across a network interface, he has the option of a complete collection or a filtered collection. A complete collection has no boundaries, so any and all packets crossing the interface are grabbed. When filtering packets, however, they are evaluated as they traverse the interface and only certain packets that meet specific criteria are collected. This allows the administrator to store only the types of packets he's interested in or packets heading to certain addresses. Filtered collections also conserve hardware resources and can be used to round up packets that may be needed later to prove culpability.
There are many purposes behind packet capture, all of which revolve around the notion of deep packet inspection (DPI). As packets are acquired, they are inspected and analyzed for many reasons, most of which involve intrusion detection, data security and integrity, or network performance, though some nefarious purposes of packet capture do exist. As a result, strong concerns over privacy can arise when considering deep packet capture and inspection.
When the process of analysis needs to take place, it can happen immediately, as the packets are actually moving across the interface so that the packet capture and inspection software can make decisions. Alternatively, they can be stored on a computer's hard drive indefinitely. In the case of real-time analysis, the packets can only be evaluated against known security issues or concerns, whereas when collected in storage, they can be analyzed later by data forensics specialists to help determine when or how a security breach occurred.
There are numerous packet capture programs available. Some network hardware manufacturers include the capability in their devices, such as the built-in packet capture features in the Internetwork Operating System (IOS), provided on Cisco Systems® hardware. Packet sniffers exist in many forms, however, from simple collection to more detailed analysis. Many of the most popular packet sniffers are open source software projects such as Wireshark and WinPcap, which not only capture packets, but also handle packet inspection and analysis tasks as well. They are updated frequently by a diverse community to keep abreast of the most recent security issues.