Capture

From Computing and Software Wiki

Revision as of 22:45, 23 March 2008 by Khalats (Talk)

An IDS must use some method to capture the relevant data before it can analyze it.

pcap consists of an application programming interface (API) for capturing network traffic. Unix-like systems implement pcap in the libpcap library (packet capture library); Windows uses a port of libpcap known as WinPcap.

Monitoring software may use libpcap and/or WinPcap to capture packets travelling over a network and, in newer versions, to transmit packets on a network at the link layer, as well as to get a list of network interfaces for possible use with libpcap or WinPcap.

libpcap and WinPcap also support saving captured packets to a file, and reading files containing saved packets; applications can be written, using libpcap or WinPcap, to be able to capture network traffic and analyze it, or to read a saved capture and analyze it, using the same analysis code. A capture file saved in the format that libpcap and WinPcap use can be read by applications that understand that format.

libpcap and WinPcap provide the packet-capture and filtering engines of many open-source and commercial network tools, including protocol analyzers (packet sniffers), network monitors, network intrusion detection systems, traffic-generators and network-testers.


libpcap gets its data from the data link layer.

(Whichever layer you take your input from, you can decode upward from that layer all the way up the protocol stack.)


packet capture library:

- data link layer

- firewall


Filters are applied to the captured data so that you sniff only the traffic you want.

Examples:

- everything but UDP

- all packets carried over TCP and using port 80
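As an added example (not part of the original wiki page), the following Python reads the on-disk format that libpcap and WinPcap save, decodes each frame upward from the data link layer (Ethernet to IPv4 to transport ports), and applies the two filters listed above. The frames and the capture file are constructed inline as test data; the layout constants follow the classic pcap format (magic 0xa1b2c3d4, 24-byte global header, 16-byte record header).

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1            # link-layer header type: Ethernet
IPPROTO_TCP, IPPROTO_UDP = 6, 17

def ipv4_frame(proto, sport, dport):
    """Constructed Ethernet/IPv4 frame with only the port fields of the L4 header filled."""
    eth = bytes(12) + b"\x08\x00"                        # zero MACs, EtherType IPv4
    l4 = struct.pack("!HH", sport, dport) + bytes(16 if proto == IPPROTO_TCP else 4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + l4

def pcap_file(frames):
    """Serialize frames in the format libpcap/WinPcap write to disk (constructed sample)."""
    gh = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = b"".join(struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return gh + recs

def read_pcap(data):
    """Parse the global header, then yield (timestamp, frame) for every record."""
    magic, _major, _minor, _tz, _sig, _snaplen, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported pcap file")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len

def decode(frame):
    """Walk up from the link layer: Ethernet -> IPv4 -> transport ports; None if not IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4                          # IPv4 header length in bytes
    proto, l4 = frame[14 + 9], frame[14 + ihl:]
    if proto not in (IPPROTO_TCP, IPPROTO_UDP) or len(l4) < 4:
        return {"proto": proto}
    sport, dport = struct.unpack("!HH", l4[:4])
    return {"proto": proto, "sport": sport, "dport": dport}

# The two filter examples from the text, expressed as predicates over decoded packets.
FILTERS = {
    "not udp": lambda p: p["proto"] != IPPROTO_UDP,
    "tcp and port 80": lambda p: p["proto"] == IPPROTO_TCP and 80 in (p.get("sport"), p.get("dport")),
}

def apply_filter(data, expr):
    """Return the decoded packets from a pcap file that match the named filter."""
    return [p for _ts, f in read_pcap(data) if (p := decode(f)) and FILTERS[expr](p)]

SAMPLE = pcap_file([ipv4_frame(IPPROTO_UDP, 5353, 53),       # constructed: DNS-like UDP
                    ipv4_frame(IPPROTO_TCP, 40000, 80),      # constructed: HTTP-like TCP
                    ipv4_frame(IPPROTO_TCP, 40001, 443)])    # constructed: HTTPS-like TCP
```

Because a real capture file uses the same header layout, `read_pcap` and `apply_filter` work unchanged on bytes read from a file saved by libpcap or WinPcap, which is the "same analysis code for live and saved traffic" property the text describes.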
