PCAP Forensics
Evidence from before the attack started.
Most capture tools start recording when detection fires. By then you've missed the first wave. Flowtriq runs a 500-packet pre-attack ring buffer continuously. When an incident opens, that buffer becomes the first section of your PCAP: traffic from before the threshold was crossed.
How It Works
The ring buffer captures what others miss
The FTAgent runs a continuous circular ring buffer that holds the last 500 packets seen on the monitored interface. It uses libpcap in non-blocking mode with a small per-packet overhead, keeping CPU impact under 0.5% on any modern server.
The moment detection fires, the ring buffer is frozen and flushed to disk as the opening section of a .pcap file. From that point, live capture continues until the incident resolves or 10,000 total packets are captured (whichever comes first).
On incident resolution, the complete PCAP is uploaded to Flowtriq's secure storage. You get a signed download URL valid for 15 minutes, directly from the incident page. Files are retained for 7 days (365 days on Enterprise).
Sample incident PCAP summary (as shown on the incident page):

SIZE      14.2 MB
PKTS      10,000 (cap reached)
DURATION  09:44:17 → 09:48:02
─── Sections ────────────────────
pre-buffer  500 pkts   (pre-threshold)
attack      9,500 pkts (during incident)
─── Upload ──────────────────────
✓ Uploaded to secure storage
✓ URL valid 15 min (signed)
✓ Retained 7 days
$ wget "https://flowtriq.com/dashboard/pcap_download?token=...
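The capture sequence described above (continuous ring of the last 500 packets, frozen and written out as the first section of the PCAP when detection fires, then live capture until the 10,000-packet cap) can be modelled in a few dozen lines. The following is an added illustration, not FTAgent's own code: it replaces libpcap with constructed in-memory frames, uses a simple sliding-window packet-rate threshold as the stand-in for Flowtriq's detection logic, and writes a standard libpcap file by hand so the output opens in Wireshark or tcpdump. The section names and limits are taken from the page; the trigger threshold and traffic rates are assumptions for the simulation.

```python
"""Model of a pre-attack ring buffer that becomes the opening section of an incident PCAP."""
import collections
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic microsecond-resolution pcap, little-endian
LINKTYPE_ETHERNET = 1


def pcap_global_header(snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """24-byte libpcap file header: magic, version 2.4, tz offset 0, sigfigs 0, snaplen, linktype."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts, data):
    """16-byte per-packet header (sec, usec, captured len, wire len) followed by the frame."""
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(data), len(data)) + data


class RateTrigger:
    """Assumed detector: fires once more than `threshold` packets fall inside a sliding `window` (s)."""
    def __init__(self, threshold, window=1.0):
        self.threshold = threshold
        self.window = window
        self.times = collections.deque()

    def __call__(self, ts):
        self.times.append(ts)
        while self.times and ts - self.times[0] > self.window:
            self.times.popleft()
        return len(self.times) > self.threshold


class PreAttackCapture:
    """Ring of the last `pre_size` packets; on trigger it is frozen and live capture continues to `max_total`."""
    def __init__(self, trigger, pre_size=500, max_total=10_000):
        self.trigger = trigger
        self.ring = collections.deque(maxlen=pre_size)   # oldest packet silently evicted
        self.max_total = max_total
        self.incident = None          # list of (ts, frame) once detection has fired
        self.pre_count = 0

    def feed(self, ts, data):
        if self.incident is None:
            self.ring.append((ts, data))
            if self.trigger(ts):
                # Freeze: the ring (including the packet that crossed the threshold)
                # becomes the pre-buffer section; everything after it is the attack section.
                self.incident = list(self.ring)
                self.pre_count = len(self.incident)
                self.ring.clear()
        elif len(self.incident) < self.max_total:
            self.incident.append((ts, data))
        # Past the cap the incident stays open but no further packets are stored.

    @property
    def open(self):
        return self.incident is not None

    def sections(self):
        if self.incident is None:
            return {}
        return {"pre-buffer": self.pre_count, "attack": len(self.incident) - self.pre_count}

    def to_pcap(self):
        return pcap_global_header() + b"".join(pcap_record(ts, d) for ts, d in (self.incident or []))


def count_pcap_records(blob):
    """Minimal pcap reader: walk the record headers and count packets (sanity check of the file layout)."""
    (magic,) = struct.unpack_from("<I", blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off, n = 24, 0
    while off < len(blob):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", blob, off)
        off += 16 + incl_len
        n += 1
    return n


def simulate(pre_size=500, max_total=10_000, quiet=2_000, flood=12_000):
    """Constructed traffic: `quiet` frames at 100 pps, then `flood` frames at 20,000 pps."""
    cap = PreAttackCapture(RateTrigger(threshold=1_000, window=1.0), pre_size, max_total)
    frame = b"\x00" * 14 + b"\x45" + b"\x00" * 45      # 60-byte placeholder Ethernet/IPv4 frame
    ts = 1_700_000_000.0
    for _ in range(quiet):
        cap.feed(ts, frame)
        ts += 0.01
    for _ in range(flood):
        cap.feed(ts, frame)
        ts += 0.00005
    return cap


if __name__ == "__main__":
    cap = simulate()
    blob = cap.to_pcap()
    print(cap.sections(), len(blob), "bytes", count_pcap_records(blob), "packets")
    with open("incident.pcap", "wb") as f:   # opens directly in Wireshark / tcpdump -r
        f.write(blob)
```

The point to notice is the ordering: the ring is filled unconditionally and only copied out at the moment the trigger fires, so the file's first 500 records predate the threshold crossing, and the cap applies to the file, not to the incident, which stays open after the 10,000th packet.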
Retention & Access
Plans and retention periods
| Plan | Retention | Max file size | Download method |
|---|---|---|---|
| Per Node ($9.99/mo) | 7 days | Unlimited | Signed URL · Console · API |
| Enterprise | Up to 365 days | Unlimited | Signed URL · Console · API · S3 export |
All PCAPs are stored encrypted at rest. Signed download URLs expire after 15 minutes. New URLs can be generated from the incident page at any time within the retention window.
- Encrypted at rest: AES-256 in Flowtriq's secure object storage
- Signed download URLs valid for 15 minutes, regenerable from Console
- Every PCAP download is logged in the immutable audit trail
- Compatible with Wireshark, tcpdump, Zeek, Suricata, and all standard tools
- Enterprise: S3-compatible export to your own bucket for long-term archival
FAQ
Common questions about PCAP
Does running the ring buffer affect my server's performance?
The pre-attack ring buffer uses libpcap in a separate thread with low-priority CPU scheduling. On a modern server, overhead is under 0.5% CPU and approximately 2–4 MB of RAM for the 500-packet buffer. It does not intercept or delay traffic in any way; it's a passive read-only capture.
What happens if the attack lasts longer than 10,000 packets?
The PCAP cap is a safety limit to prevent runaway disk usage during very long floods. The captured 10,000 packets (including the pre-attack buffer) contain more than enough forensic data to identify the attack source, type, and tooling. The incident remains open and statistics continue to be reported even after the packet cap is hit.
Can I trigger a PCAP capture manually without an attack?
Yes. The Flowtriq API and Console support on-demand capture for any node. Manual captures run for 30 seconds or 10,000 packets (whichever comes first) and are stored the same way as incident PCAPs.
Does PCAP capture work on virtual machines and containers?
Yes, provided the FTAgent has permission to open a raw socket (typically CAP_NET_RAW capability or root). On containers, this usually means running with --cap-add NET_RAW. The agent will warn on startup if it doesn't have sufficient privileges for PCAP and will fall back to statistics-only mode.
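The startup privilege check described in the answer above can be reproduced from userland by reading the effective capability mask in /proc/self/status: CAP_NET_RAW is capability number 13, so bit 13 of the CapEff value decides between full PCAP and statistics-only mode. The following is an added example, not FTAgent's own code; the three status snippets are constructed samples, and the mode names are taken from the page.

```python
"""Decide PCAP vs statistics-only mode from the process's effective capabilities (Linux)."""

CAP_NET_RAW = 13   # capability number as defined in <linux/capability.h>


def effective_caps(status_text):
    """Parse the CapEff line of a /proc/<pid>/status dump into an int bitmask."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapEff line in status text")


def has_cap_net_raw(status_text):
    return bool((effective_caps(status_text) >> CAP_NET_RAW) & 1)


def capture_mode(status_text):
    """Mirror the described behaviour: full pcap when CAP_NET_RAW is held, otherwise statistics-only."""
    return "pcap" if has_cap_net_raw(status_text) else "statistics-only"


def capture_mode_for_self():
    """Check the running process (Linux only); the same logic an agent would run at startup."""
    with open("/proc/self/status") as f:
        return capture_mode(f.read())


# Constructed samples of the relevant /proc status lines.
ROOT_STATUS = "Name:\tftagent\nCapEff:\t000001ffffffffff\n"       # full capability set
UNPRIV_STATUS = "Name:\tftagent\nCapEff:\t0000000000000000\n"     # no capabilities at all
NET_RAW_ONLY_STATUS = "Name:\tftagent\nCapEff:\t0000000000002000\n"  # only bit 13 set

if __name__ == "__main__":
    for name, status in [("root", ROOT_STATUS), ("unprivileged", UNPRIV_STATUS),
                         ("--cap-add NET_RAW", NET_RAW_ONLY_STATUS)]:
        print(f"{name:>18}: {capture_mode(status)}")
```

The third sample is what a container started with only `--cap-add NET_RAW` looks like: a single set bit is enough for raw-socket capture, which is the least-privilege configuration to prefer over running the agent as root.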