Packet capture is the first step of network forensics: only after it has been confirmed that the forensic system correctly records the packets on the monitored network can the information those packets carry be reassembled and analysed. As network bandwidth keeps growing, a high-traffic environment can be handled not only by buying more expensive hardware but also through the design of the system software. It therefore becomes increasingly important how, on the same hardware and operating-system platform, a Distributed-Buffer Packet Capture Architecture can reduce packet loss and thereby raise the reliability of a Linux-based network forensic system. This study improves the packet capture performance of the free packet capture library Libpcap under Linux. It concentrates on packets lost during capture because the capture buffer fills up faster than it is drained (the "buffer overflow" meant here is an overrun of the capture buffer, not a memory-safety fault), proposes a more effective system design to improve capture performance, and uses the packet-loss ratio to evaluate the system.
Packet capture is the first step in network forensics. Only after every packet has been captured can the packets be reassembled into network sessions and the information in those sessions analysed. With increasing network bandwidth, how to capture packets on high-speed networks and reduce packet loss has become an important issue. In this paper we try to improve the performance of the packet capture library Libpcap under the Linux operating system by tuning the Linux kernel and by a new packet capture architecture, the Multi-Buffer Packet Capture Architecture. We implement this Multi-Buffer Packet Capture System and evaluate its performance by the percentage of lost packets.
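The following simulation is an added example and is not the thesis's own code or its measurement setup. It models the effect the abstract describes: bursty arrivals, an analysis stage that drains packets at a fixed rate, and a capture stage that writes into one of several fixed-size buffers and counts a packet as lost when the active buffer is full and the next buffer has not yet been emptied. The buffer hand-off rule, the constructed traffic trace (bursts of 6 packets followed by 2 idle steps, 120 packets over 60 steps) and the drain rate of 2 packets per step are assumptions chosen so that the average arrival rate equals the consumer's throughput; the loss ratio is then computed the same way the thesis evaluates its system, as dropped packets over packets received.

```c
/*
 * Added example, not code from the thesis: a deterministic model of a
 * multi-buffer packet capture pipeline, used to compare the packet-loss
 * ratio of one capture buffer against several buffers of the same size.
 *
 * Assumed model:
 *  - the capture stage appends each arriving packet to the active buffer;
 *    when that buffer is full it moves on to the next buffer only if the
 *    next buffer is empty, otherwise the packet is counted as lost;
 *  - the analysis stage removes up to `drain` packets per step and finishes
 *    one buffer before moving to the next.
 */
#include <stdio.h>
#include <string.h>

#define MAX_BUFFERS 16
#define STANDARD_STEPS 60

typedef struct {
    long received;   /* packets offered to the capture stage */
    long captured;   /* packets that found room in a buffer */
    long dropped;    /* packets lost because no buffer was free */
} capture_stats;

/* Simulate nsteps time steps; arrivals[i] is the packet count in step i. */
static capture_stats simulate(int nbuf, int cap, int drain,
                              const int *arrivals, int nsteps)
{
    int fill[MAX_BUFFERS] = {0};
    int w = 0, r = 0;            /* capture (writer) and analysis (reader) index */
    capture_stats st = {0, 0, 0};

    if (nbuf < 1 || nbuf > MAX_BUFFERS || cap < 1) { st.dropped = -1; return st; }

    for (int step = 0; step < nsteps; step++) {
        /* capture stage: store each arriving packet or record the loss */
        for (int p = 0; p < arrivals[step]; p++) {
            st.received++;
            if (fill[w] == cap) {
                int next = (w + 1) % nbuf;
                if (fill[next] != 0) { st.dropped++; continue; }  /* overrun */
                w = next;
            }
            fill[w]++;
            st.captured++;
        }
        /* analysis stage: drain up to `drain` packets, oldest buffer first */
        int budget = drain;
        while (budget > 0) {
            if (fill[r] == 0) {
                if (r == w) break;       /* nothing left to analyse */
                r = (r + 1) % nbuf;      /* buffer finished, hand it back */
                continue;
            }
            int take = fill[r] < budget ? fill[r] : budget;
            fill[r] -= take;
            budget -= take;
        }
    }
    return st;
}

/* Loss ratio as the thesis evaluates it: dropped / received. */
static double loss_ratio(capture_stats st)
{
    return st.received ? (double)st.dropped / (double)st.received : 0.0;
}

/* Constructed traffic: `burst` packets, then `idle` quiet steps, repeated. */
static int build_bursty_trace(int *trace, int nsteps, int burst, int idle)
{
    int total = 0;
    for (int i = 0; i < nsteps; i++) {
        trace[i] = (i % (idle + 1) == 0) ? burst : 0;
        total += trace[i];
    }
    return total;
}

/* Run the standard constructed trace (60 steps, bursts of 6 with 2 idle
 * steps, 120 packets, average 2 packets/step) through one configuration. */
static capture_stats run_standard_trace(int nbuf, int cap, int drain)
{
    int trace[STANDARD_STEPS];
    build_bursty_trace(trace, STANDARD_STEPS, 6, 2);
    return simulate(nbuf, cap, drain, trace, STANDARD_STEPS);
}

int main(void)
{
    int configs[][2] = { {1, 4}, {2, 4}, {1, 8}, {4, 2} };   /* {buffers, packets per buffer} */
    for (int i = 0; i < (int)(sizeof configs / sizeof configs[0]); i++) {
        capture_stats st = run_standard_trace(configs[i][0], configs[i][1], 2);
        printf("%d buffer(s) x %d packets: lost %ld of %ld (%.1f%%)\n",
               configs[i][0], configs[i][1], st.dropped, st.received,
               100.0 * loss_ratio(st));
    }
    return 0;
}
```

With a consumer that keeps up on average, a single 4-packet buffer still loses one third of the traffic because each burst overruns it, while two 4-packet buffers, one 8-packet buffer, or four 2-packet buffers lose nothing: what matters is the total buffering available to absorb a burst, and the multi-buffer layout lets the analysis stage work on a finished buffer while capture fills another. Lowering the drain rate below the average arrival rate makes every configuration lose packets, which is the case no buffering can fix.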