Why Collect Full Content Data?
I recently received the following via email:

I am writing a SANS Gold paper on a custom full packet capture system using Linux and tcpdump. It is for the GSEC Certification, so my intent is to cover the reasons why to do full packet capture and the basic set up of a system (information that wasn't readily available when setting my system up)... I am already referencing The Tao of Network Security Monitoring. These are the questions that I came up with based on questions other peers have asked me...

Here are the questions, followed by my answers. Most of this is covered in my previous books and blog posts, but for the sake of brevity I'll try posting short, stand-alone responses.

As an information security analyst in today's threat landscape, why would I want to do full packet capture in my environment? What value does it have?

Full content data, or capturing full packets, provides the most flexibility and granularity when analyzing network-centric data. Unlike vario
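The granularity argument above is easiest to see with a packet in hand. The following is an added example, not code from the post or from the Gold paper it discusses: it builds one constructed Ethernet/IPv4/TCP frame carrying an HTTP request, writes it into a classic pcap file twice (once at a full snaplen, once truncated to 68 bytes, the snaplen older tcpdump releases defaulted to), and then reads both back. The 5-tuple and byte counts, which is all session or flow data would give you, are identical in both captures; only the full content capture still contains the Host header an analyst would pivot on. The IP addresses, ports and the HTTP request are all made up for the example; checksums are left at zero because the parser never validates them.

```python
"""Full content vs. session summary from a pcap, stdlib only (added example)."""
import struct
import ipaddress

LINKTYPE_ETHERNET = 1
FULL_SNAPLEN = 262144   # "tcpdump -s 0" style: keep whole frames
SHORT_SNAPLEN = 68      # historical tcpdump default: headers only

# Constructed sample request; nothing here was captured from a real host.
HTTP_REQUEST = (b"GET /login HTTP/1.1\r\n"
                b"Host: intranet.example.com\r\n"
                b"User-Agent: curl/8.0\r\n\r\n")


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums are zero (assumed fine for parsing)."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"              # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1,
                      5 << 4, 0x18, 65535, 0, 0) + payload      # 20-byte header, PSH|ACK
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + tcp


def build_pcap(frames, snaplen):
    """Classic pcap (magic 0xa1b2c3d4); each frame truncated to snaplen, as tcpdump -s would."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(captured), len(frame)) + captured
    return out


def read_pcap(data):
    """Yield (orig_len, captured_bytes) per record. Little-endian microsecond pcap only."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic")
    _snaplen, linktype = struct.unpack_from("<II", data, 16)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield orig_len, data[off:off + incl_len]
        off += incl_len


def parse_tcp(captured):
    """Decode Ethernet/IPv4/TCP headers; return 5-tuple plus whatever payload survived."""
    if len(captured) < 54:                       # not even full fixed headers
        return None
    if struct.unpack_from("!H", captured, 12)[0] != 0x0800:
        return None
    ip = captured[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                               # not TCP
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    doff = (tcp[12] >> 4) * 4
    return {"src": str(ipaddress.IPv4Address(ip[12:16])), "sport": sport,
            "dst": str(ipaddress.IPv4Address(ip[16:20])), "dport": dport,
            "payload": tcp[doff:]}


def http_host(payload):
    """Host header, or None if the header block is incomplete (e.g. cut by a short snaplen)."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    for line in head.split(b"\r\n")[1:]:
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def analyze(pcap_bytes):
    """Session-style summary of each TCP packet plus what only full content can answer."""
    results = []
    for orig_len, captured in read_pcap(pcap_bytes):
        hdr = parse_tcp(captured)
        if hdr is None:
            continue
        results.append({"src": hdr["src"], "sport": hdr["sport"],
                        "dst": hdr["dst"], "dport": hdr["dport"],
                        "orig_len": orig_len, "captured_len": len(captured),
                        "host": http_host(hdr["payload"])})
    return results


if __name__ == "__main__":
    frames = [build_frame("10.0.0.5", "192.0.2.10", 51234, 80, HTTP_REQUEST)]
    for label, snaplen in (("full content", FULL_SNAPLEN), ("68-byte snaplen", SHORT_SNAPLEN)):
        for rec in analyze(build_pcap(frames, snaplen)):
            print(label, rec)
```

Both runs report the same 10.0.0.5:51234 to 192.0.2.10:80 session of 127 bytes, which is exactly what a flow record would show; the truncated capture keeps only 68 of those bytes and returns no Host header, while the full content capture lets you name the web application that was touched. That difference is the flexibility the answer refers to: you can always derive session data from full content, but never the reverse.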