Overview

The USC10G3 provides full wirespeed packet capture up to 10Gbps and its uses are numerous. Whether deployed in corporate, banking, healthcare, university or government settings, the USC10G3’s secure and flexible operation aids in the management, auditing and troubleshooting of data networks, easing the workload and increasing the effectiveness of busy IT network administrators. An indispensable cybersecurity and diagnostics tool that reduces the time-to-resolution of network events, the USC10G3 remains effective and relevant for the long-term, through and beyond the development of new malware variants and hacking techniques.

Combining 2 10-Gbps ports, 4 1-Gbps ports and 24 TB continuous-loop storage with ease of use, the USC10G3 is a packet capture powerhouse with extreme flexibility, capable of monitoring up to six networks in dedicated SPAN/mirror mode and up to three in inline mode (read a comparison of inline and SPAN capture). A peak capture speed of 10 Gbps and minimum sustained capture speed of 5 Gbps (at 6 million packets per second) ensure reliable, full capture of every packet header and payload.

The USC10G3 is truly operational straight out of the box: connect it to the network, power it up and it automatically starts passing and recording traffic – no configuration required. Launch the supplied Windows-based menu-driven management utility when ready and answer the simple questions to retrieve data or check status (management utilities for Linux environments). The USC10G3 is technology at its best: it handsomely fulfills a complex task, has broad usability and integrates easily into the existing network environment. Its key features include:

• A sustained recording speed of 5 Gbps @ 6,000,000 packets per second (5.925 Gbps including overhead) and peak speed of 10 Gbps ensure you capture every packet, every time.*
• Automatic / manual bypass ensures continued network operations even in the event the appliance loses power or malfunctions.
• GPS time synchronization enables extremely accurate timestamping, with a precise resolution of 1/1,000,000 of a second.
• 24TB integrated continuous-loop deep packet capture with 20,000-bit encryption for long-term, secure storage of large amounts of network data allows the retention of real historical network traffic, crucial for contextual analysis and network management.
• Retrieve packet capture data by date, time, IP address and MAC address, locally or remotely without taking the appliance offline.
• A stealthy network profile hides the USC10G3’s presence on the network for extra security and ease of installation.
• High-speed capture-to-disk with on-the-fly packet indexing for quicker data retrieval.

GPS time synchronization ensures that the data captured by the USC10G3 is accurately timestamped, which, along with high-resolution timestamping to one one-millionth of a second, enables exacting event reconstruction and assists in the forensic analysis of the data. For additional data management and analytics features, the USC10G4 integrates with our management and analytics server.

Like all our IPCopper packet capture appliances, the USC10G3 incorporates robust security features in its compact, stylish package, including electronic invisibility, encryption and physical access controls, as well as a tamperproof metal enclosure.

*How we tested the USC10M2's speed: We conducted two tests, using a separate IPCopper unit to create a sampling of 2 billion UDP packets with 64-byte payloads. For the first test the USC10M2 was in inline mode (both receiving and sending). We observed that the packets were received by the test unit, correctly sequenced, and subsequent analysis of the captured data showed that the packets were encrypted, indexed and stored in the correct sequence. For the second test, the USC10M2 was placed in SPAN/mirror mode (receiving only). With both tests we observed zero errors and also observed that the count of good packets matched the total number of packets sent. During testing we observed that the unit was able to successfully capture, forward, encrypt, index and store over 6 million packets per second, with an observed, sustained storage rate of up to 5.925 Gbps (including timestamps and other overhead) and a useful payload of over 5 Gbps (including headers for ARP, IP and UDP).

Bypass

With any network appliance there is always the niggling, unwelcome question of "how big a headache will I have if it fails?" The USC10G3’s bypass handily answers this question in the most delightful way. In the event the USC10G3 loses power or otherwise malfunctions, it will automatically switch into bypass mode and continue passing traffic, even if it isn’t able to record it. In effect, the USC10G3 removes itself from the network without any user effort required and without any damaging disruption to network operations.

Bypass mode creates exciting possibilities for deployment. You can deploy it on critical links where you need 24/7 or only occasional visibility, yet be assured that if the worst happens and the appliance fails or someone unwittingly unplugs it from power, the network will continue to function. At worst, the unit won’t be able to capture anything, but it won’t bring a halt to network traffic.

Bypass mode gives you great flexibility, allowing the USC10G3 to be placed proactively at any network location that you may want to monitor in the future, or only monitor intermittently. You can also manually turn bypass mode on and off, as needed, without sacrificing security due to our patent pending technology that allows remote access via an encrypted connection.

In the case of loss of power, bypass mode kicks in practically instantaneously, allowing the USC10G3 to pass network traffic even if it is OFF. In the event the unit malfunctions, a watchdog timer ensures that the port pairs switch over into bypass mode to prevent network interruptions. Depending on the particular packets passing through at the time, it may take one to six seconds for the switch to take effect after a malfunction – ranging from unnoticeable to little more than a hiccup for most equipment communicating along the network path.

Secure OS

We built our secure operating system from the ground up, with a focus on data security, speed and accuracy of capture. The proprietary multi-core software powering the USC10G3 runs in parallel directly on the IPCopper hardware.

With Packet Capture, Speed and Accuracy Go Hand in Hand

It goes without saying that the USC10G3 captures packets exactly as they arrive, in their entirety. Just as important are the speed of processing and accuracy of timestamping. Accurate timestamping is fundamental to accurate packet capture, and accurate timestamping is one of the things that sets IPCopper apart. The USC10G3 can capture, relay, encrypt and record a minimum of 6,000,000 packets per second. While others may operate on a scale of milliseconds, IPCopper OS operates on a nano scale.

The unnecessary overhead generated in other systems results in lost accuracy, skewed timestamping, diminished performance, increased heat generation and, ultimately, lost packets.

IPCopper’s operating system, on the other hand, is like a well-tuned orchestra. Many things are taking place simultaneously, yet are synchronized in a highly precise fashion to deliver optimal performance and accuracy in a compact, power-efficient package.

And Don’t Forget Security

When capturing network traffic, you don’t want to create an open treasure trove of data for anyone who may be browsing. Therefore, during the capture and record process, the USC10G3 also encrypts the captured data twice, using a very long key, before writing it to disk. Additionally, the unit features a stealthy network profile that keeps its presence invisible on the network and safe from prying eyes.

So, what makes our IPCopper OS secure? Simple: the weakness in using other operating systems as platforms for packet capture (and other dedicated tasks), is the necessity of eliminating many unwanted functions so that they are not accessible to hackers, but without destabilizing the system. This is a challenging, if not impossible, task. In the case of IPCopper OS, we have a purpose-built system, with the purpose being secure performance.

GPS Time Synchronization

Keeping accurate time is a challenge on even the most modern computing and networking equipment, primarily due to the tendency of computer clocks to drift. Even if a computer clock is accurate to 30/1,000,000 of a second, after one million seconds the clock will have drifted 30 seconds (the specification for HPET 1.0 — high precision event timers — which are used in modern computers, expects drift of less than 500/1,000,000 seconds). In computing, keeping clocks synced is a constant task.

The IPCopper USC10G3 includes a very accurate GPS-powered timestamping system that allows for a timestamp resolution of 1/1,000,000 of a second. Accurate time is important when examining packet capture data or reconstructing network events forensically, therefore, it is important to know exactly when a packet arrived – not simply within a minute or two.

The USC10G3’s GPS time sychronization is fully automatic. Simply hook up the included external antenna and the unit will synchronize its time with the broadcast GPS time every time it boots up. If for whatever reason GPS time synchronization is not desired, simply disable it either for one boot cycle or permanently. The USC10G3 comes with a high accuracy clock. Our tests of a live IPCopper unit showed that the clock was off by less than 1½ seconds after 20 weeks. That is equivalent to a drift of 0.125/1,000,000 seconds. The best strategy to keep the clock accurate is to allow the IPCopper unit to resynchronize with GPS time at regular intervals, to avoid deviations over time.

Data Retrieval

The USC10G3 is accessible via Ethernet using the management utility for data retrieval and status checks.

Accessing the USC10G3 is satisfyingly simple, even though the unit does not have its own IP or MAC addresses. Instead, it relies on patent-pending technology that enables secure access via an encrypted, disguised connection, using the supplied Windows utility and its simple instructions — all the while the unit remains hidden from digital prying eyes.

The unit also incorporates a manual security feature, by means of the retrieve button on the front panel. Until retrieve mode is engaged by pressing the retrieve button, the unit will not respond to any management commands. This gives you very close access control for when you need the extra security. It also provides flexibility when remotely deploying the unit; if you need to access a unit remotely because it is in an unmanned location, you can permanently engage retrieve mode using the management utility.

During data retrieval sessions, the USC10G3 continues to operate as normal, recording all the packets passing through. It also keeps a log of access requests, if needed for later review.

The standard management utility that comes with your IPCopper packet capture appliance is a Windows-based menu-driven utility that allows for easy data retrieval for general users through a Q&A session. The utility may be customized for deployment in a Linux environment.

For additional data management and analytics features, the USC10G4 integrates with our management and analytics server.

Security

When recording anything, you want ensure that you keep control over the data. IPCopper has you covered, in a multitude of ways:

• The units are permanently sealed when they ships to you in tamperproof, all-metal enclosures. They can only be opened with power tools — a simple, innocuous screwdriver won't cut it.
• The captured data is dually encrypted using a 20,000 bit key. The key is located on a removable USB stick, which must be present at power on or the unit will not boot up (however, absence of the key will not affect bypass).
• The unit keeps a log of all access requests and status checks from the management utility.
• All communications between the unit and the management utility are encrypted. Even if communications between the unit and the management utility are intercepted, they are disguised to appear as ping or other mundane traffic.
• The unit is electronically invisible, with a stealthy network profile. What that means is that the unit acquires neither IP nor MAC addresses; you cannot ping it or elicit a response from the unit except through its management utility.
• You may assign an IP address to a specific port when it is configured as a management port, however, even then the unit will not respond to any communications except for those from the management utility or ARP requests.

Support

Manuals and Documentation

• USC10G3 Product Manual
• USC10G3 Datasheet

Suggestions for Deployment

IPCopper packet capture appliances may be deployed in a variety of locatons around a network. Where you should place your unit depends on the type of network traffic you intend to capture.

• A very common location is at the perimeter of the network, where the internet connection(s) come in from outside. Placement may occur on either side of the firewall. If placed before the firewall (i.e., between the firewall and the public internet), the IPCopper appliance will capture all traffic directed into the network, including activity that the firewall would filter out, as well as all traffic leaving it. If placed after the firewall (i.e., between the firewall and the rest of the network), the appliance would capture all inbound internet traffic allowed through the firewall and all outbound traffic.
• IPCopper packet capture appliances may also be placed between a network asset and the rest of the network. In this fashion, the IPCopper appliance would capture all internet/network traffic between the network asset and the rest of the network.
• For monitoring a workgroup, you could place the IPCopper packet capture appliance between the router to which the workgroup is connected and the rest of the network, however, with the router in between the appliance and the member computers of the workgroup, the MAC addresses of the individual computers would obscured. To capture the MAC addresses, place the appliance with the router on one side and a switch connecting to the individual workgroup members on the other.
• For comprehensive monitoring that would enable panaoramic forensic analysis, place IPCopper packet capture appliances at several locations around the network: at the perimeter, in front of network assets and in front of workgroups.
• Inline vs. SPAN/mirror deployment
• Management utilities for Linux environments

General Installation Instructions

1. Connect Ethernet cables.
2. Insert external key (Note: you must use the key that came in box with unit — the key is mated to the unit it comes with and is not interchangeable with other IPCopper keys).
3. Connect power. The appliance will boot up automatically. During boot up, the unit will synchronize its time to GPS time, indicated by the flashing green GPS light (the closer it is to completing synchronization, the more rapidly the LED blinks). To forego GPS time synchronization at boot up, press the RET button while the green GPS light is blinking. When the green REC light illuminates steadily the unit is fully operational.

It is highly recommended to connect the unit to power via a UPS (uninterruptible power supply) and/or surge protector for protection against power spikes and other fluctuations in the electrical grid.

Troubleshooting

Error light is illuminated.

• Re-boot the unit by pressing the reboot button.
• Turn off the unit, change the power cable and/or connect to a different power outlet then re-boot.
• Change the Ethernet cables and re-boot the unit.
• Disconnect all Ethernet cables and re-boot the unit.
• If the error light persists after re-booting the unit three or four times, changing power and ethernet cables and changing the power outlet, please contact technical support for further assistance.

Nothing happens when attempting to power up the unit.

• Verify that the power cables is securely connected both to the back of the unit and the power source.
• Connect to a different electrical outlet.
• Use a different surge protector or UPS (uninterruptible power supply).
• Use a different power cable.
• If the unit's nonresponsiveness persists after trying the above, please contact technical support for further assistance.

Warranty

One year from date of purchase. For more information, see our warranty page.