Storage Capacity

When choosing a packet capture appliance, an important consideration is the time span of network activity that you would like to be able to store. When using captured network data to troubleshoot network equipment / applications or do forensic analysis of network incidents, it is critical to have available data from the entire timespan of the event under investigation. Further, signature development time for new viruses, malware and APTs discovered in the wild is generally several months or longer and it may take months before a breach or other network event is discovered. For these reasons, we recommend planning for enough capacity to retain network activity records for at least 6-12 months.

Standard IPCopper packet capture appliances come in capacities ranging form 1 TB to 48 TB. Custom IPCopper configurations allow stacking to achieve capacities of up to 1,152 TB.

Memory Capacity
Peak Capture Speed
Min. Sustained Capture Speed
Type
Min. Sustained Packet Rate (packets/second)

USC1030

1 TB
1 Gbps
400 Mbps
forensic
150,000

USC4060

4 TB
1 Gbps
400 Mbps
continuous-loop
165,000

USC6042

4 TB
1 Gbps
400 Mbps
continuous-loop
100,000

USC10G3

24 TB
10 Gbps
5 Gbps
continuous-loop
6,000,000

USC10G4

24 TB
10 Gbps
5 Gbps
continuous-loop
6,000,000

USC10M2

48 TB
10 Gbps
5 Gbps
continuous-loop
6,000,000

USC10M3

48 TB
10 Gbps
8 Gbps
continuous-loop
6,000,000

Estimating packet capture capacity needs

Please see the table below for daily storage capacity utilization for different bandwidth usages. For ease of computation, we assumed assymmetrical usage (the connection has substantially more traffic in one direction than the other).

Avg. Max. Sustained Bandwidth Utilization
Usage Pattern
Per-Day Capacity Usage
100 Mbps
24-hr
1 TB
100 Mbps
8-hr
0.35 TB
40 Mbps
24-hr
0.4 TB
40 Mbps
8-hr
0.125 TB
20 Mbps
24-hr
0.2 TB
20 Mbps
8-hr
0.07 TB

Some industries, such as hospitals and medical offices that constantly deal with large data files, necessarily have higher bandwidth utilization than others. For example, a hospital data center may peak at around 1 Gbps (~5 TB per day usage) whereas a large office may use up to 25 Mbps sustained (~250 GB per day usage).

The overhead of IPCopper appliances ranges from 1% to 10%, depending on the size of the packets. If your average packet size is around 1000 bytes, the overhead would be, conservatively, 3%. The larger the packet, the lower the overhead percentage. For average traffic, an overhead of 5% is a good number to use in your calculations.

To aid you in estimating your office's usage needs, the table below gives the approximate size of files that commonly traverse data networks.

Type of Content

Average Size of File

Quantity That Would Fit on 1 TB

MP3 song, 128kbps stereo
3 MB
333,000
1 min of CD quality audio, 44Khz uncompressed 16bit
10 MB
100,000
Average plain text email, no attachments
2000 bytes
500,000,000
Average HTML email, no attachments
5000 bytes
200,000,000
one-page word document, no graphics
10 kb
100,000,000
web quality photograph, jpg format
100 kb
10,000,000
high resolution digital photograph, jpg format
1.5 MB
666,000
dvd-quality full length movie
4.7 GB
212
1 CD
650-800 MB
1250-1538
one minute of internet radio
480 kb
2,083,000
one minute VoIP telephone call, G711 codec, high quality
600 kb
1,667,000
one-page fax, high quality
100 kb
10,000,000

Managing Packet Capture on Networks with High Utilization

Packet capture on networks with high bandwidth utilization generate large amounts of data over a short period of time, requiring robust strategies to both manage, retain and analyze network data. IPCopper's management and analytics servers provide a centralized location from which to manage multiple IPCopper packet capture appliances, aggregate PCAP data and analyze the captured network data with indexing, search and other capabilities, including a high-performance IDS engine with IP and signature based rules for alerts and reporting. With IPCopper's analytics server, network operators can get a handle on managing tens and hundreds of terabytes of data, with the ability to examine the data both in aggregate and at the individual packet and session level.

The server’s core functions include packet capture appliance management; data acquisition and aggregation; and search. Its searching capabilities encompass both simple, one-dimensional searches and multi-dimensional searches, including searches by IP and MAC address with differentiators for source versus destination references; port; date and time ranges; signature matches, either by packet or TCP/IP session; HTTP header fields (file name, host, user, agent, etc); protocol; and other parameters.

IPCopper's analytics servers' native storage may be increased with the addition of storage modules, for total storage of 480+ TB.

Report: Marketing Cybercrime to Infect America

Report