Capturing traffic in Windows with KIS 2010
Network traffic capture seems to have become a fashionable feature these days, to the point that antivirus vendors have begun to embed it in their products. Universal sniffers (Ethereal/Wireshark, Network Monitor) are known to every network specialist. For particular needs it is also possible either to analyze packets saved by such a sniffer or to develop your own tool, using the WinPcap library on Windows or the corresponding libraries on *nix systems. Such a sniffer first appeared in the firewall component of Kaspersky Internet Security 2009, and in KIS 2010 it has not changed significantly. We installed KIS 2010 (126.96.36.1993) on Windows XP x64 Eng SP2 and KIS 2009 (188.8.131.526) on Windows Vista Ultimate x64 Eng SP2, and started capturing via the Network Packet Analysis service in the Security+ menu (Security – Content filtering – Network packets analysis in the 2009 version).
Note that the Network Packets Analysis monitor must first be enabled in the Network packets analysis group of the Network subcategory of the Parameters menu.
From here on we discuss only Kaspersky Internet Security 2010, since the network analyzer is identical in both versions. We would like to draw the reader's attention to the fact that the network analyzer in KIS 2009/2010 cannot be called full-featured; it is intended rather for a brief overview of incoming and outgoing traffic.
The flags of the TCP transport protocol are displayed quite well, but the contents of the HTTP protocol have to be studied manually. The universal network analyzers (Wireshark and NetMon) support a far longer list of protocols.
Besides the restriction mentioned above there is another: captured data cannot be exported for further processing by another program, nor can traffic be imported from another sniffer. Wireshark and NetMon, of course, can save network traffic in a format that other software products understand.
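Since the KIS analyzer can neither export captures nor show HTTP contents, the usual workaround is to capture with Wireshark or NetMon and post-process the saved file. As an added example (not from the original article), the Python script below parses the classic libpcap file format, decodes the TCP flags of each packet as the KIS analyzer displays them, and pulls the first line of any HTTP payload; the three-packet capture it reads is constructed in the script itself.

```python
import struct
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",   # TCP flag bits
             0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR"}   # (RFC 793 / RFC 3168)

def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame for the sample capture (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip          # zero MAC addresses, EtherType IPv4

def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file (24-byte global header, 16-byte record headers)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def parse_pcap(data):
    """Return (src, dst, sport, dport, flag names, first payload line) for every TCP packet."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond-resolution pcap files are handled")
    off, rows = 24, []
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack("<IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if pkt[12:14] != b"\x08\x00":                 # skip non-IPv4 frames
            continue
        ip = pkt[14:]
        if ip[9] != 6:                                # skip non-TCP packets
            continue
        tcp = ip[(ip[0] & 0x0F) * 4:]                 # skip IP header including options
        sport, dport = struct.unpack("!HH", tcp[:4])
        names = [n for bit, n in sorted(TCP_FLAGS.items()) if tcp[13] & bit]
        payload = tcp[(tcp[12] >> 4) * 4:]            # data offset is in 32-bit words
        line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace") if payload else ""
        rows.append((".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])),
                     sport, dport, names, line))
    return rows

# Constructed three-packet capture: TCP handshake plus one HTTP request (documentation IP ranges).
CLIENT, SERVER = (192, 0, 2, 10), (198, 51, 100, 20)
SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT, SERVER, 49152, 80, 0x02),                 # SYN
    build_frame(SERVER, CLIENT, 80, 49152, 0x12),                 # SYN|ACK
    build_frame(CLIENT, SERVER, 49152, 80, 0x18,                  # PSH|ACK carrying the request
                b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
])
```

Feeding `parse_pcap` a file saved by Wireshark (`open(path, "rb").read()`) lists the same flag view KIS offers, plus the HTTP request line KIS leaves to manual inspection.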
The CPU load produced by the Network packet analyzer in KIS 2009/2010 was also surprising. The hardware parameters of one of the test computers are shown below. On this hardware platform, under Windows XP x64 SP2 Eng, 50% utilization of both cores was observed. We then launched the analyzer on a similar hardware platform running Windows Vista x64 SP2 Rus and saw the same load.
KIS 2010 was also installed on a single-core 1.5 GHz computer running Windows XP x32 SP3 Rus. There the processor showed 100% utilization.
We reported this problem to the antivirus vendor's technical support, since other network analyzers did not show any tangible CPU load on the same hardware platforms. The reply was a little surprising to us. According to it, such behaviour of KIS 2009/2010 is normal, because the antivirus analyzes the passing traffic deeply, and therefore Kaspersky Lab does not recommend using the Network packets analyzer continuously. We were even more amazed because the packet rate during the test was 1-2 pps.
We would like to note separately that this article does not discuss the advantages and disadvantages of Kaspersky Internet Security as a whole; we only examine the network packet analyzer integrated into the antivirus product.
This concludes our brief review of the network analyzer that appeared in Kaspersky Lab Network Security software.