An eBPF-based packet capture system with embedded application metadata for network forensics


Bibliographic Details
Published in: International Journal of Networking and Computing, Vol. 15, No. 2, pp. 65-84
Main Authors: Okabe, Masaya; Tsunoda, Hiroshi
Format: Journal Article
Language: English
Published by: IJNC Editorial Committee, 2025
ISSN: 2185-2839; 2185-2847
DOI: 10.15803/ijnc.15.2_65

Summary: In network forensics, identifying the applications involved in packet transmission and reception is crucial for reconstructing the chain of events in a security incident. However, because captured packets carry no information about the originating application, investigators must rely on other sources, such as log data, for identification, which reduces the efficiency and accuracy of the forensic process. This paper proposes a new system that uses the extended Berkeley Packet Filter (eBPF) to embed application metadata directly into packet capture files. To demonstrate the feasibility of this concept, we implemented a prototype of the proposed system. The system associates each packet with the corresponding application name, process ID, and user ID, and stores this metadata alongside the packet data in PCAPNG format, so that the capture can be analyzed with existing tools such as Wireshark. An experimental evaluation comparing the system's performance with that of a conventional packet capture tool revealed challenges, such as packet loss due to buffer overwriting and increased resource consumption. In particular, the initial Python-based implementation recorded a packet loss rate of 55.61%, which was improved to 7.60% by an enhanced Go-based implementation. However, the proposed system increases CPU utilization by up to 22 percentage points, so further optimization is needed. Despite the remaining performance challenges, the proposed approach has the potential to reduce analysis time and improve accuracy in network forensics by eliminating the reliance on log data.