RAID (redundant array of independent disks)

With RAID technology, a number of disks can be combined so that they work as one large logical disk. RAID technology can implement data redundancy, which provides fault tolerance against disk errors. RAID technology can also implement disk striping, which distributes data across all the available disks and provides high disk read and write performance.
RAID devices use many different architectures, called levels, depending on the desired balance between performance and fault tolerance. RAID levels describe how data is distributed across the drives.

RAID Level 0: Striped disk array without fault tolerance
Consists of striping, without any parity. The capacity of a RAID 0 volume is the sum of the capacities of the disks in the set. There is no added redundancy for handling disk failures. Thus, failure of one disk causes the loss of the entire RAID 0 volume. Striping distributes the contents of files roughly equally among all disks in the set, which makes concurrent read or write operations on the multiple disks almost inevitable and results in performance improvements. The concurrent operations make the throughput of most read and write operations equal to the throughput of one disk multiplied by the number of disks. Increased throughput is the big benefit of RAID 0, at the cost of increased vulnerability to drive failures. (Source: Wikipedia)

RAID Level 5: Block interleaved distributed parity
Consists of block-level striping with distributed parity. Parity information is distributed among the drives. Upon failure of a single drive, subsequent reads can be calculated from the distributed parity such that no data is lost. A failing drive can be replaced on a running system and the contents of the failing drive can be restored automatically, but reduced performance must be expected while the drive is restored. (Source: Wikipedia)

RAID Level 6: Independent data disks with double parity
Consists of block-level striping with double distributed parity. Double parity provides fault tolerance up to two failed drives. This makes larger RAID groups more practical, especially for high-availability systems, as large-capacity drives take longer to restore. As with RAID 5, a single drive failure results in reduced performance of the entire array until the failed drive has been replaced. The larger the drive capacities and the larger the array size, the more important it becomes to choose RAID 6 instead of RAID 5. (Source: Wikipedia)

Retention Time

Retention time is the time the system (the NTA) can store packets from the network to the disk system without having to overwrite the oldest packets on the disk system.
The retention time depends on the amount of disk space in the system and the amount of packets received from the network that are being stored.

When Wasabi Networks specifies a system's retention time, it is for the situation where all capture interfaces are receiving packets at the maximum possible speed for the entire time specified as the retention time. Receiving packets at the maximum possible speed for the entire retention time is a highly unrealistic situation that never happens in a real network, so in a realistic network the NTA retention time will be much higher than the specified retention time.

The NTA retention time can be increased by the use of capture filters and by using slicing.

Capture packet filtering can greatly increase the retention time and allows for a more targeted recording of network traffic. Packet filtering can be used to refine packet selection by using receiving time, protocol, IP address, VLAN and many other fields.
Filters can be used to specify:
1. The relevant packets (packets that should be stored to the disk system for later analysis)
2. The packets that are irrelevant and can be discarded (not stored to the disk system)
3. Packets that can be sliced (“Slice payload” or “Slice encrypted”)

Packet slicing removes the parts of the captured packets that are not relevant for the analysis of the packets. This can, for example, be the packet payload or the part of the packet that is encrypted.
In most cases encrypted data cannot be decrypted later, so it makes more sense to discard the encrypted part of a packet as the packet is received. An increasing part of network traffic is encrypted, so in many cases discarding encrypted packet data can greatly increase the retention time.
Examples of encrypted packets are:
* Most of Facebook traffic,
* Most of YouTube traffic and
* Most email traffic
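The following is an added worked example (not part of the Wasabi Networks documentation) of the worst-case retention time calculation described above: usable capacity from the RAID level, divided by the write rate when every capture interface is saturated, with a stored-fraction factor standing in for what capture filters and slicing discard. The function names, the 12 x 4 TB RAID 6 array and the two 10 Gbit interfaces are constructed assumptions.

```python
# Usable capacity per RAID level as described above: RAID 0 uses every
# disk for data, RAID 5 reserves one disk's worth for parity, RAID 6 two.
PARITY_DISKS = {0: 0, 5: 1, 6: 2}


def usable_capacity_bytes(raid_level: int, disk_count: int, disk_bytes: int) -> int:
    """Capacity available for packet storage on a RAID 0/5/6 array."""
    parity = PARITY_DISKS[raid_level]
    if disk_count <= parity:
        raise ValueError(f"RAID {raid_level} needs more than {parity} disks")
    return (disk_count - parity) * disk_bytes


def ingest_rate_bytes_per_s(interface_gbit: list, stored_fraction: float = 1.0) -> float:
    """Worst-case write rate: all capture interfaces receiving at line rate.

    stored_fraction < 1.0 models capture filters and slicing: only that
    share of the received bytes is written to the disk system.
    """
    if not 0.0 < stored_fraction <= 1.0:
        raise ValueError("stored_fraction must be in (0, 1]")
    line_rate = sum(gbit * 1e9 / 8 for gbit in interface_gbit)  # bytes/s
    return line_rate * stored_fraction


def retention_seconds(raid_level: int, disk_count: int, disk_bytes: int,
                      interface_gbit: list, stored_fraction: float = 1.0) -> float:
    """Specified (worst-case) retention time in seconds."""
    capacity = usable_capacity_bytes(raid_level, disk_count, disk_bytes)
    return capacity / ingest_rate_bytes_per_s(interface_gbit, stored_fraction)


if __name__ == "__main__":
    # Constructed example: 12 x 4 TB disks in RAID 6, two 10 Gbit capture ports.
    disks, disk_size, ports = 12, 4_000_000_000_000, [10, 10]
    full = retention_seconds(6, disks, disk_size, ports)
    sliced = retention_seconds(6, disks, disk_size, ports, stored_fraction=0.25)
    print(f"worst case, everything stored: {full / 3600:.2f} h")
    print(f"worst case, 75% sliced/filtered: {sliced / 3600:.2f} h")
```

Real retention will be longer than either number, since the interfaces will not be saturated continuously; the calculation gives the guaranteed floor.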
