Stenographer 數(shù)據(jù)包捕獲解決方案，快速的把所有數(shù)據(jù)包轉(zhuǎn)移到硬盤中，可以簡單快速的訪問包子集。

Stenographer 緩沖數(shù)據(jù)包到硬盤，用于入侵檢測和事件響應(yīng)，提供高性能的 NIC-to-disk 數(shù)據(jù)包寫入；提供快速讀取數(shù)據(jù)包的方法。

Stenographer 主要用來：

• 把數(shù)據(jù)包快速寫入硬盤

• 存儲盡可能多的歷史記錄

• 讀取分析需要的，硬盤上的非常小部分的數(shù)據(jù)包

不適用于：

• 復(fù)雜的數(shù)據(jù)包處理（TCP流重組等）

• 速度很快，因?yàn)樗贿@樣做。即使我們對數(shù)據(jù)包進(jìn)行了非常少的單遍處理，僅索引就處理?1Gbps可能占用單個內(nèi)核的> 75％。

• 通過從磁盤讀回數(shù)據(jù)來處理數(shù)據(jù)也不起作用：請參閱下一個要點(diǎn)。

• 回讀大量數(shù)據(jù)包（>寫入數(shù)據(jù)包的1％）

• 此處的關(guān)鍵概念是磁盤讀取與磁盤寫入競爭…用戶可以以磁盤速度的90％進(jìn)行寫入，但這僅給用戶10％的磁盤讀取時間。此外，我們正在編寫高度順序的數(shù)據(jù)，哪些磁盤非常擅長快速處理，并且通常通過大量查找來回讀稀疏數(shù)據(jù)，哪些磁盤的運(yùn)行速度很慢。

查詢語言

host?8.8.8.8??????????#?Single?IP?address?(hostnames?not?allowed)
net?1.0.0.0/8?????????#?Network?with?CIDR
net?1.0.0.0?mask?255.255.255.0??#?Network?with?mask
port?80???????????????#?Port?number?(UDP?or?TCP)
ip?proto?6????????????#?IP?protocol?number?6
icmp??????????????????#?equivalent?to?'ip?proto?1'
tcp???????????????????#?equivalent?to?'ip?proto?6'
udp???????????????????#?equivalent?to?'ip?proto?17'

#?Stenographer-specific?time?additions:
before?2012-11-03T11:05:00??????#?Packets?before?a?specific?time?(UTC)
after?2012-11-03T11:05:00-0700??#?Packets?after?a?specific?time?(with?TZ)
before?45m?ago????????#?Packets?before?a?relative?time
before?3h?ago?????????#?Packets?after?a?relative?time

Stenoread CLI

#?Request?all?packets?from?IP?1.2.3.4?port?6543,?then?do?extra?filtering?by
#?TCP?flag,?which?typical?stenographer?does?not?support.
$?stenoread?'host?1.2.3.4?and?port?6543'?'tcp[tcpflags]?&?tcp-push?!=?0'

#?Request?packets?on?port?8765,?disabling?IP?resolution?(-n)?and?showing
#?link-level?headers?(-e)?when?printing?them?out.
$?stenoread?'port?8765'?-n?-e

#?Request?packets?for?any?IPs?in?the?range?1.1.1.0-1.1.1.255,?writing?them
#?out?to?a?local?PCAP?file?so?they?can?be?opened?in?Wireshark.
$?stenoread?'net?1.1.1.0/24'?-w?/tmp/output_for_wireshark.pcap