Packet Capture and AWS VPC Flow Logs
AWS Security Architect, https://awssecurityarchitect.com/aws-network-security/packet-capture-and-aws-flow-logs/ (Sat, 29 Jun 2024 04:49:29 +0000)
Also read: PCAP (Packet Capture) overview

AWS VPC Flow Logs do not use PCAP (Packet Capture) format. Instead, VPC Flow Logs capture metadata about the traffic flowing to and from network interfaces in a Virtual Private Cloud (VPC). This metadata is stored in a structured log format, typically in Amazon CloudWatch Logs or Amazon S3.

Data Captured by VPC Flow Logs

VPC Flow Logs capture information such as:

  • Version: The version of the flow log format.
  • Account ID: The ID of the AWS account that owns the network interface.
  • Interface ID: The ID of the network interface for which traffic is recorded.
  • Source Address: The source IP address of the traffic.
  • Destination Address: The destination IP address of the traffic.
  • Source Port: The source port of the traffic.
  • Destination Port: The destination port of the traffic.
  • Protocol: The IANA protocol number of the traffic (e.g., TCP is 6, UDP is 17).
  • Packets: The number of packets transferred during the flow.
  • Bytes: The number of bytes transferred during the flow.
  • Start Time: The time at which the flow started.
  • End Time: The time at which the flow ended.
  • Action: Whether the traffic was accepted or rejected.
  • Log Status: The status of the flow log.

Example of a VPC Flow Log Entry

Here is an example of a single VPC Flow Log entry:

2 123456789012 eni-abc123de 192.168.1.1 10.0.0.1 443 12345 6 10 840 1623101047 1623101107 ACCEPT OK

Breakdown of the Example Entry

  • 2: The version of the flow log format.
  • 123456789012: The AWS account ID.
  • eni-abc123de: The ID of the network interface.
  • 192.168.1.1: The source IP address.
  • 10.0.0.1: The destination IP address.
  • 443: The destination port (HTTPS).
  • 12345: The source port.
  • 6: The protocol (TCP).
  • 10: The number of packets transferred.
  • 840: The number of bytes transferred.
  • 1623101047: The start time of the flow (in Unix epoch time).
  • 1623101107: The end time of the flow (in Unix epoch time).
  • ACCEPT: The action taken (whether the traffic was accepted or rejected).
  • OK: The log status for this record (OK means the entry was logged normally).
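To make the record format concrete, here is an added example (not code from the original post) that parses default-format version 2 entries like the one above and then counts, per source address, the distinct destination ports on which traffic was rejected, the kind of security-monitoring check flow logs are typically used for. Field order follows the field list above (source port before destination port); the extra log lines, the 203.0.113.7 address and the port sweep they depict are constructed for illustration.

```python
# Added example, not code from the original post: parse default (version 2)
# VPC Flow Log records and count rejected destination ports per source.
# Field order follows the field list above: source port precedes destination port.

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol",
              "packets", "bytes", "start", "end"}


def parse_flow_log(line: str) -> dict:
    """Parse one default-format record into a dict. AWS writes '-' for a field it
    has no data for (NODATA / SKIPDATA records); such fields come back as None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = {}
    for name, value in zip(FIELDS, parts):
        if value == "-":
            rec[name] = None
        elif name in INT_FIELDS:
            rec[name] = int(value)
        else:
            rec[name] = value
    return rec


def rejected_ports_by_source(lines, min_ports: int = 1) -> dict:
    """Map each source address to the number of distinct destination ports it was
    REJECTed on; one source rejected on many ports is the flow-log signature of a port sweep."""
    ports_seen = {}
    for line in lines:
        rec = parse_flow_log(line)
        if rec["action"] != "REJECT":
            continue  # ACCEPT records and NODATA/SKIPDATA records (action None) are skipped
        ports_seen.setdefault(rec["srcaddr"], set()).add(rec["dstport"])
    return {src: len(ports) for src, ports in ports_seen.items() if len(ports) >= min_ports}


SAMPLE_LINES = [
    # The entry from the post: an accepted TCP flow of 10 packets / 840 bytes.
    "2 123456789012 eni-abc123de 192.168.1.1 10.0.0.1 443 12345 6 10 840 1623101047 1623101107 ACCEPT OK",
    # Constructed: one external host rejected on three different ports within seconds.
    "2 123456789012 eni-abc123de 203.0.113.7 10.0.0.1 51000 22 6 1 44 1623101200 1623101200 REJECT OK",
    "2 123456789012 eni-abc123de 203.0.113.7 10.0.0.1 51001 3389 6 1 44 1623101201 1623101201 REJECT OK",
    "2 123456789012 eni-abc123de 203.0.113.7 10.0.0.1 51002 445 6 1 44 1623101202 1623101202 REJECT OK",
    # Constructed: a NODATA record, where AWS writes '-' for fields it has no data for.
    "2 123456789012 eni-abc123de - - - - - - - 1623101300 1623101900 - NODATA",
]
```

Running `rejected_ports_by_source(SAMPLE_LINES, min_ports=2)` over the sample returns `{'203.0.113.7': 3}`, while the accepted flow and the NODATA record contribute nothing.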

Differences from PCAP

  • Granularity: PCAP files capture the entire packet, including headers and payloads. VPC Flow Logs capture metadata about the flow, not the packet contents.
  • Format: PCAP is a binary format, while VPC Flow Logs are plain text entries.
  • Use Case: PCAP is used for detailed packet-level analysis, often in network troubleshooting and forensics. VPC Flow Logs are used for monitoring and analyzing network traffic patterns and security within AWS environments.

Usage of VPC Flow Logs

  1. Security Monitoring: Analyze traffic patterns to detect suspicious activities or security breaches.
  2. Compliance: Maintain logs for auditing and compliance requirements.
  3. Performance Monitoring: Identify and troubleshoot network performance issues by examining traffic flow data.
  4. Cost Management: Understand data transfer costs by analyzing traffic volume.

In summary, AWS VPC Flow Logs do not use PCAP format. Instead, they provide a high-level overview of network traffic, capturing essential metadata to help with security monitoring, compliance, performance analysis, and cost management.
