Ideally a guide which spells out which fields of which packets correspond to the "Internet Connection Record" the government would like me to store for 12 months and what kind of searches they expect to be able to run across this data (i.e. do they expect an SQL interface or grep for a string?)
The best I've seen is this from the NCA: http://www.nationalcrimeagency.gov.uk/publications/673-written-evidence-annexes-a-d/file

I'm assuming for fixed lines you use the associated telephone number (or presumably circuit ID for ethernet) and you probably know your customers' postcode. However, viewing dangerous right wing material leading to overthrow of the government in a referendum (e.g. the Telegraph homepage) generated 215 ICRs when I just measured it, with most web requests generating 50-100 ICRs per pageview. So the obvious thoughts are:

(i) That's going to be a lot of data. Invest in disks.
(ii) You'll need DPI to sniff the SNI destination URL from https connections.
(iii) What do you do for UDP? Do you log every NTP/DNS/VPN packet?
(iv) Imagine SQLSlammer2. How do you log that?

I'm sure someone rather bigger has a better idea of what needs doing though, and I'd dearly love to hear a fuller explanation of what is required, not least because our customers are asking us.

Pete

-- 
Pete Stevens
p...@ex-parrot.com
http://www.ex-parrot.com/~pete/

The last time humans crossed space to a destination was the Apollo 17 mission in 1972. In the 32 years since, no man has seen, with his own eyes, Earth as that beautiful, solitary blue sphere, and - reality check - no woman has ever seen it at all. -- James Cameron
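Point (ii) in the post, pulling the SNI out of an HTTPS connection, is the one part of an ICR that can be read from the packet itself, so here is an added example of what that parse actually involves. This is not code from Pete's post or from any ISP's or NCA system; the ClientHello bytes are constructed inside the example (no real capture), and the function names are mine. Two caveats worth noting against the post's wording: SNI yields a hostname only, never the URL path, and it is present once per TCP connection in the unencrypted ClientHello, so anything that is not a well-formed ClientHello (plain HTTP, UDP, a worm's scan traffic) simply yields nothing, which the parser reflects by returning `None` instead of raising.

```python
"""Extract the TLS SNI hostname from a ClientHello record.

Added example (not from the original post). The ClientHello below is
constructed here for illustration, not captured from a live link."""
import struct


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record (constructed sample input).
    Only the fields a parser has to walk are populated; the cipher-suite list
    is a two-entry stub."""
    client_random = bytes(32)
    session_id = b""
    cipher_suites = b"\xc0\x2f\x00\x9c"
    compression = b"\x00"
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        # ServerName entry: name_type 0 (host_name), 2-byte length, name
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        # extension type 0 = server_name
        extensions += b"\x00\x00" + struct.pack("!H", len(sni_list)) + sni_list
    # an unrelated extension (type 0x2b) so the parser has something to skip
    extensions += b"\x00\x2b" + struct.pack("!H", 3) + b"\x02\x03\x04"
    body = (b"\x03\x03" + client_random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + bytes([len(compression)]) + compression
            + struct.pack("!H", len(extensions)) + extensions)
    # handshake type 1 = client_hello, followed by a 3-byte length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # record type 0x16 = handshake, legacy version 3.1, 2-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI host_name from a TLS ClientHello record, or None.

    Returns None rather than raising on anything that is not a well-formed
    ClientHello: on a live tap most bytes handed to this will not be one."""
    try:
        if record[0] != 0x16:                       # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                           # not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        pos = 2 + 32                                # client_version + random
        sid_len = body[pos]
        pos += 1 + sid_len
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2 + cs_len
        comp_len = body[pos]
        pos += 1 + comp_len
        if pos + 2 > len(body):
            return None                             # no extensions block
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + length]
            pos += length
            if ext_type != 0:                       # only server_name matters
                continue
            list_len = struct.unpack("!H", data[:2])[0]
            p, list_end = 2, 2 + list_len
            while p + 3 <= list_end:
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:                  # host_name
                    return data[p:p + name_len].decode("ascii", "replace")
                p += name_len
        return None
    except (IndexError, struct.error):
        return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.example.com")))  # www.example.com
    print(extract_sni(build_client_hello()))                   # None
    print(extract_sni(b"GET / HTTP/1.1\r\n"))                  # None
```

Run against the post's numbers, this is the work that has to happen on every one of those 50-100 connections per pageview, and it covers only the TLS-over-TCP case; the DNS, NTP and VPN packets in point (iii) carry no such field to extract.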