CyberPro is a unique portable appliance that incorporates all of the features of NextComputing’s Packet Continuum cybersecurity architecture with the addition of a few features exclusive to this distinctive form factor.

Lossless Packet Capture & Log Manager, With Deterministic Performance

Lossless packet capture, with data enrichment, is the immutable ground truth of any critical event – not merely an interpretation. Packet Continuum provides a performance guarantee of sustained lossless capture rate, for a set of real-time packet analytics (Log Manager) functions, and a specified number of Packet Continuum cluster nodes. This means a deterministic guarantee to capture every packet under real world conditions, not just a “best effort” attempt.

  • Lossless packet capture
  • Time stamping of 150 nanoseconds
  • Real-time indexing, for efficient query and retrieval of retrospective PCAP data or IPFIX records
  • Real-time IDS alert configurator generates event logs for HTTP, Files, DNS, email, user agents, TLS/SSL – all cross-correlated with PCAP & IPFIX flow records
  • Log Manager advanced packet analytics options include real-time event logging & cross-correlation:
    • Behavior and Signature Visibility
    • Multi-signature and behavior event logging
    • EXCLUSIVE to CyberPro, VOIP log, search, pivot and extract for Incident Response applications
      • SIP (Session Initiation Protocol) sessions
      • RTP (Real-time Transport Protocol) based sessions
      • RTCP packets for each session
    • Simplified search and logging for Email, HTTP, SMTP, Files, DNS, User Agents, TLS/SSL
    • Active Triggers (BPF signature)
    • 100 Snort rules (emerging-DNS, emerging-ftp, and files)
    • System events
  • Log Manager search actions:
    • All logs are time-correlated with PCAPs and IPFIX data
    • Text string search of logs
    • IPFIX flow record logging and search
  • Scalable architecture to meet your speed and/or analytics requirements
  • Federate multiple cluster-based capture systems, for global visibility and PCAP retrieval

Simplified Workflow

Packet Continuum simplifies your workflow by integrating endpoint behavior and network signature visibility and DPI with a simple pivot to the sessionized network data, enriched metadata and file recovery. Mitigate the nearly 2/3 of breaches per incident that are easy to catch, such as administrative issues, by implementing effective, basic cyber practice policies that track user agent signature characteristics, email and file exfiltration.

Diagram of CyberPro workflow.

Log Manager showing HTTP log tab – HTTP session extraction and reconstruction of various files on the web page, including a JPG file showing the original content and metadata file breaking down the JPG file

Labor / cost reduction

Combines zero-day alerting and pivot for analysis/mitigation with historical post-breach forensics analysis, including “cyber-espionage,” “point-of-sale intrusions,” and “privilege misuse.” Reduce the cost of network recording software and systems needed for medium and large networks.

Reduce the labor needed to identify indicators of compromise with an easy process to pivot to sessionized data / enriched metadata and reconstruct email and files for review.

Unique Portability

CyberPro encases the Packet Continuum architecture in a unique, impossibly small portable form factor. This makes it ideal for multiple cybersecurity use cases that require onsite response, analysis and mitigation.

There are a variety of transport options for the CyberPro, for ease of travel for incident response and other use cases.

  • Soft case with additional pockets for cords and accessories. Fits in the overhead bin of a plane.
  • Compact rugged case with foam cutouts for accessories. Also fits in the overhead bin of some planes.
  • Full size rugged case with wheels and telescoping handle.
    Can be checked as baggage, while giving you peace of mind that your system is safe.

Behavior / Signature Visibility & Logging

The log manager’s enhanced search capabilities, which allow integrated pivot to PCAP and enriched metadata, enable behavior and signature visibility.

The IDS Alert configurator and DPI Analyzer enable multi-level signature and behavior event session search and logging. This gives you the ability to configure groupings of signature and unusual behavior alerts dynamically from a grouping of 30,000.


This feature is exclusive to the CyberPro appliance form factor, incorporating all other features of the Packet Continuum architecture.

The CyberPro Log Manager now includes VOIP search, log, pivot and extract capabilities for Incident Response applications.

  • Log and search SIP based RTC/VOIP sessions
    • Includes ability to pivot to extract SIP (Session Initiation Protocol), RTP (Real-time Transport Protocol) and RTCP packets for each session
    • Extracted session can be loaded into Wireshark for further VOIP decoding including voice playback

Each VOIP session entry displays

  • Begin time of the session
  • Session information
  • RequestMethod
  • From, From_tag
  • Call-id
  • CSeq (Call sequence)
  • ResponseMethod
  • To, To_tag
  • Jitter summary (Avg., Median, Min., Max. value)

The VOIP tab provides two ways of filtering VOIP session data displayed.

  • “Find Text” Filter:
    • When this field is empty, all VOIP sessions are displayed.
    • As the user enters text into this text field, only the matching rows are displayed.
  • “Min Jitter” and “Max Jitter” Filter:
    • When both “Min Jitter” and “Max Jitter” fields are empty, only the sessions without RTCP packets are displayed.
    • When the user enters values into both “Min Jitter” and “Max Jitter” fields, only the sessions with jitter values that are >= “Min Jitter” and <= “Max Jitter” are displayed.
  • Both “Find Text” and Jitter filters can be used together.

VOIP sessions allow searching for SIP, RTP and RTCP packets for each session.

“SessionInfo” column for SIP sessions displays:

  • SIP source IP address, SIP source port
  • SIP destination IP address, SIP destination port
  • RTP inviter IP address, RTP inviter port.
  • RTP invitee IP address, RTP invitee port.

“SessionInfo” column for RTP and RTCP sessions displays:

  • SIP source IP address, SIP source port
  • SIP destination IP address, SIP destination port
  • RTP inviter IP address, RTP inviter port.
  • RTP invitee IP address, RTP invitee port.

Jitter summary column displays the data extracted from RTCP packets for the session:

  • Min and Max of the jitter values seen for this session
  • Average and Median of all the RTCP packets seen for this session.
  • Note: If the session does not contain any RTCP packets the Jitter summary column can be blank.

All Sessions/events under the VOIP log are clickable and searchable.

  • To search for and extract all SIP, RTP and RTCP packets of a session, click on the SessionInfo link for the session.
  • As each of SIP, RTP and RTCP has its own source IP/port and destination IP/port information, the search filter is a combination of three BPF expressions, one for each of these protocols, all belonging to the same VOIP session.
  • Clicking on the session info shown above brings the user to the search tab and autofills the search details for the session.
  • Note: The RTCP source IP address and destination IP address are the same as those for RTP, but the source port is (RTP inviter port + 1) and the destination port is (RTP invitee port + 1).
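
One way to assemble the three-part search filter described above, as an added example (not NextComputing's code). The clause layout, the function names and the sample addresses are assumptions; only the "RTP port + 1" rule for RTCP comes from the page.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int

    def __post_init__(self):
        ipaddress.ip_address(self.ip)  # ValueError on a malformed address
        if not 1 <= self.port <= 65535:
            raise ValueError(f"port out of range: {self.port}")


def pair_clause(a, b):
    """BPF clause for traffic between two endpoints, in either direction."""
    way = "(src host {0.ip} and src port {0.port} and dst host {1.ip} and dst port {1.port})"
    return f"({way.format(a, b)} or {way.format(b, a)})"


def rtcp_of(rtp):
    """RTCP endpoint per the note above: same IP address, RTP port + 1."""
    if rtp.port == 65535:
        raise ValueError("RTP port 65535 leaves no port for RTCP")
    return Endpoint(rtp.ip, rtp.port + 1)


def voip_session_bpf(sip_src, sip_dst, rtp_inviter, rtp_invitee):
    """One filter covering the SIP, RTP and RTCP packets of one VOIP session."""
    return " or ".join([
        pair_clause(sip_src, sip_dst),
        pair_clause(rtp_inviter, rtp_invitee),
        pair_clause(rtcp_of(rtp_inviter), rtcp_of(rtp_invitee)),
    ])


# Constructed SessionInfo values (documentation address ranges, not real hosts).
SAMPLE = voip_session_bpf(
    Endpoint("192.0.2.10", 5060), Endpoint("198.51.100.20", 5060),
    Endpoint("192.0.2.10", 16384), Endpoint("198.51.100.20", 20000),
)

if __name__ == "__main__":
    print(SAMPLE)
```

The resulting string can be passed to any libpcap-based tool (for example `tcpdump -r capture.pcap "<filter>"`) to cut one call out of an exported capture.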

Email Search / Extraction

Identify and search email strings and subjects. The email extraction feature includes sender, receiver, subject line and text reconstruction.

  • SMTP email session logging with body text in HTML format and file attachment reconstruction from original MIME format
  • SMTP subject, send and receive email address logging

Log Manager email tab showing SMTP email session extraction and reconstruction of email attachment as Excel file with original content and metadata file

Packet Continuum simplifies the email session logging process with pivot to sessionized search and file recovery.

  • Free form text search capability
  • Clickable by event
  • Second click initiates packet session recovery and file reconstruction
  • Just two more clicks to the reconstructed file and metadata for that HTTP or SMTP email session
  • All viewable and downloadable

List of SMTP email sessions searchable with time stamp, capture node location, session information, and SMTP email address, sender / receiver. A user can click to get the full session packets, extract email subject / text and reconstruct file attachments in original MIME format, PDF, doc, etc.

Search window based on selected sessions.

Reconstructed JPG file displayed with the metadata file associated with that graphic image.


Packet Continuum enables

  • HTTP, email and file transfer session logging and file identification
  • Identification and reconstruction of files and associated metadata in original mime type for viewing and analysis

File Leakage Session showing logs and pivot to session search and file reconstruction with metadata


Gain visibility into TLS / SSL encrypted sessions. Log and extract sessionized PCAP data via timestamp, capture node and session information for recovery of sessionized packets, then offload them to Wireshark using customer-provided keys.

Federation manager

Packet Continuum’s new Federation Manager allows you to federate multiple capture appliances in multiple locations.

  • Remote control capability via browser and REST API
  • Federated View of all data
  • Map-reduced framework to extract out packets, DPI data and logs across federation

Federation manager dashboard for easy identification of Packet Continuum appliances/clusters that can even be in different physical locations. Your enterprise network can identify the IP address of each appliance and federate together for a single pane of glass view of all network data.

Federated search across PCAP data, DPI log data and flow records, as well as email text and files for reconstruction.

Federated list of SMTP email sessions with time stamp, capture node location, session information, and SMTP email address, sender, and receiver. The user can click to obtain full session packets, extract email text and subject, and reconstruct attachments in their original MIME format, PDF, doc, etc.

Federated list of HTTP sessions with time stamp, capture node location, session information, and HTTP link summary and files. The user can click to obtain full session packets, extract email text, subject and reconstruct attachments in their original format.

Fast Query / Streaming

  • Fast, Streamed Query Results
    • Every query has the option to return PCAP files, IPFIX records, and/or any log files.
    • All results are streamed in “chunks”, the first of which appear almost immediately after the query initiates, allowing partial results to be analyzed while the remaining query is completed.
  • Historical “look-back” queries based on standard Berkeley Packet Filter (BPF) within a time period.
  • Active Trigger “look-forward” alerts, BPF-based and user-defined, can generate dozens of simultaneous alerts when the target condition occurs.
  • Pre-capture filters (BPF-based) can be changed on-the-fly during capture operations
  • All historical logs searchable by text string
  • Real-time indexing
    • Every packet gets a timestamp and correlation index
    • Every log & alert event is cross-correlated to PCAPs and IPFIX flow records
  • Streaming Playback Feature
    • PCAPs that have been searched/filtered/extracted with the Packet Continuum UI may be regenerated out a 1G copper RJ45 interface to an external device
    • Compatible with ANY 3rd party capture/analysis tool – just like a span/mirror port.

Great for recording, additional packet/signature analysis, or back-testing new firewall policies against real historical traffic.

Open Interface

Packet Continuum’s open interface enables use of 3rd party commercial and open source tools from SIEM for additional cyber analytics.

  • Open file formats and data viewers
    • Standard PCAP-NG file and IPFIX record extractions viewable in Wireshark or TShark
    • Log files and alerts viewable as CSV or text files in any compatible application such as MS Office.
  • Remote Access to file extractions with Web GUI
  • PCAP playback feature for 3rd party tools

Open REST/API for creating custom workflows to automate Incident Response, Policy-driven data retention, or interface to legacy analytics tools.

Scalable / Federated

Packet Continuum’s highly scalable, high performance network data recorder provides for forensics investigations based on breach detection and changed threats within a reasonable forensics timeline.

  • Lightweight, federated control and off-load of data capability
  • Scales up smoothly for any combination of desired goals for capture speed, IDS alerting, Log manager functions and extended forensic capture timeline
  • Scalable to multiple “cluster nodes”
    • Increased sustained capture rates
    • Increased packet analytics throughput
    • Extended storage timeline
  • Capture nodes push packet processing operations to distributed Cluster Nodes enabling
    • PCAP storage, compression and indexing
    • Log Manager functions
  • Federated search operates in parallel within the cluster enabling incredibly fast streaming results even with very large capture timelines
  • Cluster ready for smooth scale up to very high performance
  • Dynamic node management
    • Redundancy
    • Hot swap / expand


  • Innovative dynamic Sankey session relationship diagram shows top-talkers and SRC/DST IP/port pairs
  • One-click searches directly from the Sankey, Time Graph or Critical Alerts log auto-populate the query request, simplifying the process of locating PCAP files
  • Comprehensive Log Manager screen with tabs for each log type, allowing instant search and correlation with PCAP and IPFIX flow records
  • Remote access to manage and control multiple devices including hot accessible cluster node changes
  • Control of multiple clusters in a globally dispersed federation of capture systems

Trusted / Threat IP Detection

Asset IP Monitoring

CyberPro enables identification, monitoring, viewing and automatic approval of Critical IPs (essential infrastructure) as well as Trusted Asset IPs (host IP addresses defined as safe).

From the CyberPro Log Manager or Sankey Graph, users can:

  • Upload, view or delete lists of identified Asset IPs
  • Set alerts based on identified assets
  • Monitor / view sessions containing specified assets as the source or destination
  • With one click, view detailed PCAP session information where an asset is identified

Threat IP Monitoring

CyberPro enables identification, monitoring, viewing, and mitigation of pre-defined Threat IPs as well as user-defined IPs. For your protection, CyberPro comes pre-loaded with a known list of Threat IPs: a number of malicious IPs previously identified by trusted sources such as US-CERT.

From the CyberPro Log Manager or Sankey Graph, users can:

  • Upload/enable, view or delete/disable lists of identified Threat IPs
  • Set alerts based on identified Threat IPs
  • Create Active Defense actions (via user criteria or Suricata rules) to be taken when a Threat IP is identified
  • With one click, view detailed PCAP session information where a threat is identified

When a Threat IP is identified as present in a session, the system generates a severe alert and a pre-defined Active Defense action can be executed or, if one is not available, alert info can be sent to an external server.