Capture triggers for capturing network data
US-9596253-B2 · Mar 14, 2017 · US
US12224984B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12224984-B2 |
| Application number | US-202318520385-A |
| Country | US |
| Kind code | B2 |
| Filing date | Nov 27, 2023 |
| Priority date | Mar 31, 2021 |
| Publication date | Feb 11, 2025 |
| Grant date | Feb 11, 2025 |
Official abstract text for this publication.
Internet of Things (IoT) device application workload capture is disclosed. A target IoT device is selected. A flow associated with the target IoT device is determined and tagged. Packets from the tagged flow are admitted into a ring buffer. An indication is received that an extraction should be performed on a portion of the packets included in the ring buffer.
Opening claim text (preview).
What is claimed is:

1. A system, comprising: a processor configured to: select a target IoT device; determine and tag a flow associated with the target IoT device; admit packets from the tagged flow into a ring buffer; receive an indication that an extraction should be performed on a portion of the packets included in the ring buffer; and extract the portion of the packets; and a memory coupled to the processor and configured to provide the processor with instructions.
2. The system of claim 1, wherein the target IoT device is selected at least in part based on a detection of an elevation of a risk score.
3. The system of claim 2, wherein the risk score is elevated based at least in part on a determination of an applicability of a known exploit to the target IoT device.
4. The system of claim 2, wherein the risk score is elevated based at least in part on an observation of an attempted exploit of the target IoT device.
5. The system of claim 1, wherein the target IoT device is selected at least in part based on a URL with which the target IoT device communicates.
6. The system of claim 1, wherein the indication is received as part of a time-based trigger.
7. The system of claim 1, wherein the indication is received in response to a generation of an alert.
8. The system of claim 1, wherein the extracted portion of the packets is provided to a network traffic analysis system.
9. The system of claim 1, wherein the processor is further configured to receive an indication to stop admitting packets associated with the target IoT device into the ring buffer.
10. The system of claim 9, wherein the indication to stop admitting the packets is received in response to a predefined number of sessions associated with the target IoT device.
11. A method, comprising: selecting a target IoT device; determining and tagging a flow associated with the target IoT device; admitting packets from the tagged flow into a ring buffer; receiving an indication that an extraction should be performed on a portion of the packets included in the ring buffer; and extracting the portion of the packets.
12. A computer program product embodied in a non-transitory computer readable medium and comprising computer instructions for: selecting a target IoT device; determining and tagging a flow associated with the target IoT device; admitting packets from the tagged flow into a ring buffer; receiving an indication that an extraction should be performed on a portion of the packets included in the ring buffer; and extracting the portion of the packets.
13. The method of claim 11, wherein the target IoT device is selected at least in part based on a detection of an elevation of a risk score.
14. The method of claim 13, wherein the risk score is elevated based at least in part on a determination of an applicability of a known exploit to the target IoT device.
15. The method of claim 13, wherein the risk score is elevated based at least in part on an observation of an attempted exploit of the target IoT device.
16. The method of claim 11, wherein the target IoT device is selected at least in part based on a URL with which the target IoT device communicates.
17. The method of claim 11, wherein the indication is received as part of a time-based trigger.
18. The method of claim 11, wherein the indication is received in response to a generation of an alert.
19. The method of claim 11, wherein the extracted portion of the packets is provided to a network traffic analysis system.
20. The method of claim 11, further comprising receiving an indication to stop admitting packets associated with the target IoT device into the ring buffer.
21. The method of claim 20, wherein the indication to stop admitting the packets is received in response to a predefined number of sessions associated with the target IoT device.
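
The capture loop the claims describe (select a target, tag its flows, admit packets into a ring buffer, extract a window on an indication, stop after a session budget), sketched as an added example that is not code from the patent. All names (`WorkloadCapture`, `flow_key`, `run_sample`), the 4-tuple flow key, the timestamp-window extraction, and the reading of the stop condition in claims 9-10 as "a new session beyond the budget ends admission" are assumptions.

```python
from collections import deque, namedtuple

Packet = namedtuple("Packet", "ts src sport dst dport")

def flow_key(p):
    # Direction-independent key so both halves of a session share one tag.
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

class WorkloadCapture:
    def __init__(self, capacity, max_sessions):
        self.ring = deque(maxlen=capacity)  # a full ring drops the oldest packet
        self.max_sessions = max_sessions    # assumed stop condition (claims 9-10)
        self.target, self.tagged, self.admitting = None, set(), False

    def select_target(self, device_ip):
        # The claims tie selection to e.g. a risk-score elevation; here it is a call.
        self.target, self.tagged, self.admitting = device_ip, set(), True

    def observe(self, p):
        """Return True if the packet was admitted into the ring buffer."""
        if not self.admitting or self.target not in (p.src, p.dst):
            return False
        key = flow_key(p)
        if key not in self.tagged:
            if len(self.tagged) >= self.max_sessions:
                self.admitting = False      # session budget spent: stop admitting
                return False
            self.tagged.add(key)            # tag the new flow
        self.ring.append(p)
        return True

    def extract(self, start_ts, end_ts):
        # Run on an alert or a timer: copy out only the requested window.
        return [p for p in self.ring if start_ts <= p.ts <= end_ts]

# Constructed sample traffic (private and documentation ranges); 10.0.0.5 is the target.
SAMPLE = [
    Packet(1, "10.0.0.9", 5000, "10.0.0.1", 53),
    Packet(2, "10.0.0.5", 40000, "203.0.113.7", 443),
    Packet(3, "203.0.113.7", 443, "10.0.0.5", 40000),
    Packet(4, "10.0.0.5", 40001, "198.51.100.2", 1883),
    Packet(5, "10.0.0.5", 40000, "203.0.113.7", 443),
    Packet(6, "10.0.0.5", 40002, "192.0.2.9", 80),
    Packet(7, "10.0.0.5", 40000, "203.0.113.7", 443),
]

def run_sample():
    cap = WorkloadCapture(capacity=3, max_sessions=2)
    cap.select_target("10.0.0.5")
    admitted = [cap.observe(p) for p in SAMPLE]
    return admitted, [p.ts for p in cap.extract(4, 5)], [p.ts for p in cap.ring]
```

With a capacity of three, the packet at timestamp 2 has already been overwritten by the time of extraction, which is the trade-off a ring buffer makes: the trigger must arrive before the packets of interest age out.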
Security thereof · CPC title
Management of faults, events, alarms or notifications · CPC title
the condition being an adaptation, e.g. in response to network events · CPC title
Information technology; Communication · CPC title
by filtering · CPC title