packet

  • PCAP Analysis

    If PCAP analysis isn't your full-time job, the occasional need for quick information can be frustrating because of the time it takes to parse PCAP files properly.

    The quick and easy solution is to use NetworkMiner. It runs on Windows, OS X, FreeBSD, and Linux, and it removes all of the pain from parsing. I've used NetworkMiner to parse up to 8 GB of PCAP files in one session and it performed brilliantly. If you want to export data you will need to buy the 500 EUR professional license, but given how precious time is, this is an indispensable tool.

    Analysts usually need the quick and dirty data points. When you need to derive NetFlow (in CSV format) from a PCAP, I recommend using CERT's YAF tool. The following should retrieve what you need:

    yaf --in [PCAP_FILE].raw --silk --out [NEW_FILE].yaf

    rwipfix2silk --silk-output [DATE_FORMAT].silk *.yaf

    rwcut --delimited="," --output-path [DATE_FILE].csv [DATE_FILE].silk
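    Once the pipeline above has produced the CSV, the quick data points are one short script away. This is an added example, not code from the original post: it reads the kind of CSV rwcut emits (default field names, header row included) and summarises the heaviest conversations and per-source port fan-out. The sample rows are constructed, not real traffic.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of what `rwcut --delimited=","` emits from SiLK flow
# records (default field set, header row included). Not real traffic.
SAMPLE_CSV = """sIP,dIP,sPort,dPort,protocol,packets,bytes,flags,sTime,duration,eTime,sensor
10.0.0.5,192.0.2.10,51234,443,6,40,31200,FS PA,2023/01/01T10:00:00.000,12.500,2023/01/01T10:00:12.500,S0
10.0.0.5,192.0.2.10,51235,443,6,38,29800,FS PA,2023/01/01T10:00:20.000,9.000,2023/01/01T10:00:29.000,S0
10.0.0.7,192.0.2.20,40001,22,6,3,180,S,2023/01/01T10:01:00.000,0.001,2023/01/01T10:01:00.001,S0
10.0.0.7,192.0.2.20,40002,23,6,3,180,S,2023/01/01T10:01:00.100,0.001,2023/01/01T10:01:00.101,S0
10.0.0.7,192.0.2.20,40003,80,6,3,180,S,2023/01/01T10:01:00.200,0.001,2023/01/01T10:01:00.201,S0
10.0.0.9,198.51.100.5,53412,53,17,2,140,,2023/01/01T10:02:00.000,0.050,2023/01/01T10:02:00.050,S0
"""


def load_flows(text):
    """Parse rwcut CSV text into a list of dicts with the numeric fields converted."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["bytes"] = int(row["bytes"])
        row["packets"] = int(row["packets"])
        row["dPort"] = int(row["dPort"])
        rows.append(row)
    return rows


def top_talkers(flows, n=3):
    """Return [(sIP, dIP, total_bytes)] for the n heaviest source/destination pairs."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["sIP"], f["dIP"])] += f["bytes"]
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(s, d, b) for (s, d), b in ranked[:n]]


def fan_out(flows):
    """Return {sIP: number of distinct destination ports} - a quick data point
    for spotting a source that touches many ports with tiny flows."""
    ports = defaultdict(set)
    for f in flows:
        ports[f["sIP"]].add(f["dPort"])
    return {ip: len(p) for ip, p in ports.items()}


if __name__ == "__main__":
    flows = load_flows(SAMPLE_CSV)
    for s, d, b in top_talkers(flows):
        print(f"{s} -> {d}: {b} bytes")
    print(fan_out(flows))
```

    Point `load_flows` at the contents of the `[DATE_FILE].csv` produced by rwcut to run it on real output.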