Friday, August 10, 2018

Packet Capture ( PCAP ) File Analysis Tools

PacketTotal:

                  allows you to upload a PCAP, or packet capture, file and have it automatically analyzed and parsed against BRO IDS and Suricata signatures in order to provide information on what may have been detected in the capture file.

                         


URL : https://packettotal.com/

Microsoft Message Analyzer:

 is the successor to Microsoft Network Monitor. It is helpful in capturing, displaying, and analyzing protocol messaging traffic and other system messages. It is not only an effective tool for troubleshooting network issues, but for testing and verifying protocol implementations as well.
                  




              

Message Analyzer can certainly be used to analyze .pcap files.  The tool is generic and not specific to Microsoft, but certainly more focus is put on the Windows scenarios so Microsoft related parsers are kept up to date.  However, you can analyze virtually any kind of data, going beyond network captures like EVT, ETW, CSV and many more.

Tools -> Options -> Parsing

Download Link : https://www.microsoft.com/en-in/download/details.aspx?id=44226

CapAnalysis:

               is a web visual tool for information security specialists, system administrators and everyone who needs to analyze large amounts of captured network traffic.



                      

CapAnalysis performs indexing of data set of PCAP files and presents their contents in many forms, starting from a list of TCP, UDP or ESP streams/flows, passing to the geo-graphical representation of the connections.

CapAnalysis is Open Source.

Download Link : https://www.capanalysis.net/ca/#download 

 Tcpdump

                a powerful command-line packet analyzer; and libpcap, a portable C/C++ library for network traffic capture.

                 

Its a premier network analysis tool.

Download Link : http://www.tcpdump.org/#latest-releases


PCAP Analyzer:

  is a fully graphical tool that has been developed by Daniel Botterill as part of his MSc Computer Security degree, it has been designed to take in a PCAP capture file and report back any malicious behaviour identified.
It includes the following major features:

  • Displaying of packets with support for major protocols
  • Reassembly of TCP/UDP streams and HTTP response/reply streams
  • Detection of ICMP IPV4/IPV6 address sweeps
  • Importable blacklists with settable formats
  • Detection of denial of service attacks
  • Detection of domain name fluxing & similar domains detection
  • Detection of downloaded files with support for file identifier and virus scanner input
  • Detection of port scans & port knocks
  • Detection of single fast fluxing domains & multiple IP usage domains
  • Automated parsing of Snort log for PCAP files
  • Detection of various traffic patterns: constant HTTP requests, multiple Host User-Agent Referer requests and TCP/UDP similar messages
  • Draggable and filterable network map displaying computers, connections and malicious behaviour
  • Malware release automation (Windows Only)
  • Malicious behaviour summary & uncategorised traffic