Capanalysis: An adventure in automated packet analysis

Recently I started a personal project I call “POL”. I’m not going to divulge what the acronym stands for at this point, but I will once I deem the project complete. One of the requirements of the project was the ability to automate PCAP data analysis. I didn’t necessarily know what information I was looking for in the PCAP, but I needed a starting point. I like my analysis to be visually based and somewhat simple to use. So after many nights of searching the net for the perfect application, I stumbled upon Capanalysis.

While it is not exactly perfect and could use some refinement, it fit my needs. The gist of Capanalysis is that you either capture network traffic on the same server Capanalysis is running on or upload a PCAP, and it automatically parses the data and displays it in many types of graphs and charts. It got me started down the road for my investigations.

I found that the Geo display and the Flows section of Capanalysis were the most helpful. There is a section that is supposed to display the WhoIs data for an IP address, but it doesn’t look as though the code has been implemented yet, which was a bit disappointing but not a deal breaker. For my project I had to do some customization of how Capanalysis gets its data. It is designed to have PCAP files uploaded through its web interface or captured via the CLI on the server. Neither of these options suited my automation needs, so I created my own way of feeding it files. It wasn’t very difficult; I simply needed to find out what the system did when a PCAP was uploaded.

It turns out that Capanalysis uploads the file to


and then renames it and moves it to


I have an rsync job running that pulls down my PCAP files from a remote server, places them in a set directory, and then removes the files from the source:

*/15 * * * *  rsync -Pav -e 'ssh -i /home/user/.ssh/id_rsa' root@x.x.x.x:/dump_files/ /dump_files --remove-source-files

I remove the files from the source because the capture is running on a VPS with limited storage and, frankly, I don’t need them in the cloud once they have been moved. Then I have a cron job that runs every 16 minutes and moves the PCAPs into the Capanalysis directory for processing. It is a fairly simple cron job:

*/16 * * * * mv /dump_files/* /opt/capanalysis/ds_1/new/
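A sturdier version of that second cron job, written for this post as an added example rather than something from Capanalysis itself. rsync writes an in-progress transfer as a dot-prefixed temp file in the landing directory and renames it only once it is complete, and a plain `mv` across filesystems is a copy followed by a delete, so a `mv /dump_files/*` that fires mid-transfer can hand Capanalysis a truncated capture. The function below (its name is mine) moves only finished `.pcap` files and lands each one in the intake directory with an atomic rename; the paths are the ones used in the post.

```sh
#!/bin/sh
# Added example (not part of Capanalysis): feed only completed PCAPs from the
# rsync landing directory into the Capanalysis intake directory.
set -eu

# move_ready_pcaps LANDING_DIR INTAKE_DIR
# Prints the number of files moved. The "*.pcap" glob never matches the
# dot-prefixed temp files rsync uses for transfers still in flight, so those
# are left alone until rsync renames them into place.
move_ready_pcaps() {
    src="$1"; dst="$2"; moved=0
    mkdir -p "$dst"
    for f in "$src"/*.pcap; do
        [ -e "$f" ] || continue          # glob matched nothing
        base=$(basename "$f")
        # Copy to a dot-prefixed temp name inside the intake directory, then
        # rename: the rename is atomic on the same filesystem, so Capanalysis
        # never picks up a half-written file even when /dump_files and /opt
        # live on different filesystems. Remove the source only afterwards.
        cp -p "$f" "$dst/.$base.tmp"
        mv "$dst/.$base.tmp" "$dst/$base"
        rm -f "$f"
        moved=$((moved + 1))
    done
    echo "$moved"
}

# Cron entry for this script (paths from the post):
#   */16 * * * * /usr/local/bin/move_ready_pcaps.sh --run
if [ "${1:-}" = "--run" ]; then
    move_ready_pcaps /dump_files /opt/capanalysis/ds_1/new
fi
```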


Making this work was not at all difficult, but I was really surprised that I was unable to find something open source that accomplished my goals. While it is lacking some bells and whistles, it is a great tool to begin an investigation of captured traffic. Let me know if I missed something or if you find this useful.

My Homelab Adventure Part 2

So now that I have shared my motivation for having my own home lab, the natural next step would be to acquire the necessary hardware.

Common sense would tell you that all you really need is a PC that is capable of handling a few virtual machines. But I didn’t exactly go the common sense route for my home lab. I wanted actual enterprise class hardware for my adventure. The most difficult part of acquiring enterprise class hardware is the cost barrier. Traditionally this equipment is more expensive because it offers higher quality and more reliable hardware.

So what did I buy, and where did I get it? I ended up with quite a smattering of items. The core of my home lab is 3 HP ProLiant DL360 G6 servers and 2 Cisco Catalyst 2950 switches. Along the way I acquired a Dell/EMC NAS device, a Juniper IDP 50, an F5 BIG-IP and a 42U server rack. You can find the full list and links to the items in one of my Reddit posts. I found most of my home lab equipment through my local county’s surplus auctions and got some stuff from eBay. If you live in a larger metro area, I recommend that you do some searches for your local county’s surplus auctions. They won’t always have what you’re looking for, so you may just have to keep an eye on it and wait for the right item to go on the block.