Capanalysis: An adventure in automated packet analysis


Recently I started a personal project I call “POL”. I’m not going to divulge what the acronym stands for at this point, but I will in the future, when I deem the project complete. One of the requirements of the project was the ability to automate PCAP data analysis. I didn’t necessarily know what information I was looking for in the PCAP, but I needed a starting point. I like my analysis to be visually based and somewhat simple to use, so after many nights of searching the net for the perfect application, I stumbled upon Capanalysis.

While it is not exactly perfect and could use some refinement, it fit my needs. The gist of Capanalysis is that you capture network traffic on the same server that you are running Capanalysis on, or upload a PCAP, and it automatically parses the data and displays it in many types of graphs and charts. It got me started down the road for my investigations.

I found that the Geo display and Flows section of Capanalysis were the most helpful. There is a section that is supposed to display the WhoIs data for an IP address, but it doesn’t look as though that code has been implemented yet, which was a bit disappointing but not a deal breaker. For my project I had to do some customization of how Capanalysis gets the data. It is designed to have PCAP files uploaded through its web interface or captured via the CLI on the server. Neither of these options suited my automation needs, so I built my own. It wasn’t very difficult; I simply needed to find out what the system did when a PCAP was uploaded.

Turns out that Capanalysis uploads the file to

/opt/capanalysis/ds_1/new/ 

and then renames it and moves it to

/opt/capanalysis/ds_1/raw

I have an rsync job running that pulls down my PCAP files from a remote server, places them in a set directory, and then removes the files from the source:

*/15 * * * *  rsync -Pav -e 'ssh -i /home/user/.ssh/id_rsa' root@x.x.x.x:/dump_files/ /dump_files --remove-source-files

I remove the files from the source because the capture is running on a VPS with limited storage, and frankly I don’t have the need for them in the cloud once they have been moved. Then I have a cron job that runs every 16 minutes and moves the PCAPs into the Capanalysis directory for processing. A fairly simple cron job:

*/16 * * * * mv /dump_files/* /opt/capanalysis/ds_1/new/

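As an added example (not from this post and not part of Capanalysis), here is a hand-off script that could stand in for the mv cron job above. It only moves files that carry a pcap or pcapng magic number and have stopped changing, so a capture that rsync is still writing is never handed to Capanalysis half-finished, and stray non-capture files in the landing directory are left alone. The two directories are the post's own; MIN_AGE and the script path are assumptions.

```shell
#!/bin/sh
# Added example (not from the post or Capanalysis): hand settled, valid
# captures from the rsync landing directory to the Capanalysis ingest
# directory. Paths default to the ones the post uses; MIN_AGE is assumed.
SRC="${SRC:-/dump_files}"
DST="${DST:-/opt/capanalysis/ds_1/new}"
MIN_AGE="${MIN_AGE:-120}"   # seconds a file must be unchanged before moving

# is_pcap FILE: succeeds if FILE begins with a libpcap magic number
# (a1b2c3d4/d4c3b2a1, nanosecond a1b23c4d/4d3cb2a1) or a pcapng
# section header block (0a0d0d0a).
is_pcap() {
    magic=$(od -An -N4 -tx1 "$1" | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1|0a0d0d0a) return 0 ;;
        *) return 1 ;;
    esac
}

# is_settled FILE: succeeds if FILE has not changed for MIN_AGE seconds,
# so a transfer rsync is still writing is not handed over half-finished.
is_settled() {
    now=$(date +%s)
    mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1")
    [ $((now - mtime)) -ge "$MIN_AGE" ]
}

# move_ready: move every settled, valid capture from SRC to DST and print
# how many were moved. rsync's in-progress temp files are dotfiles
# (".name.XXXXXX"), so the glob below never sees them.
move_ready() {
    moved=0
    for f in "$SRC"/*; do
        [ -f "$f" ] || continue
        if ! is_pcap "$f"; then
            echo "skip (not a capture): $f" >&2
            continue
        fi
        if ! is_settled "$f"; then
            echo "skip (still changing): $f" >&2
            continue
        fi
        mv -- "$f" "$DST"/ && moved=$((moved + 1))
    done
    echo "$moved"
}
# Cron line replacing the post's mv job (script path is an assumption):
#   */16 * * * * /usr/local/bin/move_ready.sh run
if [ "${1:-}" = "run" ]; then move_ready; fi
```

The skipped files are reported on stderr, which cron mails to the job owner, so a file that never settles or never validates shows up instead of silently piling up.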

Making this work was not at all difficult, but I was really surprised that I was unable to find something open source that accomplished my goals. While it is lacking in some bells and whistles, it is a great tool to begin an investigation of captured traffic. Let me know if I missed something or if you find this useful.
