CapAnalysis for wireless investigations: user guide for capture analysis, TCP & UDP flows – deep packet inspection. By Chris Harrington

CapAnalysis - Deep Packet Inspection

Jun 27, 2015


CapAnalysis is a great tool that performs deep packet inspection and can easily be used for cyber investigations. This guide demonstrates its capabilities and features. The advanced reporting and presentation features allow all audiences to understand the information being presented, and the advanced filters make identification and analysis easy.
Page 1: CapAnalysis - Deep Packet Inspection

CapAnalysis for wireless investigations

User guide for capture analysis: TCP & UDP flows – deep packet inspection

By Chris Harrington

Page 2: CapAnalysis - Deep Packet Inspection

CapAnalysis runs on Linux (x32/x64)
◦ Debian based

Pcap viewer
Analyze TCP & UDP streams
Supports multiple datasets
Performs deep packet inspection
Reporting and presentation capabilities
Using Kali Linux running in VMware Workstation for this guide

Background

Page 3: CapAnalysis - Deep Packet Inspection

Two packages need to be installed
◦ php5-sqlite
◦ php-mdb2-driver-pgsql

Command: apt-get install php5-sqlite
apt-get install php-mdb2-driver-pgsql

Restart apache service

Start CapAnalysis and Postgresql

Requirements

Page 4: CapAnalysis - Deep Packet Inspection

URL: localhost:9877

Registration

Page 5: CapAnalysis - Deep Packet Inspection

Create a dataset for suspect’s case

Creating new dataset

Page 6: CapAnalysis - Deep Packet Inspection

Example: SuspectX

Dataset name

Page 7: CapAnalysis - Deep Packet Inspection

Add capture files to analyze

Uploading capture

Page 8: CapAnalysis - Deep Packet Inspection

Via browser

Uploading methods

Page 9: CapAnalysis - Deep Packet Inspection

Via netcat

Command: cat <pcapfile> | nc ::1 30001

Uploading methods
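The netcat upload shown on this slide (and the "scripting possibilities" raised on the Notes slide) can be wrapped in a small POSIX shell script. This is an added example, not part of the original guide or the CapAnalysis project. It assumes the listener address and port shown on the slide (::1, port 30001) and that nc is installed; both can be overridden with CAP_HOST and CAP_PORT. Before sending, it checks each file's magic number so that a stray non-capture file is not pushed into the suspect's dataset.

```shell
#!/bin/sh
# Added example: batch-upload capture files to the CapAnalysis netcat listener.
# Equivalent to the guide's "cat <pcapfile> | nc ::1 30001", run once per file.
# Host and port are assumptions taken from the slide; override via environment.
CAP_HOST="${CAP_HOST:-::1}"
CAP_PORT="${CAP_PORT:-30001}"

# Print the first four bytes of a file as lowercase hex without separators.
file_magic() {
    od -An -N4 -tx1 "$1" | tr -d ' \n'
}

# Return 0 if the file starts with a pcap (either byte order, micro- or
# nanosecond timestamps) or pcapng magic number, 1 otherwise.
is_capture_file() {
    case "$(file_magic "$1")" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d|0a0d0d0a) return 0 ;;
        *) return 1 ;;
    esac
}

# Upload one file. Returns 1 (without touching the network) when the file is
# unreadable or is not a capture, so junk never reaches the dataset.
upload_capture() {
    f="$1"
    [ -r "$f" ] || { echo "skip: $f (unreadable)" >&2; return 1; }
    is_capture_file "$f" || { echo "skip: $f (not pcap/pcapng)" >&2; return 1; }
    # Raw stream to the listener; CapAnalysis ingests it into the open dataset.
    nc "$CAP_HOST" "$CAP_PORT" < "$f"
}

# Upload every file given. Prints a summary and returns 0 only if nothing
# was skipped, so a calling script can notice incomplete evidence uploads.
upload_all() {
    ok=0; bad=0
    for f in "$@"; do
        if upload_capture "$f"; then ok=$((ok+1)); else bad=$((bad+1)); fi
    done
    echo "uploaded=$ok skipped=$bad"
    [ "$bad" -eq 0 ]
}

# Usage: sh upload_caps.sh case_captures/*.pcap
if [ "$#" -gt 0 ]; then
    upload_all "$@"
fi
```

Run it on the Kali workstation after CapAnalysis is started and the dataset has been created, passing the capture files for the case as arguments; the magic-number check is the only validation performed, so a truncated or corrupt capture that still carries a valid header is sent through and must be checked in the Flows view afterwards.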

Page 10: CapAnalysis - Deep Packet Inspection

Click on dataset name to enter analysis

Datasets overview

Page 11: CapAnalysis - Deep Packet Inspection

Powerful filters are available for quick analysis. Use them for refined analysis

Inside the overview

Page 12: CapAnalysis - Deep Packet Inspection

Filters


Filter elements

Filter files

Filter IP/Ports

Filter protocols

Filter country

Filter data size

Filter date or time

Page 13: CapAnalysis - Deep Packet Inspection

Displays all UDP & TCP streams

Flows

Page 14: CapAnalysis - Deep Packet Inspection

Displays protocols used in dataset flows
◦ by country or by data type

Overview

Page 15: CapAnalysis - Deep Packet Inspection

Statistics overview of dataset
◦ Quickly identify key information

Statistics

Page 16: CapAnalysis - Deep Packet Inspection

Timeline view of distribution of data
Intervals can be set (minimum 5 minutes)

Per hour

Page 17: CapAnalysis - Deep Packet Inspection

Map view of flows, data received and sent
◦ Interactive map

GeoMap

Page 18: CapAnalysis - Deep Packet Inspection

Displays all source and destination IPs; clicking on an IP gives a detailed overview of that IP

IPs Source & IPs Destination

Page 19: CapAnalysis - Deep Packet Inspection

Chart view of protocol identification from the dataset

Protocols

Mouse over

Click here for different data types

Page 20: CapAnalysis - Deep Packet Inspection

Timeline display from dataset
Remember to use filters

Timeline

Page 21: CapAnalysis - Deep Packet Inspection

Use advanced filters for refining analysis
Reporting and presentation capabilities
◦ Easy to understand for non-technical stakeholders
Timelines
Dissecting TCP and UDP streams
Time saving
Cost effective
Geolocation of all connections
Upload datasets with NetCat (scripting possibilities?)

Notes

Page 22: CapAnalysis - Deep Packet Inspection

My contact details

[email protected]

Questions?