CapAnalysis - Deep Packet Inspection
CapAnalysis: for wireless investigations
User guide for capture analysis: TCP & UDP flows, deep packet inspection
By Chris Harrington
Background
CapAnalysis runs in Linux OS (x32/x64)
◦ Debian based
Pcap viewer
Analyze TCP & UDP streams
Supports multiple datasets
Performs deep packet inspection
Reporting and presentation capabilities
Using Kali Linux running in VMware Workstation for this guide
Requirements
Two packages need to be installed
◦ php5-sqlite
◦ php-mdb2-driver-pgsql
Command: apt-get install php5-sqlite
apt-get install php-mdb2-driver-pgsql
Restart apache service
Start CapAnalysis and Postgresql
Registration
URL: localhost:9877
Creating new dataset
Create a dataset for the suspect's case
Dataset name
Example: SuspectX
Uploading capture
Add capture files to analyze
Uploading methods
Via browser
Uploading methods
Via netcat
Command: cat <pcapfile> | nc ::1 30001
Datasets overview
Click on the dataset name to enter analysis
Inside the overview
Powerful filters are available for quick analysis. Use them for refined analysis.
Filters
Filter elements
Filter files
Filter IP/Ports
Filter protocols
Filter country
Filter data size
Filter date or time
Flows
Displays all UDP & TCP streams
Overview
Displays protocols used in dataset flows
◦ by country or by data type
Statistics
Statistics overview of dataset
◦ Quickly identify key information
Per hour
Timeline view of the distribution of data
Intervals can be set (minimum 5 minutes)
GeoMap
Map view of flows, data received and sent
◦ Interactive map
IPs Source & IPs Destination
Displays all source and destination IPs; clicking on an IP gives a detailed overview of that IP
Protocols
Chart view of protocol identification from the dataset
Mouse over
Click here for different data types
Timeline
Timeline display from dataset
Remember to use filters
Notes
Use advanced filters for refining analysis
Reporting and presentation capabilities
◦ Easy to understand for non-technical stakeholders
Timelines
Dissecting TCP and UDP streams
Time saving
Cost effective
Geolocation of all connections
Upload datasets with NetCat (scripting possibilities?)
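The netcat upload command on the "Via netcat" slide and the "scripting possibilities?" note above, worked through as an added example that is not part of the guide: a POSIX shell script that streams every capture in a directory to the CapAnalysis listener (::1 port 30001, as the slide shows), skipping files whose magic number is not libpcap or pcapng so a stray text file never pollutes the dataset. The names CAP_HOST, CAP_PORT, DRY_RUN, is_pcap, upload_pcap and upload_dir are chosen here, not taken from CapAnalysis.

```shell
#!/bin/sh
# Constructed example, not part of the CapAnalysis guide: bulk-upload captures
# to the dataset listener the guide describes (cat <pcapfile> | nc ::1 30001).
# CAP_HOST, CAP_PORT and DRY_RUN are variable names assumed for this script.
CAP_HOST="${CAP_HOST:-::1}"
CAP_PORT="${CAP_PORT:-30001}"

# is_pcap FILE: succeed only if the first four bytes are a libpcap magic number
# (either byte order, microsecond or nanosecond timestamps) or the pcapng
# Section Header Block type 0x0A0D0D0A.
is_pcap() {
    magic=$(od -An -N4 -tx1 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d|0a0d0d0a) return 0 ;;
        *) return 1 ;;
    esac
}

# upload_pcap FILE: stream one validated capture to CapAnalysis, equivalent to
# the guide's "cat <pcapfile> | nc ::1 30001". With DRY_RUN=1 nothing is sent;
# the transfer is only logged to stderr.
upload_pcap() {
    is_pcap "$1" || { echo "skip, not a capture: $1" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would send $1 to [$CAP_HOST]:$CAP_PORT" >&2
    else
        nc "$CAP_HOST" "$CAP_PORT" < "$1"
    fi
}

# upload_dir DIR: try every regular file in DIR and print "sent N skipped M".
upload_dir() {
    sent=0; skipped=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if upload_pcap "$f"; then sent=$((sent + 1)); else skipped=$((skipped + 1)); fi
    done
    echo "sent $sent skipped $skipped"
}
```

Run it as `DRY_RUN=1 ./upload.sh` first to see which files would be accepted, then without DRY_RUN once the CapAnalysis dataset is selected in the web interface.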