capanalysis - deep packet inspection

Post on 27-Jun-2015

Category:

Technology

DESCRIPTION

CapAnalysis is a tool that performs deep packet inspection on packet captures and can be used for cyber investigations. This guide demonstrates its capabilities and features. Its reporting and presentation features let audiences of any technical level understand the information being presented, and its filters make identification and analysis straightforward.

TRANSCRIPT

CapAnalysis
For wireless investigations

User guide for capture analysis
TCP & UDP flows, deep packet inspection

By Chris Harrington

Background
CapAnalysis runs on Linux (32-bit and 64-bit)
◦ Debian-based distributions
Pcap viewer
Analyzes TCP and UDP streams
Supports multiple datasets
Performs deep packet inspection
Reporting and presentation capabilities
This guide uses Kali Linux running in VMware Workstation

Requirements
Two packages need to be installed
◦ php5-sqlite
◦ php-mdb2-driver-pgsql
Command: apt-get install php5-sqlite
Command: apt-get install php-mdb2-driver-pgsql
Restart the Apache service
Start CapAnalysis and PostgreSQL

Registration
Web interface URL: localhost:9877

Creating new dataset
Create a dataset for the suspect's case
Dataset name, example: SuspectX

Uploading capture
Add capture files to analyze

Uploading methods
Via browser
Via netcat
Command: cat <pcapfile> | nc ::1 30001
(::1 is the IPv6 loopback address; use 127.0.0.1 if the listener is bound to IPv4 only. The listener accepts whatever it is sent with no authentication, so it must only be reachable from the local host.)
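Scripting the netcat upload, as an added example rather than code from the slides or from the CapAnalysis project: the script below checks each file's libpcap magic number before sending it (so a wrong or truncated file is not silently ingested into the dataset), records a SHA-256 of the file so the capture in the dataset can later be tied back to the original evidence, and then streams it with the same command as the slide. The CAP_HOST, CAP_PORT, CAP_LOG and CAPANALYSIS_DRY_RUN variables are this example's own assumptions, not CapAnalysis settings.

```shell
#!/bin/sh
# Added example (not part of the original slides or of CapAnalysis):
# scripted upload of capture files to the CapAnalysis netcat listener
# (slide command: cat <pcapfile> | nc ::1 30001), with two checks an
# investigator wants before evidence lands in a dataset:
#   1. the file really is a libpcap capture (magic number check);
#   2. a SHA-256 of each file is logged before upload (chain of custody).
# Assumed knobs (this example's, not the tool's): CAP_HOST/CAP_PORT for the
# listener, CAP_LOG for the hash log, CAPANALYSIS_DRY_RUN=1 to print the
# upload command instead of running it.

CAP_HOST=${CAP_HOST:-::1}          # ::1 is the IPv6 loopback, as on the slide
CAP_PORT=${CAP_PORT:-30001}
CAP_LOG=${CAP_LOG:-./capanalysis-uploads.sha256}

# First four bytes of a file as lowercase hex, e.g. "d4c3b2a1".
magic_hex() {
    dd if="$1" bs=1 count=4 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Succeed if the file starts with a libpcap magic number (either byte
# order, microsecond or nanosecond timestamps). This confirms only the
# container format, not that CapAnalysis dissects every link type inside.
is_pcap() {
    case "$(magic_hex "$1")" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) return 0 ;;
        *) return 1 ;;
    esac
}

# SHA-256 of a file (coreutils sha256sum, or shasum where that is absent).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Validate, log the hash, then stream one capture to the listener.
# Returns 1 without touching the network if the file is not a pcap.
upload_pcap() {
    f=$1
    if ! is_pcap "$f"; then
        echo "skipping $f: not a libpcap capture" >&2
        return 1
    fi
    printf '%s  %s\n' "$(hash_file "$f")" "$f" >> "$CAP_LOG"
    if [ "${CAPANALYSIS_DRY_RUN:-0}" = 1 ]; then
        echo "would run: cat '$f' | nc $CAP_HOST $CAP_PORT"
    else
        # Same command as the slide; see the note on nc variants below.
        cat "$f" | nc "$CAP_HOST" "$CAP_PORT"
    fi
}

# Usage: sh upload.sh case1.pcap case2.pcap ...
# With no arguments only the functions are defined (the file can be sourced).
for f in "$@"; do
    upload_pcap "$f" || true
done
```

Whether the connection closes once the file has been sent depends on the netcat variant installed: OpenBSD nc needs `-N` to shut down the socket at end of input and netcat-traditional needs `-q 0`; without one of those the command can sit open after the upload. The hash log is the record to keep with the case, since the dataset itself does not prove which original file a capture came from.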

Datasets overview
Click on the dataset name to enter the analysis

Inside the overview
Powerful filters are available for quick analysis; use them to refine the analysis

Filters
Filter elements:
◦ Filter files
◦ Filter IP/ports
◦ Filter protocols
◦ Filter country
◦ Filter data size
◦ Filter date or time

Flows
Displays all UDP and TCP streams

Overview
Displays protocols used in the dataset flows
◦ by country or by data type

Statistics
Statistics overview of the dataset
◦ Quickly identify key information

Per hour
Timeline view of the distribution of data
Intervals can be set (minimum 5 minutes)

GeoMap
Map view of flows, data received and sent
◦ Interactive map

IPs Source & IPs Destination
Displays all source and destination IPs; clicking on an IP gives a detailed overview of that IP

Protocols
Chart view of protocol identification from the dataset
Callouts on the slide: "Mouse over" and "Click here for different data types"

Timeline
Timeline display from the dataset
Remember to use filters

Notes
Use advanced filters for refining analysis
Reporting and presentation capabilities
◦ Easy to understand for non-technical stakeholders
Timelines
Dissecting TCP and UDP streams
Time saving
Cost effective
Geolocation of all connections (country attribution comes from IP geolocation data, so treat it as approximate)
Upload datasets with netcat (scripting possibilities?)

My contact details

C.k.harrington@gmail.com

Questions?