CapAnalysisFor wireless investigations

User guide for capture analysisTCP & UDP Flows – deep packet inspection

By Chris Harrington

CapAnalysis runs in Linux OS (x32/x64)◦ Debian based

Pcap viewer Analyze TCP & UDP streams Supports multiple datasets Performs deep packet inspection Reporting and presentation capabilities Using Kali Linux running in VMware

workstation for this guide

Background

Two packages need to be installed◦ php5-sqlite◦ php-mdb2-driver-pgsqlCommand: apt-get install php5-sqlite

apt-get install php-mdb2-driver-pgsql

Restart apache service

Start CapAnalysis and Postgresql

Requirements

URL: localhost:9877

Registration

Create a dataset for suspect’s case

Creating new dataset

Example: SuspectX

Dataset name

Add capture files to analyze

Uploading capture

Via browser

Uploading methods

Via netcat

Command: cat <pcapfile> | nc ::1 30001

Uploading methods

Click on dataset name to enter analysis

Datasets overview

Powerful filters are available for quick analysis. Use them for refined analysis

Inside the overview

Filters

Filter elementsFilter files

Filter IP/PortsFilter protocolsFilter countryFilter data size

Filter date or time

Filter elements

Filter files

Filter IP/Ports

Filter protocols

Filter country

Filter data size

Filter date or time

Displays all UDP & TCP streams

Flows

Displays protocols used in dataset flows◦ by country or by data type

Overview

Statistics overview of dataset◦ Quickly identify key information

Statistics

Timeline view of distribution of data Intervals can be set (minimum 5 minutes)

Per hour

Map view of flows, data received and sent◦ Interactive map

GeoMap

Displaying all source and destination IPs clicking on an IP will give detailed overview of that IP

IPs Source & IPs Destination

Chart view of protocols identification from dataset

Protocols

Mouse over

Click here for different data types

Timeline display from datasetRemember to use filters

Timeline

Use advanced filters for refining analysis Reporting and presentation capabilities

◦ Easy to understand for non technical stakeholders Timelines Dissecting TCP and UDP streams Time saving Cost effective Geolocation of all connections Upload datasets with NetCat (scripting

possibilities?)

Notes

My contact details

C.k.harrington@gmail.com

Questions?