PacketTotal is an engine for analyzing, categorizing, and sharing .pcap files.
The tool was built with the InfoSec community in mind, and has applications within malware analysis and network forensics. PacketTotal is 100% public, meaning any packet-captures uploaded to the site will become publicly available upon completed analysis.
Using PacketTotal is very easy, but before uploading your first packet-capture there are a few guidelines which should be observed.
- Avoid uploading packet-captures from home or work networks.
- Avoid capturing traffic which can reveal too much information about your environment.
- Consider using capture filters so that you only capture the traffic you wish to analyze/share.
- Consider capturing traffic in a sandboxed environment, one that is either physically or logically isolated from your main network.
PacketTotal currently supports pcap and pcapng files produced by tools such as Wireshark and tcpdump. The tool will accept any pcap or pcapng file of 50MB or less. However, there are some situations where packet-captures will be rejected even if they meet these criteria. If this occurs, try opening your packet-capture in a tool like Wireshark and saving it as a plain pcap file.
If your pcap conforms to the above criteria, you are ready to upload. Uploading can be done from practically any page on the site via the navigation bar.
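Added example (not PacketTotal's own code): a pre-upload check in Python that identifies a file as pcap or pcapng from its magic bytes and, for the simple case of one interface with the default microsecond timestamps, rewrites a pcapng as the plain pcap format recommended above; captures with several interfaces or a non-default if_tsresol option are refused so they can be re-saved in Wireshark instead. The sample capture returned by build_sample_pcapng() is constructed for the demonstration.

```python
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006  # pcapng block types

def detect_format(data):
    """Classify a capture by its leading magic bytes: 'pcap', 'pcapng' or 'unknown'."""
    if data[:4] == b"\x0a\x0d\x0d\x0a":
        return "pcapng"
    pcap_magics = (b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1",  # usec, either byte order
                   b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1")  # nsec variants
    return "pcap" if data[:4] in pcap_magics else "unknown"

def pcapng_to_pcap(data):
    """Rewrite a single-interface pcapng (default usec timestamps) as classic pcap."""
    endian, linktype, snaplen, records, off = "<", None, 0, [], 0
    while off + 12 <= len(data):
        btype = struct.unpack(endian + "I", data[off:off + 4])[0]
        if btype == SHB:  # byte-order magic decides how the rest of the section is read
            endian = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        blen = struct.unpack(endian + "I", data[off + 4:off + 8])[0]
        body = data[off + 8:off + blen - 4]
        if btype == IDB:
            if linktype is not None:
                raise ValueError("multiple interfaces; re-save with Wireshark instead")
            linktype, _, snaplen = struct.unpack(endian + "HHI", body[:8])
            opts = body[8:]
            while len(opts) >= 4 and opts[:2] != b"\x00\x00":  # stop at opt_endofopt
                code, olen = struct.unpack(endian + "HH", opts[:4])
                if code == 9:  # if_tsresol: timestamps are not microseconds
                    raise ValueError("if_tsresol set; timestamps would need rescaling")
                opts = opts[4 + ((olen + 3) & ~3):]  # option values are 32-bit padded
        elif btype == EPB:
            _, ts_hi, ts_lo, caplen, origlen = struct.unpack(endian + "5I", body[:20])
            ts = (ts_hi << 32) | ts_lo  # 64-bit timestamp in microseconds
            records.append(struct.pack("<IIII", ts // 10**6, ts % 10**6, caplen, origlen))
            records.append(body[20:20 + caplen])
        off += blen
    if linktype is None:
        raise ValueError("no Interface Description Block found")
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen or 65535, linktype)
    return header + b"".join(records)

def build_sample_pcapng():
    """Constructed input: one Ethernet interface, one 4-byte packet, little-endian."""
    ts = 1_500_000_000 * 10**6 + 123_456
    shb = struct.pack("<IIIHHq", SHB, 28, 0x1A2B3C4D, 1, 0, -1) + struct.pack("<I", 28)
    idb = struct.pack("<IIHHI", IDB, 20, 1, 0, 65535) + struct.pack("<I", 20)
    epb = struct.pack("<7I", EPB, 36, 0, ts >> 32, ts & 0xFFFFFFFF, 4, 4) + b"\xde\xad\xbe\xef"
    return shb + idb + epb + struct.pack("<I", 36)
```

Run detect_format() on the file bytes first; if it reports "pcapng", pass them through pcapng_to_pcap() before checking the result against the 50MB limit.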
The main upload interface, however, is found on the homepage. To use it, simply drag your packet-capture into the upload box. If you are using an older browser, dragging may not work; in that case you can click anywhere inside the box to start an upload.
Once you have verified you are human, your packet-capture will be queued for analysis. Depending on the number of packet-captures ahead of yours, it can take anywhere between 30 seconds and 10 minutes before processing is complete. When analysis of your packet-capture is finished, you will automatically be redirected to the Console view. From here you can explore the various protocols found within the capture and pivot to related packet-captures, which are presented sorted by how similar they are to yours.
How it works
Under the hood, PacketTotal relies on several powerful open-source tools which extract the information necessary to generate the various views available on the site. Foremost among these are Bro and Suricata IDS.
At the highest level, Bro is used to extract common protocols and artifacts from the packet-capture, and Suricata is leveraged primarily for signature-based detection of malicious activity. Once an analysis has been completed, there are three ways to view your packet-capture.
- Console view, a table-based view containing your pcap analysis in text.
- Graph view, which presents your pcap data in graphs and charts.
- Timeline view, a sequential ordering of every event in your pcap in an interactive display.
Arguably just as important as the analysis itself is the ability to quickly search through its results. Packet-captures can contain all types of data, and during the initial design phase we found a relational database to be inadequate on many levels. Instead of a traditional database, PacketTotal leverages Elasticsearch for storing and retrieving information quickly.
Search takes full advantage of the Elasticsearch backend and allows you to craft complex Lucene queries to zero in on the results most relevant to you. If you are interested in some of PacketTotal's more advanced search features, check out Search Builder to learn how to craft more granular queries.
Starting from either the Search or Recent Uploads pages, the Tags column shows what kinds of data PacketTotal's engines found inside each pcap. The tags shown there correspond to the tabs visible in the Console view for that packet capture.
From either page you can open the Console view for any packet capture by clicking its name. Alternatively, you can click the down arrow next to any packet capture name and go to Graph view, Timeline view, or download the pcap.
Whether you are in Console view, Graph view, or Timeline view for a particular packet capture, a panel is always present at the top of the view with the file metadata of the pcap you are analyzing, the ability to download that pcap and its artifacts, and a share option.
From Console view, you can switch to Graph or Timeline view for the packet capture by clicking one of the two blue icons on the right.