PacketTotal

PacketTotal is an engine for analyzing, categorizing, and sharing .pcap files.

The tool was built with the InfoSec community in mind, and has applications within malware analysis and network forensics. PacketTotal is 100% public, meaning any packet-captures uploaded to the site will become publicly available upon completed analysis.

Introducing the PacketTotal API!

We at PacketTotal are thrilled to release our first ever API!

The new search API will allow you to:

  1. Programmatically search for any IOC (md5, domain name, malware strain, IP address, etc.) on our performance-enhanced backend.
  2. Download the analysis logs for a specific pcap in .zip format without ever having to navigate to PacketTotal.com.
  3. Create complex searches via our new deep search endpoint.

Read more about how to use our API

Getting started

Using PacketTotal is very easy. Before uploading your first pcap, consider the general guidelines below.

  • Avoid uploading pcaps captured on home or work networks.
  • Avoid capturing traffic that can reveal too much information about your environment.
  • Consider using capture filters to capture only the traffic you wish to analyze/share.
  • Consider capturing pcaps from a sandboxed environment.

PacketTotal currently supports pcap and pcapng files produced by tools such as Wireshark and tcpdump. The tool will accept any pcap or pcapng file of 50MB or less. If you receive an error on upload, try opening your packet-capture in a tool like Wireshark and saving it as a plain pcap file.
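As an added example (not part of PacketTotal's own tooling), the following Python pre-upload check applies these guidelines locally: it identifies the file as pcap or pcapng from its magic bytes, enforces the 50MB limit, and, for classic pcap files captured over Ethernet, lists any RFC1918 or loopback IPv4 addresses that would reveal your environment once the capture becomes public. The one-packet capture it builds is constructed inline; the private-address heuristic is an assumption drawn from the guidelines above, not a PacketTotal feature.

```python
import struct
import ipaddress

MAX_UPLOAD_BYTES = 50 * 1024 * 1024  # PacketTotal's stated 50MB upload limit
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # classic pcap, LE/BE
               b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nanosecond variants
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # pcapng Section Header Block type


def classify(data: bytes) -> str:
    """Return 'pcap', 'pcapng' or 'unknown' from the leading magic bytes."""
    return "pcapng" if data[:4] == PCAPNG_MAGIC else "pcap" if data[:4] in PCAP_MAGICS else "unknown"


def private_endpoints(data: bytes) -> set:
    """Walk a classic pcap over Ethernet and collect RFC1918/loopback IPv4 addresses."""
    endian = PCAP_MAGICS[data[:4]]
    if len(data) < 24 or struct.unpack(endian + "I", data[20:24])[0] != 1:  # LINKTYPE_ETHERNET only
        return set()
    found, off = set(), 24  # packet records start after the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) >= 34 and pkt[12:14] == b"\x08\x00":  # EtherType IPv4
            for raw in (pkt[26:30], pkt[30:34]):  # IPv4 source, destination
                ip = ipaddress.IPv4Address(raw)
                if ip.is_private or ip.is_loopback:
                    found.add(str(ip))
    return found


def precheck(data: bytes) -> dict:
    """Apply the page's upload rules: accepted format, 50MB cap, no internal addresses."""
    kind, problems = classify(data), []
    if kind == "unknown":
        problems.append("not pcap/pcapng: open it in Wireshark and save as plain pcap")
    if len(data) > MAX_UPLOAD_BYTES:
        problems.append("larger than the 50MB limit")
    leaks = private_endpoints(data) if kind == "pcap" else set()  # pcapng walking not implemented
    if leaks:
        problems.append("reveals internal addresses: " + ", ".join(sorted(leaks)))
    return {"format": kind, "size": len(data), "ok": not problems, "problems": problems}


def sample_pcap() -> bytes:
    """Constructed one-packet pcap (not real traffic): 192.168.1.10 -> 8.8.8.8, UDP."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     b"\xc0\xa8\x01\x0a", b"\x08\x08\x08\x08")
    frame = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + b"\x00" * 8  # Ethernet + IPv4 + UDP
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    record = struct.pack("<IIII", 0, 0, len(frame), len(frame))  # ts_sec, ts_usec, incl, orig
    return header + record + frame
```

Run `precheck(open("capture.pcap", "rb").read())` on a real file; a non-empty `problems` list means the capture should not be uploaded as-is.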

If your pcap conforms to the above criteria, you are ready to upload. Uploading can be done from practically any page on the site via the navigation bar.

Upload from navigation

The main upload interface, however, is found on the homepage. To use it, simply drag your pcap or pcapng file into the upload box. If you are using an older browser, dragging may not work; in that case, click anywhere inside the box to start an upload.

Once your packet-capture has been uploaded, you will be prompted to solve a captcha.

Analysis Captcha Challenge

When solved, your packet-capture will be added to a queue to be processed.

That's it. Depending on the size of the queue, your packet-capture can take anywhere from 30 seconds to 10 minutes to process. When analysis is finished you will automatically be redirected to the console view. From here you can explore the various protocols found within the capture and pivot to other captures similar to the one you uploaded.

How it works

Analysis

Underneath the hood, PacketTotal relies on some incredibly powerful open-source solutions to quickly and accurately analyze packet-captures. Foremost among these are Bro and Suricata IDS. Both engines have their strengths and weaknesses, and PacketTotal leverages both to generate analysis views.

At the highest level, Bro is used to extract common protocols and artifacts from the packet-capture, and Suricata is leveraged primarily for signature-based detection of malicious activity. Once an analysis has been completed, there are three ways to view your packet-capture.

  • Console view, a table-based view containing your pcap analysis in text.
  • Graph view, which presents your pcap data in graphs and charts.
  • Timeline view, a sequential ordering of every event in your pcap in an interactive display.

Arguably just as important as the actual analysis is the ability to quickly search through that data. Packet-captures can contain all types of data, and during initial design we found a relational database to be inadequate on many levels. Instead of a traditional database, PacketTotal leverages ElasticSearch for storing and retrieving information quickly.

Search takes full advantage of the ElasticSearch backend and allows you to craft complex Lucene queries to zero in on the results most relevant to you. If you are interested in some of PacketTotal's more advanced search features, check out [Search Builder] to learn how to craft more granular queries.

Starting from either the Search or Recent Uploads pages, the Tags column shows what kind of data PacketTotal's engines determined existed inside that pcap. The tags present here correspond to the tabs visible in the Console view for that packet capture.

How to get to Graph and Timeline view

You can access Console view for any packet capture here by clicking its name. Alternatively, click the down arrow next to any packet capture name to go to Graph view or Timeline view, or to download the pcap.

How to get to Graph and Timeline view

Whether in Console view, Graph view, or Timeline view for a particular packet capture, a panel will always be present at the top of the view with the file metadata about the pcap you are analyzing, the ability to download that pcap and its artifacts, and a share option.

Panel heading

From Console View, switching to Graph or Timeline view for the packet capture can be done easily by clicking one of the two blue icons to the right.

How to get to Graph and Timeline view via buttons