Console View

The Console view is the backbone of PacketTotal. When you upload your pcap file, PacketTotal uses Bro, Suricata, and its own proprietary algorithms to analyze its contents. PacketTotal then generates a tabbed display based on what it understood from your packet capture. Below is an example of the tabs generated for a sample pcap:

Example of table generated from a sample pcap

A description of every possible tab generated (Malicious Activity, Suspicious Activity, DNS, SSH, SMTP, etc.) can be found here. Some of the most important ones, and some specific to PacketTotal, include:

Intelligence

The Intelligence tab finds any item from the Malicious Activity log that has had a blog post, article, paper, or any other form of research from the intel community written about it. Intelligence then provides a link to the resource that examined that malicious indicator.

Below is an example of Intelligence finding specific articles about one of the malicious HTTP hostnames that appeared in the packet capture.

Intelligence finding articles related to a malicious hostname

Similar Packet Captures

PacketTotal uses a backend algorithm to search through every pcap it has ever analyzed and returns all pcaps that are similar to the one being examined. A "similar" pcap may have indicators in common such as a query to a specific malicious domain name, a common destination IP, the same malicious file being passed through the network traffic, etc.

PacketTotal not only returns all similar .pcaps, but also ranks the relative strengths of each match. It also tells you exactly which indicators the packet captures had in common, as seen below.

Similar packet captures
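PacketTotal's ranking algorithm is proprietary and this page does not describe it. As an added illustration of the general idea only (not PacketTotal's code), the following Python example ranks captures by the weighted overlap of their indicator sets and reports exactly which indicators each match shares; the indicator types, weights, and sample captures are all constructed for the example.

```python
# Added illustration of indicator-overlap ranking; NOT PacketTotal's proprietary
# algorithm. Indicator types, weights and sample captures are all constructed.
from typing import Dict, FrozenSet, List, Tuple

Indicator = Tuple[str, str]  # (indicator type, value)

# Assumed relative strength of a shared indicator: a common malicious file
# hash says more than a common destination IP.
WEIGHTS = {"file_sha256": 3.0, "dns_query": 2.0, "http_host": 2.0, "dst_ip": 1.0}

# Constructed sample captures (documentation IP ranges, example domains and a
# placeholder hash); nothing here is a real indicator.
CAPTURES: Dict[str, FrozenSet[Indicator]] = {
    "query.pcap": frozenset({
        ("dns_query", "malicious.example"), ("dst_ip", "203.0.113.7"),
        ("file_sha256", "PLACEHOLDER_SHA256"), ("http_host", "cdn.example.net")}),
    "strong-match.pcap": frozenset({
        ("dns_query", "malicious.example"), ("dst_ip", "198.51.100.9"),
        ("file_sha256", "PLACEHOLDER_SHA256")}),
    "weak-match.pcap": frozenset({
        ("dns_query", "benign.example"), ("dst_ip", "203.0.113.7"),
        ("http_host", "updates.example.org")}),
    "unrelated.pcap": frozenset({
        ("dns_query", "benign.example"), ("dst_ip", "192.0.2.44")}),
}

def weight_of(indicators: FrozenSet[Indicator]) -> float:
    # Unknown indicator types count as weight 1.0.
    return sum(WEIGHTS.get(kind, 1.0) for kind, _ in indicators)

def similarity(a: FrozenSet[Indicator], b: FrozenSet[Indicator]) -> float:
    """Weighted Jaccard index in [0, 1]: weight(a & b) / weight(a | b)."""
    union = a | b
    return weight_of(a & b) / weight_of(union) if union else 0.0

def rank_similar(query: str, captures: Dict[str, FrozenSet[Indicator]]
                 ) -> List[Tuple[str, float, List[Indicator]]]:
    """Rank every other capture by similarity to `query`, strongest first,
    and report exactly which indicators each match shares with it."""
    q = captures[query]
    results = []
    for name, inds in captures.items():
        if name == query:
            continue
        score = similarity(q, inds)
        if score > 0.0:  # captures with nothing in common are not returned
            results.append((name, score, sorted(q & inds)))
    results.sort(key=lambda r: (-r[1], r[0]))  # strongest match first
    return results
```

With the sample data, the capture sharing the malicious domain and the file hash ranks first (5/9), the one sharing only a destination IP ranks second (1/12), and the unrelated capture is not returned.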

All logs generated

  • Malicious Activity
  • Suspicious Activity
  • Intelligence
  • Similar Packet Captures
  • Connections
  • DHCP
  • DNP3
  • DNS
  • FTP
  • HTTP
  • IRC
  • Modbus
  • MySQL
  • RDP
  • SIP
  • SMTP
  • SNMP
  • SSH
  • Syslog
  • Kerberos
  • Radius
  • SSL Certificates
  • PKI (X.509)
  • Transferred Files
  • Extracted Executable Files
  • SOCKS
  • Tunnels
  • Recognized Software
  • Dynamic Protocol Detection
  • Modbus Registers
  • Modbus Hosts
  • Strange Activity