Console View

The console view is the backbone of PacketTotal. When you upload a packet-capture it is analyzed with both Bro and Suricata, and the results are then run through PacketTotal's intelligence-gathering and correlation algorithms. The console presents the output as a tabbed display giving a high-level view of the traffic extracted from the packet-capture.

Example of table generated from a sample pcap

A list of every tab that can be generated is given under "All logs generated" at the end of this page.

Special Logs

Intelligence

The Intelligence tab contains information extracted by PacketTotal's intel correlation engine. Using high-fidelity indicators extracted from the malicious activity in a capture, PacketTotal passively locates available intelligence about those indicators from trusted sources. This can include links to blog posts, articles about a particular variant of malware, or an analysis summary provided by another engine.

Below is an example of Intelligence finding specific articles about one of the malicious HTTP hostnames that appeared in the packet capture.

Intelligence finding articles related to a malicious hostname

Similar Packet Captures

Traditional search is good for many use-cases, but there are scenarios where you simply wish to find packet-captures similar to the one you uploaded. The Similar Packet Captures tab searches every packet-capture ever analyzed and returns all pcaps that are similar to the one being examined. To count as similar, a packet-capture must have at least one attribute in common with the current packet-capture, such as a query to a specific malicious domain name, a common destination IP, or a file hash.

In this view all similar .pcaps are ranked by the number of attributes they share with the packet-capture currently being examined. Clicking on the match-bar enumerates every term shared between the two packet-captures.

Similar packet captures
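The ranking described above, as an added example written for this page rather than code from PacketTotal: each capture is reduced to a set of typed attribute terms (DNS query, destination IP, file hash, the kinds of attribute the page names), every other capture sharing at least one term is kept, and the survivors are ranked by the number of shared terms. The shared-term list is what the match-bar would enumerate. The capture records, hostnames, IPs and hashes are constructed sample data, not real indicators, and the `find_similar` and `extract_attributes` names are this example's own.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample data (not real captures or indicators). Each capture is
# modelled as a few Bro/Zeek-style records: DNS queries, connection
# destinations and transferred-file hashes, the attribute kinds the page
# names as grounds for similarity. IPs are from the RFC 5737 documentation ranges.
CAPTURES: Dict[str, Dict[str, List[str]]] = {
    "current.pcap": {
        "dns": ["evil-updates.example", "cdn.example.net"],
        "dst_ip": ["203.0.113.10", "198.51.100.7"],
        "file_sha256": ["a" * 64],
    },
    "older-1.pcap": {
        "dns": ["Evil-Updates.example"],   # case differs on purpose
        "dst_ip": ["203.0.113.10"],
        "file_sha256": ["a" * 64],
    },
    "older-2.pcap": {
        "dns": ["cdn.example.net"],
        "dst_ip": ["192.0.2.44"],
        "file_sha256": [],
    },
    "unrelated.pcap": {
        "dns": ["benign.example.org"],
        "dst_ip": ["192.0.2.99"],
        "file_sha256": ["b" * 64],
    },
}


def extract_attributes(capture: Dict[str, List[str]]) -> Set[str]:
    """Turn a capture's records into a set of typed terms such as 'dns:host'.

    Typing the terms keeps two different attribute kinds that happen to share
    text from being counted as the same attribute; lower-casing makes the
    hostname comparison case-insensitive, as DNS names are.
    """
    terms: Set[str] = set()
    for kind, values in capture.items():
        for value in values:
            terms.add(f"{kind}:{value.strip().lower()}")
    return terms


def find_similar(
    target: str, captures: Dict[str, Dict[str, List[str]]]
) -> List[Tuple[str, int, List[str]]]:
    """Return (name, shared_count, shared_terms) for every other capture that
    shares at least one attribute with `target`, best match first.

    Ties are broken by name so the ranking is deterministic.
    """
    target_terms = extract_attributes(captures[target])
    results: List[Tuple[str, int, List[str]]] = []
    for name, capture in captures.items():
        if name == target:
            continue
        shared = sorted(target_terms & extract_attributes(capture))
        if shared:  # the page's rule: at least one attribute in common
            results.append((name, len(shared), shared))
    results.sort(key=lambda r: (-r[1], r[0]))
    return results


if __name__ == "__main__":
    for name, count, shared in find_similar("current.pcap", CAPTURES):
        print(f"{name}: {count} shared attribute(s)")
        for term in shared:  # what clicking the match-bar would list
            print(f"    {term}")
```

One caveat a practitioner will want when reading such a ranking: a plain count treats a shared query to a malicious domain and a shared connection to a popular CDN address as equally significant, so a high score that is made up of common infrastructure terms deserves a look at the enumerated list before the capture is treated as related.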

All logs generated

  • Malicious Activity
  • Suspicious Activity
  • Intelligence
  • Similar Packet Captures
  • Connections
  • DHCP
  • DNP3
  • DNS
  • FTP
  • HTTP
  • IRC
  • Modbus
  • MySQL
  • RDP
  • SIP
  • SMTP
  • SNMP
  • SSH
  • Syslog
  • Kerberos
  • Radius
  • SSL Certificates
  • PKI (X.509)
  • Transferred Files
  • Extracted Executable Files
  • SOCKS
  • Tunnels
  • Recognized Software
  • Dynamic Protocol Detection
  • Modbus Registers
  • Modbus Hosts
  • Strange Activity