Author Topic: Pcap summary  (Read 4807 times)

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Pcap summary
« on: October 08, 2015, 06:33:54 PM »

Does anyone know of useful tools to summarise a pcap file? And even better, to query it and extract certain chosen subsets of information from it. Needs to speak IPv6.

Essential : Would either have to be an app to run on an iPad, or be something web-based. (Because of my poor health I don't have access to a PC at the moment.)

AArdvark

  • Kitizen
  • ****
  • Posts: 1008
Re: Pcap summary
« Reply #1 on: October 08, 2015, 09:30:53 PM »

Here is a link that shows how to manipulate pcap files on a command line.
You could use the output with grep (for simple searches) or awk or sed (for 'all out' text manipulation) to 'filter out' whatever you wanted.
Not sure what you can do from the iOS command line??
http://serverfault.com/questions/38626/how-can-i-read-pcap-files-in-a-friendly-format#

licquorice

  • Reg Member
  • ***
  • Posts: 977
Re: Pcap summary
« Reply #2 on: October 08, 2015, 10:56:18 PM »

Is this any good to you? https://www.cloudshark.org/  Haven't tried it so can't comment.

AArdvark

  • Kitizen
  • ****
  • Posts: 1008
Re: Pcap summary
« Reply #3 on: October 08, 2015, 11:13:07 PM »

Quote
Is this any good to you? https://www.cloudshark.org/  Haven't tried it so can't comment.

This is from their FAQ ......

Quote
I have security policies to comply with. Is CloudShark secure?

CloudShark operates over proven authentication and encryption protocols, and uses best practices for securing web applications. QA Cafe does not, however, guarantee the security of any captures uploaded to CloudShark.org. Uploads to CloudShark.org are considered “at your own risk”. Please review our terms of service for more information.

I think the 'Free' service is a way to collect lots of captures to test their software on. (The 1st and least scary use for your captures I could think of. :) )
Fair enough if the 'risks' are not an issue.
i.e. the captures do not contain anything you would like to be 'secret', whatever that may mean!!.  ;D ;D :D

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Pcap summary
« Reply #4 on: October 10, 2015, 02:55:24 AM »

The CloudShark thing looks like a good tool. It decodes traffic and presents it nicely. I'll have to dig into it further to find out whether it can actually summarise things.

Andrews and Arnold can do a packet capture for me and decode it (tcpdump or similar), outputting it as a fairly overwhelming amount of not-very-friendly ASCII. What I would really like to see is a dramatically reduced amount of data: who are the communicants, what protocols are in use, do DNS lookups perhaps, assign names to/enumerate nameless addresses. That kind of thing. Where there is a huge amount going on, bring it down to a readable amount of information. Spotting scans would be nice too.
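
The kind of summary asked for in Reply #4 (who talks to whom, over which protocol, plus a crude port-scan check) can be produced with Python's standard library alone. This is an added example, not code from any poster or from the tools named in the thread; it assumes a classic Ethernet pcap file (not pcapng), handles IPv4 and IPv6, and its function names and the 10-port scan threshold are assumptions.

```python
import ipaddress, struct, sys
from collections import Counter, defaultdict

PROTO = {1: "ICMP", 6: "TCP", 17: "UDP", 58: "ICMPv6"}
MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",   # little-endian (usec, nsec)
         b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}   # big-endian (usec, nsec)

def packets(data):
    """Yield the raw frames of a classic pcap file, honouring its byte order."""
    end = MAGIC.get(data[:4])
    if end is None or len(data) < 24:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):               # 16-byte per-packet record header
        incl, = struct.unpack(end + "I", data[off + 8:off + 12])
        yield data[off + 16:off + 16 + incl]
        off += 16 + incl

def decode(frame):
    """Return (src, dst, protocol, dst_port); None for non-IP frames such as ARP."""
    etype, ip = frame[12:14], frame[14:]
    if etype == b"\x08\x00" and len(ip) >= 20:         # IPv4, header length from IHL
        proto, l4 = ip[9], ip[(ip[0] & 0x0F) * 4:]
        src, dst = ip[12:16], ip[16:20]
    elif etype == b"\x86\xdd" and len(ip) >= 40:       # IPv6, fixed 40-byte header
        proto, l4 = ip[6], ip[40:]                     # extension headers are not walked
        src, dst = ip[8:24], ip[24:40]
    else:
        return None
    has_port = proto in (6, 17) and len(l4) >= 4       # fragments are not reassembled
    dport = struct.unpack("!H", l4[2:4])[0] if has_port else None
    return (str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst)),
            PROTO.get(proto, str(proto)), dport)

def summarise(data, scan_ports=10):
    """Packet count per (src, dst, proto), and (src, dst) pairs touching many ports."""
    talk, ports = Counter(), defaultdict(set)
    for frame in packets(data):
        d = decode(frame)
        if d:
            talk[d[:3]] += 1
            if d[3] is not None:
                ports[d[:2]].add(d[3])         # distinct destination ports per pair
    return talk, sorted(k for k, v in ports.items() if len(v) >= scan_ports)

if __name__ == "__main__" and len(sys.argv) > 1:       # usage: script.py capture.pcap
    talk, scans = summarise(open(sys.argv[1], "rb").read())
    print(*talk.most_common(20), *(f"possible scan: {s} -> {d}" for s, d in scans), sep="\n")
```

The scan check only counts distinct destination ports between one pair of hosts, so a sweep of one port across many hosts will not be flagged by it.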

Bowdon

  • Content Team
  • Kitizen
  • *
  • Posts: 2395
Re: Pcap summary
« Reply #5 on: February 10, 2016, 10:45:06 PM »

I'm not sure if you're still looking for a program. When doing my investigations into my Swann camera issues I noticed they install WinPcap. Also mentioned when I was looking things up on Google is a program called Wireshark.

I'm not sure what the difference is between CloudShark and Wireshark though. https://www.wireshark.org/

licquorice

  • Reg Member
  • ***
  • Posts: 977
Re: Pcap summary
« Reply #6 on: February 11, 2016, 08:56:23 AM »

Wireshark is used to capture the data, CloudShark is used to analyse it.

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Pcap summary
« Reply #7 on: February 11, 2016, 09:28:36 AM »

I haven't had a go with it yet, but CloudShark has potential because it's web based, and I wanted something that I could use with an iPad or an iPad app, and this avoids the o/s installation problem.

licquorice

  • Reg Member
  • ***
  • Posts: 977
Re: Pcap summary
« Reply #8 on: February 11, 2016, 09:53:15 AM »

Yes, forget the web based requirement.

aesmith

  • Kitizen
  • ****
  • Posts: 1216
Re: Pcap summary
« Reply #9 on: February 12, 2016, 12:57:53 PM »

Quote
Wireshark is used to capture the data, CloudShark is used to analyse it.

Wireshark can decode and analyse a .pcap file. On Windows you can install a "portable" version, without the WinPcap drivers, if all you need to do is view files that have been collected elsewhere.