caploader manual
TRANSCRIPT
-
7/29/2019 CapLoader Manual
1/4
NETRESEC CapLoader Reference Manual PA3
CapLoaderReference Manual
- 1 -
NETRESEC
-
7/29/2019 CapLoader Manual
2/4
NETRESEC CapLoader Reference Manual PA3
Overview of FunctionalityCapLoader is designed to handle large amounts of captured network traffic in thetcpdump/libpcap format (PCAP). CapLoader displays the contents of opened PCAPfiles as a list of TCP and UDP flows. Users can select the flows of interest and quicklyfilter out those packets from the loaded PCAP files. Opening the selectedflows/packets in a packet analyzer tool like Wireshark or NetworkMiner is then just amouse click away.
The typical process of working with CapLoader is:
1. Open one or multiple pcapfiles, typically by drag-and-dropping them onto theCapLoader GUI.
2. Select/mark the flows ofinterest.
3. Double click the PCAP-icon toopen the selected sessions in
your default pcap parser(typically Wireshark) or better
yet, do drag-and-drop from thePCAP-icon to any application
you wish.
Loading PCAP filesPCAP files can be loaded by selecting File > Load from the menu, but a better way todo it is to select one or multiple pcap files in a directory and then drag-and-drop themonto the CapLoader GUI. You can also drop a whole folder onto CapLoader in order toload all PCAP files contained in the folder.
- 2 -
-
7/29/2019 CapLoader Manual
3/4
NETRESEC CapLoader Reference Manual PA3
Selecting Flows of Interest
Opening Selected FlowsSelecting one or multiple flows causes CapLoader to filter out the individual packets(frames) for these flows and making them available for export as a new PCAP file. ThePCAP icon in the top-right of the GUI can be used to open the filtered frames in any ofthe following ways:
Double-click the PCAP icon to open the frames withthe default PCAP viewer (typically Wireshark).
Drag-and-drop from the PCAP icon to any Packet
analyzer of your choice (we recommendNetworkMiner).
Drag-and-drop the PCAP icon to a folder to export the filtered PCAP file to disk.
Right-click the PCAP icon and select a tool to open the PCAP file with.
1 Supported formats include Snort alert log and Bro IDS log
2 Supported formats include iptables format
3 Supported formats include Argus output, Bro connection logs and tshark conversation lists
- 3 -
-
7/29/2019 CapLoader Manual
4/4
NETRESEC CapLoader Reference Manual PA3
Protocol IdentificationCapLoader includes the ability toidentify protocols without relying onport numbers4. This feature can beenabled by checking the Identifyprotocols check-box in the GUI.Loading PCAP files with the identifyprotocols feature enabled will causethe application layer protocols of theextracted flows to be identified anddisplayed in the flow list. Being ableto identify the application layerprotocol is important in order todetect what services that run on non-standard ports as well as to detect ifcommon ports5 are being used totransport other protocols than whatmight be expected.
The protocol identification feature is based on the SPID algorithm, which wasdeveloped by Erik Hjelmvik with initial funding from the Swedish InternetInfrastructure Foundation (.SE).
The CapLoader USB flash driveCapLoader is delivered on a customizedUSB flash drive. CapLoader is a portableapplication, which means that it doesn'trequire any installation and can be rundirectly from the USB flash drive. Ourrecommendation is, however, that you copy
the CapLoader directory to your local harddrive and run it from there for improvedperformance. It is up to you to decide if you
will copy CapLoader to your computer'sdesktop, put it in your Program Filesdirectory or place it in the root of yourfavorite HDD partition.
4 Also known as Port Independent Protocol Identification (PIPI) or Traffic Classification
5 For example UDP 53 (DNS), TCP 80 (HTTP) or TCP 443 (SSL)
- 4 -