Forensic pcap Analysis

Problem

How can you use the Allegro Network Multimeter for forensic analysis? As an example, you would like to process a recorded pcap file with the Allegro Network Multimeter.

Warning

The Allegro Network Multimeter will NOT forward, receive or analyze any packets while analyzing pcap files. Traffic forwarding in Bridge mode is not available until the pcap file has been analyzed completely and normal operational mode is restored.

You can also use Parallel packet processing to enable traffic forwarding and pcap analytics at the same time.

Preparation

The preparation of the Allegro Network Multimeter is very simple. We recommend to use this feature with an activated ring buffer to allow the extraction of pcap subsets. Simply attach a USB3 disk or, if installed, use the internal disk as a ring buffer. If it is a USB disk or USB stick that has not been used before, a popup will be displayed and will guide you to format the disk and to set up the ring buffer.

pcap upload

To use the Allegro Network Multimeter as a forensic analysis tool, navigate to "Generic" -> "Pcap analysis" and press pcap upload.

Here, you can select the pcap file you want to analyze by either dragging it from your file browser to the drop zone on the page or by clicking into the drop zone and selecting it via a file chooser dialogue.

After a file is selected, click the "Upload and analyze pcap" button. A new modal dialogue will open:

Carefully read the warnings and consider if you want to use the capture ring buffer.

If you activate the capture ring buffer, it is easy to extract certain parts of the pcap using the Allegro Network Multimeter measurement modules. All pcap download buttons will extract the specified data as with a live network traffic.

After starting confirming the dialogue, the upload will begin.

The table at the bottom of the page will indicate the upload progress. Even with an upload still in progress, you can switch to another measurement module and investigate the contents of the pcap file.