Forensic pcap Analysis

From Allegro Network Multimeter Manual
Jump to navigation Jump to search

Problem

How can you use the Allegro Network Multimeter for forensic analysis? As an example, you would like to process a recorded pcap file with the Allegro Network Multimeter.

Note

By default, when in bridge mode (in-line), the Allegro Network Multimeter will NOT forward or process any network traffic while loading a pcap file for analysis. In other words, A network Link will go down until pcap analysis is finished and normal operational mode is restored.

This can be resolved by enabling our Parallel packet processing feature. This allows for normal operation and pcap analytics at the same time.

Because of varying Allegro Network Multimeter user/usage scenarios and reserved memory allocation, this feature is disabled by default.

Preparation

The preparation of the Allegro Network Multimeter is very simple. We recommend to use this feature with an activated ring buffer to allow the extraction of pcap subsets. Simply attach a USB3 disk or, if installed, use the internal disk as a ring buffer. If it is a USB disk or USB stick that has not been used before, a popup will be displayed and will guide you to format the disk and to set up the ring buffer.

pcap upload

To use the Allegro Network Multimeter as a forensic analysis tool, navigate to "Generic" -> "Pcap analysis".

Forensic pcap analysis dash.png

Here, you can select the pcap file you want to analyze by either dragging it from your file browser to the drop zone on the page or by clicking into the drop zone and selecting it via a file chooser dialogue.

Forensic pcap analysis module.png

After a file is selected, click the "Analyze PCAP" button. One of two new modal dialogues will open:

Case one, when parallel packet processing is not activated:

Pcap-upload-2.png

If you want to keep processing and forwarding packets while analysing the PCAP then consider enabling the Parallel packet processing feature.


Case two, when parallel packets processing is activated:

Forensic pcap analysis parallel processing.png

Meaning of each setting:

Slot: Choose the replay slot the analysis should run at.

Storage Device: Choose the storage device, where the PCAP-file will be uploaded to. Using the Packet ring buffer enables you to re-download the packets later.

Stop if DB full: When enabled will automatically stop the PCAP upload, if the in-memory DB is full. Packets will be lost if the DB is exceeded, while this option is not enabled.



If you activate the capture ring buffer, it is easy to extract certain parts of the pcap using the Allegro Network Multimeter measurement modules. All pcap download buttons will extract the specified data as with a live network traffic.


After starting confirming the dialogue, the upload will begin.

Forensic pcap analysis finish upload.png

The table at the bottom of the page will indicate the upload progress. Even with an upload still in progress, you can switch to another measurement module and investigate the contents of the pcap file.

When the upload is finished, other statistics in the Allegro Network Multimeter will now show data from this pcap-file.

To return to the live data analysis, simply press the 'Finish replay' button.

Retrieved from "https://allegro-packets.com/wiki/index.php?title=Forensic_pcap_Analysis&oldid=5104"