Forensic pcap Analysis

From Allegro Packets Product Wiki

Problem

How can you use the Allegro Network Multimeter for forensic analysis? As an example, you would like to process a recorded pcap file with the Allegro Network Multimeter.

Warning

By default, when in bridge mode (in-line), the Allegro Network Multimeter will NOT forward or process any network traffic while loading a pcap file for analysis. In other words, the network link will go down until the pcap analysis is finished and normal operational mode is restored.

This can be resolved by enabling our Parallel packet processing feature. This allows for normal operation and pcap analytics at the same time.

Because of varying Allegro Network Multimeter user/usage scenarios and reserved memory allocation, this feature is disabled by default.

Preparation

The preparation of the Allegro Network Multimeter is very simple. We recommend using this feature with an activated ring buffer to allow the extraction of pcap subsets. Simply attach a USB3 disk or, if installed, use the internal disk as a ring buffer. If it is a USB disk or USB stick that has not been used before, a popup will be displayed and will guide you to format the disk and to set up the ring buffer.

pcap upload

To use the Allegro Network Multimeter as a forensic analysis tool, navigate to "Generic" -> "Pcap analysis" and press pcap upload.

(Screenshot: Pcap-upload-1.png)

Here, you can select the pcap file you want to analyze by either dragging it from your file browser to the drop zone on the page or by clicking into the drop zone and selecting it via a file chooser dialogue.

After a file is selected, click the "Upload and analyze pcap" button. A new modal dialogue will open:

(Screenshot: Pcap-upload-2.png)

Carefully read the warnings and consider if you want to use the capture ring buffer.

If you activate the capture ring buffer, it is easy to extract certain parts of the pcap using the Allegro Network Multimeter measurement modules. All pcap download buttons will extract the specified data just as they do with live network traffic.

After confirming the dialogue, the upload will begin.

(Screenshot: Pcap-upload-3.png)

The table at the bottom of the page will indicate the upload progress. Even with an upload still in progress, you can switch to another measurement module and investigate the contents of the pcap file.
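Before uploading a recording for forensic analysis it is worth confirming that the file really is a classic libpcap capture (not pcapng), that it is not truncated, and recording its hash so the evidence can be matched later. The following Python script is an added example written for this page; it is not part of the Allegro Network Multimeter and does not talk to the device. It parses the pcap global header and record headers with the standard library only, reports link type, packet count, time span and truncation, and computes the file's SHA-256. The `build_sample_pcap` helper constructs a small three-packet capture in memory so the script can be run without any real data.

```python
import hashlib
import struct
import sys

# Classic libpcap magic numbers as read in native little-endian order:
# value -> (struct endianness prefix, timestamp fraction divisor)
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian, microseconds
    0xD4C3B2A1: (">", 1_000_000),      # big-endian, microseconds
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian, nanoseconds
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian, nanoseconds
}
PCAPNG_BLOCK_TYPE = 0x0A0D0D0A  # first block of a pcapng file
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16


def inspect_pcap(data: bytes) -> dict:
    """Validate a classic pcap byte string and summarise its contents."""
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("file shorter than a pcap global header")
    first_word = struct.unpack("<I", data[:4])[0]
    if first_word == PCAPNG_BLOCK_TYPE:
        raise ValueError("pcapng file, not classic pcap")
    if first_word not in PCAP_MAGICS:
        raise ValueError(f"unknown magic 0x{first_word:08x}")
    endian, ts_div = PCAP_MAGICS[first_word]
    # major, minor, thiszone, sigfigs, snaplen, linktype
    _major, _minor, _tz, _sig, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:GLOBAL_HEADER_LEN])

    offset = GLOBAL_HEADER_LEN
    packets = sliced = 0
    first_ts = last_ts = None
    truncated = False
    while offset < len(data):
        if offset + RECORD_HEADER_LEN > len(data):
            truncated = True  # partial record header at end of file
            break
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + RECORD_HEADER_LEN])
        if incl_len > orig_len:
            raise ValueError(f"record {packets}: incl_len {incl_len} > orig_len {orig_len}")
        if offset + RECORD_HEADER_LEN + incl_len > len(data):
            truncated = True  # record body cut off
            break
        ts = ts_sec + ts_frac / ts_div
        first_ts = ts if first_ts is None else first_ts
        last_ts = ts
        packets += 1
        if incl_len < orig_len:
            sliced += 1  # packet was cut at the capture's snaplen
        offset += RECORD_HEADER_LEN + incl_len

    return {
        "linktype": linktype,
        "snaplen": snaplen,
        "nanosecond": ts_div == 1_000_000_000,
        "packets": packets,
        "sliced": sliced,
        "duration_s": (last_ts - first_ts) if packets else 0.0,
        "truncated": truncated,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_sample_pcap(nanosecond: bool = False) -> bytes:
    """Constructed sample: three Ethernet (linktype 1) frames, one second apart."""
    magic = 0xA1B23C4D if nanosecond else 0xA1B2C3D4
    out = struct.pack("<IHHiIII", magic, 2, 4, 0, 0, 65535, 1)
    frac = 500_000_000 if nanosecond else 500_000  # +0.5 s
    for i, frame in enumerate([b"\x00" * 60, b"\xff" * 80, b"\x11" * 42]):
        out += struct.pack("<IIII", 1_700_000_000 + i, frac, len(frame), len(frame))
        out += frame
    return out


if __name__ == "__main__":
    # Usage: python pcap_check.py capture.pcap   (no argument: use the constructed sample)
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for key, value in inspect_pcap(raw).items():
        print(f"{key:>11}: {value}")
```

Run the script against a file to get a short summary to keep with the case notes; a `truncated` result of `True` means the recording was cut mid-record (for example by a capture tool that was killed), which is worth knowing before interpreting the last flows in the Multimeter.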