m (David.Griffiths moved page Forensic Pcap Analysis to Forensic pcap Analysis) |
No edit summary |
||
Line 1: | Line 1: | ||
== Problem == | == Problem == | ||
How can you use the Allegro Network Multimeter for forensic analysis? | How can you use the Allegro Network Multimeter for forensic analysis? | ||
As an example, you would like to process a recorded | As an example, you would like to process a recorded pcap file with the | ||
Allegro Network Multimeter | Allegro Network Multimeter. | ||
== Warning == | == Warning == | ||
The Allegro Network Multimeter will NOT forward, receive or analyze | The Allegro Network Multimeter will NOT forward, receive or analyze | ||
any packets while analyzing pcap files. Traffic forwarding in | any packets while analyzing pcap files. Traffic forwarding in Bridge | ||
mode is not available until the pcap file has been analyzed completely | mode is not available until the pcap file has been analyzed completely | ||
and | and normal operational mode is restored. | ||
You can also use the [[Parallel packet processing]] to enable traffic forwarding and pcap analytics at the same time. | You can also use the [[Parallel packet processing]] to enable traffic forwarding and pcap analytics at the same time. | ||
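Review bot: The Warning paragraph in the new text still states without condition that the device "will NOT forward, receive or analyze any packets while analyzing pcap files", and the following sentence then says that Parallel packet processing allows traffic forwarding and pcap analytics at the same time. For a unit running in Bridge mode this paragraph is what an operator uses to judge whether starting an analysis interrupts traffic, so the condition belongs in the warning itself, for example "Unless [[Parallel packet processing]] is enabled, the Allegro Network Multimeter will NOT forward, receive or analyze any packets ...". The link sentence also reads better without the article: "You can also use [[Parallel packet processing]] to enable ...".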
Line 17: | Line 17: | ||
allow the extraction of pcap subsets. Simply attach a USB3 disk or, if | allow the extraction of pcap subsets. Simply attach a USB3 disk or, if | ||
installed, use the internal disk as a ring buffer. If it is a USB disk | installed, use the internal disk as a ring buffer. If it is a USB disk | ||
or stick that has not been used before, a popup will be displayed and | or USB stick that has not been used before, a popup will be displayed and | ||
will guide you to format the disk and to set up the ring buffer. | will guide you to format the disk and to set up the ring buffer. | ||
== | == pcap upload == | ||
To use the Allegro Network Multimeter as a forensic analysis tool, navigate | To use the Allegro Network Multimeter as a forensic analysis tool, navigate | ||
to "Generic" -> "Pcap analysis" and press pcap upload. | to "Generic" -> "Pcap analysis" and press pcap upload. | ||
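Review bot: In the last line of this hunk, "press pcap upload" leaves the button name unquoted, while the menu path on the same line is quoted ("Generic" -> "Pcap analysis"). Quote the label as well, i.e. press "pcap upload", so the reader can tell which words are the UI text, and check that the new lowercase heading matches the label as the interface shows it.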
Line 30: | Line 30: | ||
Here, you can select the pcap file you want to analyze by either dragging it | Here, you can select the pcap file you want to analyze by either dragging it | ||
from your file browser to the drop zone on the page or by clicking into the | from your file browser to the drop zone on the page or by clicking into the | ||
drop zone and selecting it via a file chooser | drop zone and selecting it via a file chooser dialogue. | ||
After a file is selected, click the "Upload and analyze pcap" button. A new | After a file is selected, click the "Upload and analyze pcap" button. A new | ||
modal | modal dialogue will open: | ||
{| | {| | ||
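Review bot: The two completed sentences in this hunk introduce the spelling "dialogue" ("file chooser dialogue", "modal dialogue"), while the rest of the page uses American spelling ("analyze", "analyzed"). Use "dialog" in both places, or switch the page to British spelling throughout.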
Line 39: | Line 39: | ||
|} | |} | ||
Carefully read the warnings and consider if you want to use the capture | |||
ring buffer. | ring buffer. | ||
If you activate the capture ring buffer, it is easy to extract certain parts of | If you activate the capture ring buffer, it is easy to extract certain parts of | ||
the pcap using | the pcap using the Allegro Network Multimeter measurement modules. All | ||
pcap download buttons will extract the specified parts as with live network | pcap download buttons will extract the specified parts as with live network | ||
traffic. | traffic. | ||
After starting confirming the | After starting confirming the dialogue, the upload will begin. | ||
{| | {| | ||
| | | | ||
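Review bot: The line "Carefully read the warnings and consider if you want to use the capture" is removed at the top of this hunk, but its continuation "ring buffer." is kept, so the new revision opens the paragraph with a sentence fragment and loses the instruction to read the warnings in the dialogue. Restore the line, or remove the fragment too if the instruction was meant to go. In the last changed line, "After starting confirming the dialogue" still carries two verbs; "After confirming the dialogue, the upload will begin." is enough.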
Line 53: | Line 53: | ||
|} | |} | ||
The table at the bottom of the page will | The table at the bottom of the page will indicate the upload progress. Even with | ||
upload still in progress, you can switch to | the upload still in progress, you can switch to another measurement module and | ||
investigate the contents of the pcap file. | investigate the contents of the pcap file. |