70
edits
Forensic pcap Analysis: Difference between revisions
no edit summary
Remco.derooy (talk | contribs) No edit summary |
No edit summary |
||
| Line 4: | Line 4: | ||
Allegro Network Multimeter. | Allegro Network Multimeter. | ||
== | == Note == | ||
By default, when in bridge mode (in-line), the Allegro Network Multimeter will NOT forward or process any network traffic while loading a pcap file for analysis. In other words, A network Link will go down until pcap analysis is finished and normal operational mode is restored. | By default, when in bridge mode (in-line), the Allegro Network Multimeter will NOT forward or process any network traffic while loading a pcap file for analysis. In other words, A network Link will go down until pcap analysis is finished and normal operational mode is restored. | ||
| Line 21: | Line 21: | ||
== pcap upload == | == pcap upload == | ||
To use the Allegro Network Multimeter as a forensic analysis tool, navigate | To use the Allegro Network Multimeter as a forensic analysis tool, navigate | ||
to "Generic" -> "Pcap analysis" | to "Generic" -> "Pcap analysis". | ||
{| | {| | ||
| [[File: | | [[File:Forensic_pcap_analysis_dash.png|1000px|thumb|right]] | ||
|} | |} | ||
| Line 31: | Line 31: | ||
drop zone and selecting it via a file chooser dialogue. | drop zone and selecting it via a file chooser dialogue. | ||
After a file is selected, click the " | {| | ||
modal | | [[File:Forensic_pcap_analysis_module.png|1000px|thumb|right]] | ||
|} | |||
After a file is selected, click the "Analyze PCAP" button. One of two new modal dialogues will open: | |||
'''Case one''', when parallel packet processing is not activated: | |||
{| | {| | ||
| Line 38: | Line 43: | ||
|} | |} | ||
If you want to keep processing and forwarding packets while analysing the PCAP then consider enabling the Parallel packet processing feature. | |||
ring buffer. | |||
'''Case two''', when parallel packets processing is activated: | |||
{| | |||
| [[File:Forensic_pcap_analysis_parallel_processing.png|600px|thumb|right]] | |||
|} | |||
'''Meaning of each setting:''' | |||
'''Slot:''' Choose the replay slot the analysis should run at. | |||
'''Storage Device:''' Choose the storage device, where the PCAP-file will be uploaded to. | |||
'''Stop if DB full:''' When enabled will automatically stop the PCAP upload, if the DB is full. | |||
If one of the warnings, that may appear, makes you avoid using the analysis, consider using the capture ring buffer. | |||
If you activate the capture ring buffer, it is easy to extract certain parts of | If you activate the capture ring buffer, it is easy to extract certain parts of | ||
| Line 45: | Line 69: | ||
pcap download buttons will extract the specified data as with a live network | pcap download buttons will extract the specified data as with a live network | ||
traffic. | traffic. | ||
After starting confirming the dialogue, the upload will begin. | After starting confirming the dialogue, the upload will begin. | ||
{| | |||
| | {| | ||
[[File: | | [[File:Forensic_pcap_analysis_finish_upload.png|1000px|thumb|right]] | ||
|} | |} | ||
| Line 55: | Line 81: | ||
an upload still in progress, you can switch to another measurement module and | an upload still in progress, you can switch to another measurement module and | ||
investigate the contents of the pcap file. | investigate the contents of the pcap file. | ||
When the upload is finished, all other modules in the Allegro Network Multimeter will now show data from this pcap-file. | |||
To return to the live data analysis, simply press the 'Finish replay' button. | |||