Forensic pcap Analysis: Difference between revisions
(Created page with "== ''' Problem''' == ------- How can you use the *Allegro Network Multimeter* for forensic analysis? As an example, you would like to process a recorded Pcap file with the *A...") |
No edit summary |
||
| (19 intermediate revisions by 6 users not shown) | |||
| Line 1: | Line 1: | ||
== | == Problem == | ||
How can you use the Allegro Network Multimeter for forensic analysis? | |||
As an example, you would like to process a recorded pcap file with the | |||
Allegro Network Multimeter. | |||
== Note == | |||
By default, when in bridge mode (in-line), the Allegro Network Multimeter will NOT forward or process any network traffic while loading a pcap file for analysis. In other words, A network Link will go down until pcap analysis is finished and normal operational mode is restored. | |||
'''This can be resolved''' by enabling our [[Parallel packet processing]] feature. This allows for normal operation and pcap analytics at the same time. | |||
Because of varying Allegro Network Multimeter user/usage scenarios and reserved memory allocation, this feature is disabled by default. | |||
== Preparation == | |||
The preparation of the Allegro Network Multimeter is very simple. | |||
We recommend to use this feature with an activated ring buffer to | |||
allow the extraction of pcap subsets. Simply attach a USB3 disk or, if | |||
installed, use the internal disk as a ring buffer. If it is a USB disk | |||
or USB stick that has not been used before, a popup will be displayed and | |||
will guide you to format the disk and to set up the ring buffer. | |||
== pcap upload == | |||
To use the Allegro Network Multimeter as a forensic analysis tool, navigate | |||
to "Generic" -> "Pcap analysis". | |||
{| | |||
| [[File:Forensic_pcap_analysis_dash.png|1000px|thumb|right]] | |||
|} | |||
Here, you can select the pcap file you want to analyze by either dragging it | |||
from your file browser to the drop zone on the page or by clicking into the | |||
drop zone and selecting it via a file chooser dialogue. | |||
{| | |||
| [[File:Forensic_pcap_analysis_module.png|1000px|thumb|right]] | |||
|} | |||
After a file is selected, click the "Analyze PCAP" button. One of two new modal dialogues will open: | |||
'''Case one''', when parallel packet processing is not activated: | |||
{| | |||
| [[File:Pcap-upload-2.png|600px|thumb|right]] | |||
|} | |||
If you want to keep processing and forwarding packets while analysing the PCAP then consider enabling the Parallel packet processing feature. | |||
'''Case two''', when parallel packets processing is activated: | |||
{| | |||
| [[File:Forensic_pcap_analysis_parallel_processing.png|600px|thumb|right]] | |||
|} | |||
'''Meaning of each setting:''' | |||
'''Slot:''' Choose the replay slot the analysis should run at. | |||
.. | '''Storage Device:''' Choose the storage device, where the PCAP-file will be uploaded to. Using the [[Packet ring buffer]] enables you to re-download the packets later. | ||
'''Stop if DB full:''' When enabled will automatically stop the PCAP upload, if the in-memory DB is full. Packets will be lost if the DB is exceeded, while this option is not enabled. | |||
If you activate the capture ring buffer, it is easy to extract certain parts of | If you activate the capture ring buffer, it is easy to extract certain parts of | ||
the pcap using the | the pcap using the Allegro Network Multimeter measurement modules. All | ||
pcap download buttons will extract the specified | pcap download buttons will extract the specified data as with a live network | ||
traffic. | traffic. | ||
The table at the bottom of the page will | After starting confirming the dialogue, the upload will begin. | ||
upload still in progress, you can switch to | |||
{| | |||
| [[File:Forensic_pcap_analysis_finish_upload.png|1000px|thumb|right]] | |||
|} | |||
The table at the bottom of the page will indicate the upload progress. Even with | |||
an upload still in progress, you can switch to another measurement module and | |||
investigate the contents of the pcap file. | investigate the contents of the pcap file. | ||
. | When the upload is finished, other statistics in the Allegro Network Multimeter will now show data from this pcap-file. | ||
To return to the live data analysis, simply press the 'Finish replay' button. | |||
Latest revision as of 06:25, 23 May 2025
Problem
How can you use the Allegro Network Multimeter for forensic analysis? As an example, you would like to process a recorded pcap file with the Allegro Network Multimeter.
Note
By default, when in bridge mode (in-line), the Allegro Network Multimeter will NOT forward or process any network traffic while loading a pcap file for analysis. In other words, A network Link will go down until pcap analysis is finished and normal operational mode is restored.
This can be resolved by enabling our Parallel packet processing feature. This allows for normal operation and pcap analytics at the same time.
Because of varying Allegro Network Multimeter user/usage scenarios and reserved memory allocation, this feature is disabled by default.
Preparation
The preparation of the Allegro Network Multimeter is very simple. We recommend to use this feature with an activated ring buffer to allow the extraction of pcap subsets. Simply attach a USB3 disk or, if installed, use the internal disk as a ring buffer. If it is a USB disk or USB stick that has not been used before, a popup will be displayed and will guide you to format the disk and to set up the ring buffer.
pcap upload
To use the Allegro Network Multimeter as a forensic analysis tool, navigate to "Generic" -> "Pcap analysis".
Here, you can select the pcap file you want to analyze by either dragging it from your file browser to the drop zone on the page or by clicking into the drop zone and selecting it via a file chooser dialogue.
After a file is selected, click the "Analyze PCAP" button. One of two new modal dialogues will open:
Case one, when parallel packet processing is not activated:
If you want to keep processing and forwarding packets while analysing the PCAP then consider enabling the Parallel packet processing feature.
Case two, when parallel packets processing is activated:
Meaning of each setting:
Slot: Choose the replay slot the analysis should run at.
Storage Device: Choose the storage device, where the PCAP-file will be uploaded to. Using the Packet ring buffer enables you to re-download the packets later.
Stop if DB full: When enabled will automatically stop the PCAP upload, if the in-memory DB is full. Packets will be lost if the DB is exceeded, while this option is not enabled.
If you activate the capture ring buffer, it is easy to extract certain parts of
the pcap using the Allegro Network Multimeter measurement modules. All
pcap download buttons will extract the specified data as with a live network
traffic.
After starting confirming the dialogue, the upload will begin.
The table at the bottom of the page will indicate the upload progress. Even with an upload still in progress, you can switch to another measurement module and investigate the contents of the pcap file.
When the upload is finished, other statistics in the Allegro Network Multimeter will now show data from this pcap-file.
To return to the live data analysis, simply press the 'Finish replay' button.