Forensic pcap Analysis: Difference between revisions
m (David.Griffiths moved page Forensic Pcap Analysis to Forensic pcap Analysis) |
No edit summary |
||
| Line 1: | Line 1: | ||
== Problem == | == Problem == | ||
How can you use the Allegro Network Multimeter for forensic analysis? | How can you use the Allegro Network Multimeter for forensic analysis? | ||
As an example, you would like to process a recorded | As an example, you would like to process a recorded pcap file with the | ||
Allegro Network Multimeter | Allegro Network Multimeter. | ||
== Warning == | == Warning == | ||
The Allegro Network Multimeter will NOT forward, receive or analyze | The Allegro Network Multimeter will NOT forward, receive or analyze | ||
any packets while analyzing pcap files. Traffic forwarding in | any packets while analyzing pcap files. Traffic forwarding in Bridge | ||
mode is not available until the pcap file has been analyzed completely | mode is not available until the pcap file has been analyzed completely | ||
and | and normal operational mode is restored. | ||
You can also use the [[Parallel packet processing]] to enable traffic forwarding and pcap analytics at the same time. | You can also use the [[Parallel packet processing]] to enable traffic forwarding and pcap analytics at the same time. | ||
| Line 17: | Line 17: | ||
allow the extraction of pcap subsets. Simply attach a USB3 disk or, if | allow the extraction of pcap subsets. Simply attach a USB3 disk or, if | ||
installed, use the internal disk as a ring buffer. If it is a USB disk | installed, use the internal disk as a ring buffer. If it is a USB disk | ||
or stick that has not been used before, a popup will be displayed and | or USB stick that has not been used before, a popup will be displayed and | ||
will guide you to format the disk and to set up the ring buffer. | will guide you to format the disk and to set up the ring buffer. | ||
== | == pcap upload == | ||
To use the Allegro Network Multimeter as a forensic analysis tool, navigate | To use the Allegro Network Multimeter as a forensic analysis tool, navigate | ||
to "Generic" -> "Pcap analysis" and press pcap upload. | to "Generic" -> "Pcap analysis" and press pcap upload. | ||
| Line 30: | Line 30: | ||
Here, you can select the pcap file you want to analyze by either dragging it | Here, you can select the pcap file you want to analyze by either dragging it | ||
from your file browser to the drop zone on the page or by clicking into the | from your file browser to the drop zone on the page or by clicking into the | ||
drop zone and selecting it via a file chooser | drop zone and selecting it via a file chooser dialogue. | ||
After a file is selected, click the "Upload and analyze pcap" button. A new | After a file is selected, click the "Upload and analyze pcap" button. A new | ||
modal | modal dialogue will open: | ||
{| | {| | ||
| Line 39: | Line 39: | ||
|} | |} | ||
Carefully read the warnings and consider if you want to use the capture | |||
ring buffer. | ring buffer. | ||
If you activate the capture ring buffer, it is easy to extract certain parts of | If you activate the capture ring buffer, it is easy to extract certain parts of | ||
the pcap using | the pcap using the Allegro Network Multimeter measurement modules. All | ||
pcap download buttons will extract the specified parts as with live network | pcap download buttons will extract the specified parts as with live network | ||
traffic. | traffic. | ||
After starting confirming the | After starting confirming the dialogue, the upload will begin. | ||
{| | {| | ||
| | | | ||
| Line 53: | Line 53: | ||
|} | |} | ||
The table at the bottom of the page will | The table at the bottom of the page will indicate the upload progress. Even with | ||
upload still in progress, you can switch to | the upload still in progress, you can switch to another measurement module and | ||
investigate the contents of the pcap file. | investigate the contents of the pcap file. | ||
Revision as of 12:00, 27 April 2020
Problem
How can you use the Allegro Network Multimeter for forensic analysis? As an example, you would like to process a recorded pcap file with the Allegro Network Multimeter.
Warning
The Allegro Network Multimeter will NOT forward, receive or analyze any packets while analyzing pcap files. Traffic forwarding in Bridge mode is not available until the pcap file has been analyzed completely and normal operational mode is restored.
You can also use the Parallel packet processing to enable traffic forwarding and pcap analytics at the same time.
Preparation
The preparation of the Allegro Network Multimeter is very simple. We recommend to use this feature with an activated ring buffer to allow the extraction of pcap subsets. Simply attach a USB3 disk or, if installed, use the internal disk as a ring buffer. If it is a USB disk or USB stick that has not been used before, a popup will be displayed and will guide you to format the disk and to set up the ring buffer.
pcap upload
To use the Allegro Network Multimeter as a forensic analysis tool, navigate to "Generic" -> "Pcap analysis" and press pcap upload.
Here, you can select the pcap file you want to analyze by either dragging it from your file browser to the drop zone on the page or by clicking into the drop zone and selecting it via a file chooser dialogue.
After a file is selected, click the "Upload and analyze pcap" button. A new modal dialogue will open:
Carefully read the warnings and consider if you want to use the capture ring buffer.
If you activate the capture ring buffer, it is easy to extract certain parts of the pcap using the Allegro Network Multimeter measurement modules. All pcap download buttons will extract the specified parts as with live network traffic.
After starting confirming the dialogue, the upload will begin.
The table at the bottom of the page will indicate the upload progress. Even with the upload still in progress, you can switch to another measurement module and investigate the contents of the pcap file.