Forensic pcap Analysis: Difference between revisions

Problem

How can you use the Allegro Network Multimeter for forensic analysis? As an example, you would like to process a recorded Pcap file with the Allegro Network Multimeter in the lab.

Warning

The Allegro Network Multimeter will NOT forward, receive or analyze any packets while analyzing pcap files. Traffic forwarding in bridge mode is not available until the pcap file has been analyzed completely and the normal operation mode is restored.

Preparation

The preparation of the Allegro Network Multimeter is very simple. We recommend to use this feature with an activated ring buffer to allow the extraction of pcap subsets. Simply attach a USB3 disk or, if installed, use the internal disk as a ring buffer. If it is a USB disk or stick that has not been used before, a popup will be displayed and will guide you to format the disk and to set up the ring buffer.

Pcap upload

To use the Allegro Network Multimeter as a forensic analysis tool, navigate to "Generic" -> "Pcap analysis" and press pcap upload.

Here, you can select the pcap file you want to analyze by either dragging it from your file browser to the drop zone on the page or by clicking into the drop zone and selecting it via a file chooser dialog.

After a file is selected, click the "Upload and analyze pcap" button. A new modal dialog will open:

Please carefully read the warnings and consider if you want to use the capture ring buffer.

If you activate the capture ring buffer, it is easy to extract certain parts of the pcap using the measurement modules of the Allegro Network Multimeter. All pcap download buttons will extract the specified parts as with live network traffic.

After starting confirming the dialog, the upload will start

The table at the bottom of the page will show you the upload progress. Even with upload still in progress, you can switch to some measurement module and investigate the contents of the pcap file.