NetFort Advertising

PCAP File Analysis and Extraction Using LANGuardian

23 November 2018 NetFort Blog By: Darragh Delaney
PCAP File Analysis

Working With PCAP Files

PCAP or packet capture files can be extracted from the network by using applications such as Wireshark or exporting them from network devices such as firewalls. They contain one or more network packets which can be used for troubleshooting network or application problems.

While they are useful for troubleshooting a very focused event, they can become difficult to work with if you capture traffic from multiple network devices. You may end up with millions of network packets which can be very time consuming if you try and review each one.

PCAP Features of LANGuardian

Capturing network metadata is an ideal approach when it comes to handling large packet captures. Just capture the human readable bits like IP address or SMB filename and discard the rest of the packet data. This is the approach we have used in our LANGuardian product for many years.

However, when reviewing customer feature requests, we noticed that a few had requested direct access to the traffic on the actual SPAN/mirror port or TAP connected to the LANGuardian. When we asked why the response made perfect sense:

Sometimes when troubleshooting issues we need to direct access to all the traffic to get to the detail and proof we need. So we usually  take a packet capture and analyze it with tools like Wireshark.

Instead of grabbing a laptop, going down to the server room plugging it into the correct location, why not use our LANGuardian sensors? You guys are already connected and have access to the traffic across our network, we would like to use your sensors to take a PCAP very easily when we need to.

A simple request, took some effort to implement but has been very well received. Even this week for example I was on a call with a prospect who was using our LANGuardian and our GEO IP reports had spotted a machine on his network trying to make a connection to a server in China. He reckoned it was probably a bug in our software and said ‘Let me get my laptop and take a PCAP’. I  immediately told him that we can do it immediately using the LANGuardian.

He took the PCAP, we analyzed it, it had the same strange IP address and it verified our LANGuardian reports. Turns out that a well knows security appliance was making the connection request for some reason and he immediately contacted them.  Interesting use case which also shows how important it is to have ‘eye on the traffic’ everywhere and have easy access to the traffic.

Extracting PCAP files from LANGuardian

You can extract network packets with or without filters by using the PCAP File Management page. To extract network packets, you must follow these steps:

  1. Choose a network interface to capture packets from. It can be a local interface or an interface on a remote LANGuardian sensor.
  2. The filter field is optional. Common examples would be:
    • host 10.1.1.100 – which captures all traffic associated with 10.1.1.100
    • host 10.1.1.100 and port 80 and port 25. Traffic associated with host 10.1.1.100 can be captured on ports 80 and 25.
    • Further examples can be found on this wireshark wiki page
  3. When it comes to the number of packets, choose a small value like 100 initially. The more packets you capture, the larger the PCAP file.
  4. Choose a file name. Be sure to use the .PCAP extension if you want applications like Wireshark to recognize them.

The video below shows an example of this feature in use:

Importing PCAP files into LANGuardian

PCAP files can be sourced from many applications and systems. The most popular would be standalone applications like Wireshark or extracted directly from firewall appliances. If you capture traffic for an extended period or from a SPAN or mirror port, they can be large and take time to analyze if you go through one packet at a time.

You can import a PCAP file from any source into LANGuardian. Once the file is imported, it is sent to an IDS and traffic analysis application. The steps involved to import and view the data are:

  1. Log onto your LANGuardian instance and click on the gear symbol on the top right. Select PCAPs
  2. Choose the option to
  3. Upload your PCAP file and then click on Process
  4. Click on reports and select Applications in Use. This will show what application activity was captured within the PCAP.
  5. From the sensor drop down, select your PCAP sensor and then run the report
  6. You can repeat the process with the Top Network Events report to check for any Malware or suspicious activity within the PCAP

The video above goes through this process. PCAP import section starts at 3:40.

If you have any questions about how to monitor traffic on your network using LANGuardian, or would like to know more about how our network traffic monitoring tool can meet your organization´s requirements, do not hesitate to contact us and speak with a member from our technical support team.