The CyberSift Packet Capture Parser — Intro

David Vassallo, CyberSift
Aug 22, 2018

One of the most frequent questions we get is how to extract information from a Wireshark packet capture, such as the bandwidth used:


Wireshark has various built-in tools that help you extract this information. We decided to take this a step further and, besides the amount of bandwidth used, also extract known bad IP addresses, DNS queries, and very simple statistical anomaly analysis. This lets us showcase a bit of the work we do at CyberSift and how CyberSift could be useful to your Security Operations Center. To this end we’re launching a free online service where you can upload a standard pcap file and have the data extracted from it presented in easy-to-understand visualizations.

The service can be found at https://pcap-parser.cybersift.io, and in the screencast below I give a 10-minute overview of using the system:

Screencast: 10-minute overview of the PCAP Parser

In this article series we’ll explore in a bit more depth the features of the PCAP Parser, why we included them and how you can use them to your advantage in your investigations. A few things of note:

  • You need a Google account to access the system.
  • Only packet captures of up to 10 MB are accepted.
  • Only packet captures in the classic “.pcap” format are accepted, not “.pcapng” or similar.
  • We’re running the system on limited resources, so it may take a while for your packet capture to be picked from the first-come, first-served queue and processed… so upload your packet capture, grab a cup of coffee and reload a few times.
  • For more in-depth analysis, and a much more powerful suite of anomaly-detection algorithms, consider contacting us for the full CyberSift product.
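As an added illustration (not code from this post or from the CyberSift service), the small pure-Python reader below applies the upload rules listed above to a constructed sample capture: it rejects pcapng by its section-header magic, enforces the 10 MB limit, walks the classic libpcap record headers, and derives the packet count, byte total and average bandwidth that the post mentions. The header layout is the standard libpcap one; the sample bytes are built inline.

```python
import struct

# Classic pcap magic, read little-endian, mapped to (struct byte order, nanosecond timestamps)
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", False), 0xD4C3B2A1: (">", False),
    0xA1B23C4D: ("<", True),  0x4D3CB2A1: (">", True),
}
PCAPNG_SHB = 0x0A0D0D0A        # pcapng Section Header Block type: rejected, as the service does
MAX_SIZE = 10 * 1024 * 1024    # the 10 MB upload limit from the post

def summarize_pcap(data: bytes) -> dict:
    """Validate a classic .pcap byte string; return packet count, bytes, duration and average bps."""
    if len(data) > MAX_SIZE:
        raise ValueError("capture exceeds the 10 MB limit")
    if len(data) < 24:
        raise ValueError("too short to hold a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAPNG_SHB:
        raise ValueError("pcapng detected; only classic .pcap is accepted")
    if magic not in PCAP_MAGICS:
        raise ValueError(f"unknown magic 0x{magic:08x}")
    order, nanos = PCAP_MAGICS[magic]
    off, count, total, first, last = 24, 0, 0, None, 0.0   # skip the 24-byte global header
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header")
        sec, frac, incl_len, orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        if off + 16 + incl_len > len(data):
            raise ValueError("truncated packet data")
        last = sec + frac / (1e9 if nanos else 1e6)
        first = last if first is None else first
        count, total, off = count + 1, total + orig_len, off + 16 + incl_len   # orig_len = on-wire size
    duration = (last - first) if count else 0.0
    bps = total * 8 / duration if duration > 0 else 0.0
    return {"packets": count, "bytes": total, "duration_s": duration, "bits_per_second": bps}

def accepted(data: bytes) -> bool:
    """True if the capture passes the checks the service applies, False otherwise."""
    try:
        summarize_pcap(data)
        return True
    except ValueError:
        return False

def build_pcap(records) -> bytes:
    """Constructed sample: little-endian classic pcap, linktype 1 (Ethernet), zero-filled payloads."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, length in records:
        out += struct.pack("<IIII", sec, usec, length, length) + b"\x00" * length
    return out

SAMPLE_PCAP = build_pcap([(1000, 0, 60), (1000, 500000, 1500), (1002, 0, 440)])   # 2000 bytes over 2 s
SAMPLE_PCAPNG = struct.pack("<IIIHHqI", PCAPNG_SHB, 28, 0x1A2B3C4D, 1, 0, -1, 28)  # bare pcapng SHB
```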

Links to articles in this series

Descriptive Analysis

Anomaly Analysis
