new collaborative network forensics tool for massive pcap libraries

Thomas Maufer tmaufer at gmail.com
Mon Aug 24 14:21:33 CDT 2009


I wanted to share with the NANOG community this likely interesting bit of
pcap wrangling technology that Mu announced yesterday. Here is the
announcement on the new network forensics application within
pcapr <http://www.pcapr.net/>:

Collaborative Network Forensics

Mu Dynamics (http://www.mudynamics.com/) took the recently
published dataset by the U.S. Army Information Technology & Operations
Center (ITOC, http://www.itoc.usma.edu/) from the “2009 Inter-Service
Academy Cyber Defense Competition”
(http://www.itoc.usma.edu/research/dataset/index.html), as well as the
Shmoo Group’s “Capture the Capture the Flag” (CCTF, http://cctf.shmoo.com/)
dataset (for a grand total of 15.0 GBytes / 26.3 million packets),
and indexed them all to enable contextual search and instant access to
packets, not to mention Hacker-News/Twitter-style one-liners attached to
packets and searches for a community-oriented collaborative forensics
application.

Check it out (read the blog, linked below, first):

- http://bit.ly/12I62D for the blog and
- http://www.pcapr.net/forensics for the online app

Enjoy!


A brief background on pcapr:

It’s a web-based pcap repository (hence, pcapr) that has some powerful pcap
manipulation capabilities. The pcaps on pcapr are fully decoded and editable
and you can manipulate them in novel ways: You can identify and isolate or
decode streams, remove garbage from the pcap (i.e., extraneous packets from
protocols that you aren’t interested in), reorder packets, save subsets or
modified pcaps without destroying the original, etc. All this happens at
http://www.pcapr.net/, which is open to the public.



If you can access the web, you can access the pcapr database and upload your
own local pcaps for analysis. All registered users can upload up to 5 pcaps
into a scratch space that is private to them. There are currently
250 protocols represented on pcapr across over 1500 pcaps, in
addition to the forensics application with its 26.3 million packets.
Finally, a free denial-of-service traffic generator is available on pcapr;
you can turn any packet you find on pcapr into a DoS template.


All the best,
~tom

-- 
Thomas Maufer
Mu Dynamics, Inc.
  * Dir., Tech. Mktg.
  * Solutions Architect
Mu Line Blog: http://bit.ly/mu-line-blog
Mu Labs Blog: http://bit.ly/mu-labs-blog
Mu on twitter: http://bit.ly/mu-twitter
Mu on YouTube: http://bit.ly/mu-youtube
Mu on Facebook: http://bit.ly/mu-on-facebook
Mu Community sign-up: http://bit.ly/mu-community-signup
Got packets? Use pcapr: http://bit.ly/pcapr
Email to Thomas Maufer: mailto:tmaufer at mudynamics.com
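To make the pcap wrangling described in the post concrete for readers who want to do the same thing locally, here is an added, stand-alone example. It is written for this archive page; it is not pcapr code, not Mu Dynamics code, and not part of Tom's message. It performs the operations the post lists on a classic libpcap file: parse the file, isolate one bidirectional TCP stream, drop packets from other protocols (here an unrelated DNS query and a second HTTP client), restore timestamp order, and write the subset out as a new pcap without touching the original. The sample capture, MAC/IP addresses, ports and payloads are constructed inline and are not real traffic; the IP/TCP/UDP checksums are left at zero and are not validated by this parser.

```python
import struct
from collections import namedtuple

# Classic libpcap (not pcapng) layout; the magic read in the wrong byte order
# tells us the file was written big-endian.
PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1

Packet = namedtuple("Packet", "ts_sec ts_usec orig_len data")

def write_pcap(packets, linktype=LINKTYPE_ETHERNET):
    """Serialise packets into a fresh little-endian pcap blob (version 2.4)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, linktype)]
    for p in packets:
        out.append(struct.pack("<IIII", p.ts_sec, p.ts_usec, len(p.data), p.orig_len))
        out.append(p.data)
    return b"".join(out)

def read_pcap(blob):
    """Parse a pcap blob into (linktype, [Packet]); rejects truncated records."""
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng / nanosecond pcap not handled)")
    ghdr, rhdr = struct.Struct(end + "IHHiIII"), struct.Struct(end + "IIII")
    linktype = ghdr.unpack_from(blob, 0)[6]
    off, packets = ghdr.size, []
    while off + rhdr.size <= len(blob):
        ts_sec, ts_usec, incl_len, orig_len = rhdr.unpack_from(blob, off)
        off += rhdr.size
        data = blob[off:off + incl_len]
        if len(data) != incl_len:
            raise ValueError("truncated packet record at offset %d" % off)
        off += incl_len
        packets.append(Packet(ts_sec, ts_usec, orig_len, data))
    return linktype, packets

def flow_key(frame):
    """(proto, src, sport, dst, dport) for an Ethernet/IPv4 TCP or UDP frame, else None.
    Non-IPv4 frames, other IP protocols and non-first IP fragments (whose L4
    header is not in the frame) return None instead of a guessed key."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    frag_off = struct.unpack_from("!H", frame, 20)[0] & 0x1FFF
    if ihl < 20 or frag_off != 0 or proto not in (6, 17) or len(frame) < 14 + ihl + 4:
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return (proto, src, sport, dst, dport)

def same_flow(a, b):
    """True if a and b name the same 5-tuple in either direction."""
    return a == b or a == (b[0], b[3], b[4], b[1], b[2])

def isolate_stream(blob, key):
    """Keep only packets of one bidirectional flow, restore capture-time order
    and return a NEW pcap blob; the input is never modified."""
    linktype, pkts = read_pcap(blob)
    kept = [p for p in pkts if flow_key(p.data) is not None and same_flow(flow_key(p.data), key)]
    kept.sort(key=lambda p: (p.ts_sec, p.ts_usec))
    return write_pcap(kept, linktype)

# ---- constructed sample capture (not real traffic; checksums left at zero) ----
def _ip(s):
    return bytes(int(x) for x in s.split("."))

def _eth_ipv4(proto, src, dst, l4):
    iphdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0, 64, proto, 0, _ip(src), _ip(dst))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + iphdr + l4

def _tcp(sport, dport, payload):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0) + payload

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _pkt(sec, usec, frame):
    return Packet(sec, usec, len(frame), frame)

# Records are deliberately out of timestamp order and mix in a DNS query and a
# second HTTP client, so isolation has something to drop and something to reorder.
SAMPLE_PCAP = write_pcap([
    _pkt(100, 500, _eth_ipv4(17, "10.0.0.1", "10.0.0.53", _udp(5353, 53, b"dns query"))),
    _pkt(100, 900, _eth_ipv4(6, "10.0.0.2", "10.0.0.1", _tcp(80, 40000, b"HTTP/1.0 200 OK\r\n"))),
    _pkt(100, 200, _eth_ipv4(6, "10.0.0.9", "10.0.0.2", _tcp(40001, 80, b"GET /other HTTP/1.0\r\n"))),
    _pkt(100, 0, _eth_ipv4(6, "10.0.0.1", "10.0.0.2", _tcp(40000, 80, b"GET / HTTP/1.0\r\n"))),
])
HTTP_FLOW = (6, "10.0.0.1", 40000, "10.0.0.2", 80)   # hypothetical client/server pair

if __name__ == "__main__":
    subset = isolate_stream(SAMPLE_PCAP, HTTP_FLOW)
    for p in read_pcap(subset)[1]:
        print(p.ts_sec, p.ts_usec, flow_key(p.data), p.data[54:])
    with open("http_flow.pcap", "wb") as fh:   # readable by tcpdump/Wireshark
        fh.write(subset)
```

To run it against a real capture, replace SAMPLE_PCAP with the bytes of a file opened in "rb" mode and pick the 5-tuple you want from flow_key() on its packets. The parser deliberately refuses pcapng and nanosecond-resolution pcap rather than misreading their timestamps, and it rejects truncated trailing records instead of silently dropping them; both are common surprises when pulling files out of a large shared pcap library.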



More information about the NANOG mailing list