First, we create flow records by yaf from the PCAP file /data/big.pcap, with additional parameters that add application labeling, avoid packet truncation by employing a generous packet size restriction, and output records compatible with SiLK conversion onto standard output, which pass to rwipfix2silk to generate the restricted record format used by SiLK, including VLAN tags, into the file /tmp/yaf2flow.rw: $ yaf -in=/data/big.pcap -out=- \ Let's assume we have one large PCAP that we would like to analyze. However, application labeling is not essential for packet operations. Note: YAF must be configured with application labeling in order to perform the analysis described below. In addition, this example uses capinfos, a program installed with Wireshark, that provides statistics of PCAP files. It also uses SiLK for some basic flow analysis. The following tutorial uses YAF and the tools that are installed with YAF. However, the pcap-per-flow option is not recommended for networks with high data speeds. Additionally, these features can be used on live traffic. YAF provides a couple options for performing analysis over one or more large PCAP files. Often analysis of very large PCAP files can be difficult due to lack of tools for effectively reading and slicing large PCAP files. This multiplicity of options emphasize the flexibility of the NetSA tool suite, which provides the analyst several possible choices of tools to use, depending on their tasking and their analysis environment. The following sections show several options for the same analysis task, isolating packets corresponding to a specific Yahoo Messenger interaction. Multiple File Example - the second example, which integrates results across several capture files Packet-per-flow - the fourth alternative, working with each packet individually, which is often much slower Using a Berkeley Packet Filter (BPF) - the third alternative, using YAF only, but producing results that may not be precise Use getFlowKeyHash and YAF - the second alternative, not as fast as the first, but using fewer tools
Index with Capture Meta File - the first alternative, using several tools but often producing faster response Single File Example - discussion of the principle example, presenting a process for just one capture file, and the several variations presented in the tutorial Overview - comments regarding the tutorial and the tools used in it In some cases, the packet analysis may yield further conditions to pull other network flow records, completing an iterative cycle.
Starting from network flow records allows the analyst to more closely focus the examination of packets, and to improve the efficiency of analysis. Specific packet-by-packet detail provides more evidence and more surety of analysis results. These features allow YAF to support a variety of analyses that move from analysis of network flow records and drill down into the packets that are generated from those flows. Both tutorials assume you are using the most recent release of YAF.
WIRESHARK PCAP CAPTURES HOW TO
A companion tutorial, Rolling Packet Capture (PCAP) Export with YAF, will discuss how to enable YAF to create a rolling buffer of PCAPs and index the PCAPs by flows. This tutorial makes use of two additional tools that are installed with YAF, yafMeta2Pcap and getFlowKeyHash. It will discuss the various approaches to indexing PCAP and isolating PCAP for a particular flow. This tutorial describes how to use YAF's features that support use of packet capture (PCAP) files.
0 kommentar(er)
