What information am I sharing when I upload a packet capture?
How long does analysis take?
Analysis takes around 15 seconds per packet capture. PacketTotal employs a queue-based, distributed processing model, meaning analysis time is proportional to the number of captures in front of yours. On average, packet captures take 2-3 minutes to be queued and analyzed under times of high load.
What does PacketTotal offer that a traditional packet capture tool does not?
PacketTotal automates the analysis of your packet captures, with powerful back-end algorithms that produce clear visualizations of what's happening in your network traffic. We automate the extraction of information useful for security analysts, researchers, and defenders around the world. On top of extracting information useful to quickly understanding the scope of a security incident or how a particular piece of malware communicates, PacketTotal:
- Extracts artifacts found inside the packet capture and makes them available for download
- Reconstructs a timeline of TCP, UDP, and ICMP connections within the capture
- Provides drill-down analytics that can aid in understanding the behavior of traffic found within the capture
Why am I getting error messages when uploading a packet capture?
Currently, you are limited to 50 MB packet captures. We use server-side content inspection of packet captures to validate they can be processed by the processing nodes. Some .pcapng files fall outside of this criteria. If you receive an error uploading a .pcapng file, re-open the packet capture in a tool like WireShark, and save as a standard .pcap file.
What technologies does the tool use to perform the analysis?
Quite a few! The engine is 100% coded in Python and relies on a custom templating engine for page rendering. At the heart of PacketTotal, we use three phenomenal open-source technologies to facilitate analysis, retention, and searching.
- Bro for identifying the various protocols and extract artifacts found within the capture.
- Suricata for signature based identification of known malicious traffic within the capture.
- Elasticsearch for indexing packet capture meta-data, and making it available for search and rendering in the future.
I want to analyze a packet capture with sensitive information, and do not want it to be available publicly.
This is an excellent use case. One of the primary goals of this project was to allow open intel sharing of malicious packet captures accross the InfoSec community. We are currently developing a private API which we plan to make available at the start of 2018. For the time being, simply use one of the numerous pcap editing tools to redact any information you do not want shared prior to upload.
I found a bug or security vulnerability! How should I report it?
This software has been put through tens-of-thousands of automated tests, however it is completely possible something was missed. If you find a bug, please report it to firstname.lastname@example.org.