Finding a Needle in a PCAP

Abstract

It can be difficult to find what we are looking for in a large PCAP repository, even when we know what to look for and where to look. When traffic captures reach multi-gigabyte sizes, the number of tools that can even begin processing these files is limited. SiLK and other flow analysis tools make it possible to quickly narrow down the search area, but when ground truth is required, we are often back to square one when searching for a particular packet or flow in large traffic captures. This presentation will describe the available features in YAF for indexing large PCAP files by flow. We will provide relevant examples of common analysis techniques with various tools from the CERT NetSA Security Suite and show how to perform complementary PCAP analysis with YAF. This presentation will also touch on deploying a tiered approach to network monitoring storage and ways to maximize storage without compromising network analysis.


Document Details

Document Type
Technical Report
Publication Date
Jan 27, 2015
Accession Number
ADA619265

Entities

People

  • Emily Sarneso

Organizations

  • Carnegie Mellon University

Tags

Communities of Interest

  • Sensors

DTIC Thesaurus Topics

  • Abstracts
  • Computer Programs
  • Department Of Defense
  • Engineering
  • Guarantees
  • Information Operations
  • Law
  • Materials
  • Shell Scripts
  • Software Development
  • United States
  • Universities

Fields of Study

  • Computer science

Readers

  • Computer Networking
  • Distributed Systems and Data Platform Development
  • Educational Psychology