PacketTotal is a free tool for analyzing packet captures that has recently been offered to the infosec community.
Available online, the tool is powered by a Python-based engine and uses several open source technologies:
- BRO IDS for identifying the various protocols and extracting artifacts found within the capture.
- Suricata IDS for signature-based identification of known malicious traffic within the capture.
- Elasticsearch for indexing packet-capture metadata and making it available for later search and rendering.
PacketTotal is meant to provide security analysts and researchers with useful information in a matter of minutes: the artifacts inside the packet capture, the TCP, UDP and ICMP connections it contains, the protocols in use, and so on. The extracted artifacts can also be downloaded.
The author is Jamin Becker, and his main goal is to allow open intel sharing of malicious packet captures across the infosec community.
“Before you start analyzing packet captures it is important to remember that once analysis has started the information within the packet capture file becomes available to the Internet,” he warned.
“The tool was intended for packet-captures generated within sandboxed environments, ensuring that no potentially confidential information is exposed. It will, however, accept any .pcap or .pcapng file under 50MB.”
Becker advises users to redact any information they don’t want to share with a .pcap editing tool.
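As an added illustration of that advice (example code written for this article, not part of PacketTotal or any tool Becker ships), the script below performs the two checks a submitter would want before uploading: it rejects files over the 50MB limit or without a .pcap/.pcapng signature, and it rewrites every private IPv4 address in a classic pcap to a stable pseudonym in the TEST-NET-1 documentation range, recomputing the IP and TCP/UDP checksums so the result still parses cleanly. The sample capture it builds is constructed inline; the mapping range, the Ethernet-only restriction and the decision to leave public addresses untouched are choices made for this example.

```python
"""Pre-upload check and address redaction for a classic .pcap file. Added example, not
PacketTotal's code: enforces the stated size/format limits and pseudonymises private IPv4s."""
import ipaddress
import struct

MAX_UPLOAD_BYTES = 50 * 1024 * 1024              # the 50MB limit stated for PacketTotal
PCAP_MAGICS = {0xA1B2C3D4: ">", 0xD4C3B2A1: "<"}  # magic read big-endian -> file byte order
PCAPNG_MAGIC = 0x0A0D0D0A                        # section header block type, byte-order neutral

def classify_capture(data: bytes) -> str:
    """Return 'pcap' or 'pcapng'; raise ValueError if the upload would be rejected."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise ValueError("capture exceeds the 50MB upload limit")
    magic = struct.unpack(">I", data[:4])[0] if len(data) >= 24 else None  # 24 = global header
    if magic in PCAP_MAGICS:
        return "pcap"
    if magic == PCAPNG_MAGIC:
        return "pcapng"
    raise ValueError("not a .pcap or .pcapng file")

def inet_checksum(payload: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words (0 when verifying a good header)."""
    if len(payload) % 2:
        payload += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(payload) // 2), payload))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _frames(data: bytes):
    """Yield (record_header, frame, ipv4_header_len) per packet; the length is 0 for non-IPv4."""
    endian = PCAP_MAGICS[struct.unpack(">I", data[:4])[0]]
    pos = 24                                               # skip the global header
    while pos + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[pos + 8:pos + 12])[0]
        frame = data[pos + 16:pos + 16 + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet record")
        ihl = (frame[14] & 0x0F) * 4 if len(frame) >= 34 and frame[12:14] == b"\x08\x00" else 0
        yield data[pos:pos + 16], frame, ihl if 20 <= ihl <= len(frame) - 14 else 0
        pos += 16 + incl_len

def ipv4_addresses(data: bytes) -> set:
    """Collect every IPv4 source/destination address seen in a classic pcap."""
    found = set()
    for _, frame, ihl in _frames(data):
        if ihl:
            found.update(str(ipaddress.IPv4Address(frame[o:o + 4])) for o in (26, 30))
    return found

def _fix_transport_checksum(pkt: bytearray, ihl: int) -> None:
    """Recompute the TCP/UDP checksum, whose pseudo-header covers the rewritten addresses."""
    proto, total_len = pkt[23], struct.unpack("!H", pkt[16:18])[0]
    fragmented = struct.unpack("!H", pkt[20:22])[0] & 0x3FFF   # MF flag or non-zero offset
    l4, l4_len, off = 14 + ihl, total_len - ihl, {6: 16, 17: 6}.get(proto)
    if off is None or fragmented or len(pkt) < 14 + total_len or l4_len < off + 2:
        return                                             # cannot recompute; leave as captured
    pkt[l4 + off:l4 + off + 2] = b"\x00\x00"
    pseudo = bytes(pkt[26:34]) + struct.pack("!BBH", 0, proto, l4_len)
    csum = inet_checksum(pseudo + bytes(pkt[l4:l4 + l4_len]))
    pkt[l4 + off:l4 + off + 2] = struct.pack("!H", csum or (0xFFFF if proto == 17 else 0))

def redact_pcap(data: bytes) -> bytes:
    """Rewrite private IPv4 addresses to stable pseudonyms in TEST-NET-1 (192.0.2.0/24)."""
    if classify_capture(data) != "pcap":
        raise ValueError("only classic pcap is rewritten here; pcapng is block-structured")
    endian = PCAP_MAGICS[struct.unpack(">I", data[:4])[0]]
    if struct.unpack(endian + "I", data[20:24])[0] != 1:   # link type 1 = Ethernet
        raise ValueError("only Ethernet link-layer captures are handled")
    pseudonyms = {}
    def pseudonym(raw: bytes) -> bytes:
        if not ipaddress.IPv4Address(raw).is_private:
            return raw                                     # public addresses are kept
        if raw not in pseudonyms:
            if len(pseudonyms) == 254:
                raise ValueError("more than 254 private hosts; TEST-NET-1 exhausted")
            pseudonyms[raw] = (ipaddress.IPv4Address("192.0.2.0") + len(pseudonyms) + 1).packed
        return pseudonyms[raw]
    out = bytearray(data[:24])
    for header, frame, ihl in _frames(data):
        pkt = bytearray(frame)
        if ihl:
            pkt[26:30], pkt[30:34] = pseudonym(frame[26:30]), pseudonym(frame[30:34])
            hdr = bytes(pkt[14:24]) + b"\x00\x00" + bytes(pkt[26:14 + ihl])  # checksum zeroed
            pkt[24:26] = struct.pack("!H", inet_checksum(hdr))
            _fix_transport_checksum(pkt, ihl)
        out += header + pkt
    return bytes(out)

def build_sample_pcap() -> bytes:
    """Constructed sample: one Ethernet/IPv4/UDP datagram 192.168.1.10 -> 8.8.8.8:53."""
    src, dst = ipaddress.IPv4Address("192.168.1.10").packed, ipaddress.IPv4Address("8.8.8.8").packed
    udp = struct.pack("!HHHH", 51234, 53, 20, 0) + bytes(12)     # 12-byte placeholder payload
    pseudo = src + dst + bytes([0, 17, 0, 20])                    # zero, proto UDP, UDP length
    udp = udp[:6] + struct.pack("!H", inet_checksum(pseudo + udp)) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    frame = bytes.fromhex("001122334455" "66778899aabb" "0800") + ip + udp
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # little-endian, Ethernet
    return header + struct.pack("<IIII", 1, 0, len(frame), len(frame)) + frame
```

Running `redact_pcap(build_sample_pcap())` turns the 192.168.1.10 host into 192.0.2.1 while 8.8.8.8 stays as is, and `ipv4_addresses` on the output confirms it. Addresses are only one kind of sensitive content: hostnames, credentials and internal paths in payloads survive this pass, so the output still deserves a look in a packet viewer before it is uploaded, and pcapng or VLAN-tagged captures need a different rewriter.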
He also says that he has big plans for this project and more improvements in the pipeline. Help Net Security has reached out to him for more information, and we will update this item when he gets back to us.
As it turns out, Becker has been working on PacketTotal for the past year and a half, and has had a ton of fun building it. He’s a senior information security engineer at SPX Corporation, but this project is completely independent from the company and he’s been working on it in his spare time.
Of course, the technologies that it’s based on – BRO, Suricata, and Elasticsearch – are open-source, and have been in development for years.
His plans for PacketTotal are many, but first and foremost he means to scale the backend properly.
“I initially released the tool to a fairly small community, and since then the volume to the site has risen almost exponentially every day. In the immediate future, I plan on adding several additional analyst tools; currently only whois and IP2GEO are supported,” he explained.
“Currently, I only support a handful of analytics options, but I plan on adding more, as well as several new chart types in the analytics view. A private submission UI and API are in the works, and I’m targeting roughly mid-2017 to late-2017 before these features go live. I also am playing with the idea of post-processing analysis which would give additional insight into malicious packets, as well as giving users the ability to tag custom IOCs within the packet-capture.”
Overall, the feedback from the community has been very positive, he told me. He received several emails about integrating open-threat feeds into the tool, and he plans on leveraging them.
“I’ve had several questions about the possibility of open-sourcing this tool. I certainly plan on open-sourcing multiple components of it once I have done some major refactoring,” he added.
“I love open-source technology, PacketTotal would not exist without it, and I’m excited to see what the community can do with it. Also, I am very open to any criticism/suggestions that my users may have. If a feature is unsatisfactory or you have a cool idea, I want to know about it so I can take steps to fix/incorporate it.”