Deep Packet Analysis on Cloud

September 8, 2010

As we are discussing all about cloud in this issue, we'd love to see a few tools on the cloud itself. The most interesting work for any security professional is analyzing packet captures, our friendly .pcap files. PCAP files can be generated from your favorite tools like tcpdump or Wireshark. Let's look at two ways to understand and do deep packet analysis on the cloud itself.

PCAPR

http://pcapr.net is a social not-working site, where 'friends' can learn from and teach each other about pcaps.
It's a web service where you can upload your pcap files and study the packets inside them.

As a drawback, you can upload only 4048kb files, limited to 500 packets per file. Check out http://pcapr.net/faq for other details.

The PCAPR project has another cloud-based tool called XTRACTR (http://www.pcapr.net/xtractr). xtractr is a hybrid cloud application for indexing, searching, reporting, extracting and collaborating on pcaps. This enables you to rapidly identify field issues and perform network forensics and troubleshooting with just a few clicks. The lite version of xtractr can index up to 10 million packets or 1 Gbyte of pcaps.

Cloudshark

Now the question arises: if we already have our favorite Wireshark and have to use it for pcap generation anyway, why can't we use it alone, and why look for something similar in interface?

The point of having such a tool online is that you can generate a pcap from anywhere and upload it for future reference. And as far as the UI is concerned, let's look at CloudShark (http://cloudshark.org/). As per CloudShark:

We work with network capture files on a daily basis. After trying to view capture files on mobile devices without Wireshark support, we realized it was time to move packets to the cloud. The CloudShark idea was born. CloudShark was created to make viewing capture files easy from any device ranging from desktops to smart phones. After creating our own solution, we decided to make it available to everyone as CloudShark.org.

The interface of CloudShark is similar to your favorite Wireshark, and you can view/analyze packets the same way you would in Wireshark. Working with CloudShark is simple.

  • Generate your capture file or use an existing capture file
  • Email it, upload it, or link it
  • CloudShark does the rest by providing a decode session
  • If you email CloudShark with an attached capture file, we'll email you back with a link to your decode session
  • Send your capture files as an attachment to cap@cloudshark.org
  • If you are in the browser already, we'll drop you into your decode session

But the limitation on packet capture size applies to CloudShark as well: here you are allowed to view only the first 2500 packets.
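Both services cap what they will take (500 packets and 4048kb on pcapr, the first 2500 packets on CloudShark), so it helps to trim a capture locally before uploading rather than letting the service silently drop the tail. The following is an added example, not code from pcapr or CloudShark: a small classic-pcap trimmer that walks the global header and per-packet records and keeps the first N packets that also fit under a byte budget. It assumes classic pcap (magic 0xA1B2C3D4 in either byte order), not pcapng, and the sample capture it builds is constructed inline.

```python
import struct

GLOBAL_HDR_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
PKT_HDR_LEN = 16      # ts_sec, ts_usec, incl_len, orig_len


def trim_pcap(data: bytes, max_packets: int, max_bytes: int):
    """Return (trimmed pcap bytes, packets kept) for a classic pcap.

    Stops at the packet limit, before the byte budget would be exceeded,
    or at a truncated trailing record, so the output is always well-formed.
    """
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("not a pcap: global header is truncated")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"          # file written little-endian
    elif magic == 0xD4C3B2A1:
        endian = ">"          # file written big-endian
    else:
        raise ValueError("unsupported magic (pcapng needs a different parser)")

    out = bytearray(data[:GLOBAL_HDR_LEN])   # global header copied verbatim
    off, kept = GLOBAL_HDR_LEN, 0
    while off + PKT_HDR_LEN <= len(data) and kept < max_packets:
        _sec, _usec, incl_len, _orig = struct.unpack(
            endian + "IIII", data[off:off + PKT_HDR_LEN])
        rec_end = off + PKT_HDR_LEN + incl_len
        if rec_end > len(data):
            break                              # partial last record: drop it
        if len(out) + PKT_HDR_LEN + incl_len > max_bytes:
            break                              # next record would bust the budget
        out += data[off:rec_end]
        kept += 1
        off = rec_end
    return bytes(out), kept


def build_sample_pcap(n_packets: int, payload_len: int = 60) -> bytes:
    """Constructed test input: n Ethernet-linktype records of payload_len bytes."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b""
    for i in range(n_packets):
        payload = bytes([i & 0xFF]) * payload_len
        body += struct.pack("<IIII", 1283900000 + i, 0, len(payload), len(payload))
        body += payload
    return hdr + body
```

Run `trim_pcap(open("big.pcap", "rb").read(), 500, 4048 * 1024)` and write the first element out to get a pcapr-sized upload; the second element tells you how many packets survived.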
