You're not sure what data your packet capture really contains, and it is too big to be opened with Wireshark or other tools? Visualize it using Squey, isolate the packets or sessions of interest with arbitrarily complex criteria, and then export them to smaller PCAP file(s).
As an example, we will load the complete MACCDC 2012 PCAP dataset composed of 17 files (~17GB) and export HTTP communications between IPs 192.168.203.63 and 192.168.229.101 on port 80.
Click on the Pcap... button under the SOURCES section of the start page, then click on the Manage profiles button.
First, let's choose the packet fields we would like to use for filtering. Almost all fields supported by Wireshark are available, but keep in mind that the more fields you choose, the slower the packet captures will load and the more RAM they will occupy.
Click on New profile, enter the profile name of your choice and click Ok.
Then click Select and browse to one of the PCAP files of the dataset.
For this example we chose the following fields:
frame.time, eth.dst, eth.src, ip.dst, ip.src, tcp.srcport, tcp.dstport
We also checked the Protocol field in the Options tab.
Save your profile and load the packet captures using the newly created profile.
The packet captures should now be displayed using parallel coordinates with the fields you selected as columns.
In order to isolate this communication, we will successively apply 4 stages of filtering:
1. Right-click on the _ws.col.Protocol column header, select Distinct values, click on HTTP and close the dialog.
2. Right-click on the ip.dst column header, select Search for..., paste the two IP addresses below and click Apply.
192.168.229.101
192.168.203.63
3. Repeat the same filtering operation on the ip.src column.
4. Right-click on the tcp.dstport column header, select Distinct values, click on 80 and close the dialog.
Now that the communication is properly isolated, it is time to export it back as a PCAP file.
Click File > Export > Selection... and save the PCAP wherever you want.
The application has just filtered the packets contained in the original PCAP files. The default option Export complete TCP streams will also export the entire session each selected packet belongs to, so the exported file contains whole conversations rather than only the packets that matched the filter.
You can now open the exported PCAP with Wireshark or your favorite tools.
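As an added example that is not part of Squey or of this walkthrough, the following Python script reproduces the four filtering stages above on a list of already-dissected packets (constructed dicts keyed by the same Wireshark field names the profile used) and then expands the selection to complete TCP streams, which is what the default Export complete TCP streams option is described to do. It shows why the server's replies from port 80 end up in the export even though they do not pass the tcp.dstport filter themselves.

```python
TARGET_IPS = {"192.168.229.101", "192.168.203.63"}  # hosts from the walkthrough


def stream_key(pkt):
    # Direction-independent TCP 4-tuple: both halves of a conversation map here.
    ends = [(pkt["ip.src"], pkt["tcp.srcport"]), (pkt["ip.dst"], pkt["tcp.dstport"])]
    return tuple(sorted(ends))


def matches(pkt):
    # The four filtering stages: Protocol, ip.dst, ip.src, tcp.dstport.
    return (pkt["_ws.col.Protocol"] == "HTTP"
            and pkt["ip.dst"] in TARGET_IPS
            and pkt["ip.src"] in TARGET_IPS
            and pkt["tcp.dstport"] == 80)


def select_packets(packets, complete_streams=True):
    # Indices to export, in capture order. With complete_streams, every packet
    # sharing a 4-tuple with a hit is kept too (handshake, server replies from
    # port 80), mirroring what the default export option is described to do.
    hits = [i for i, p in enumerate(packets) if matches(p)]
    if not complete_streams:
        return hits
    keys = {stream_key(packets[i]) for i in hits}
    return [i for i, p in enumerate(packets) if stream_key(p) in keys]


def pkt(src, sport, dst, dport, proto):
    return {"ip.src": src, "tcp.srcport": sport, "ip.dst": dst,
            "tcp.dstport": dport, "_ws.col.Protocol": proto}


# Constructed sample capture (not real MACCDC data): one HTTP exchange between
# the two hosts plus unrelated traffic that must be dropped.
SAMPLE = [
    pkt("192.168.203.63", 51000, "192.168.229.101", 80, "TCP"),       # 0 SYN
    pkt("192.168.229.101", 80, "192.168.203.63", 51000, "TCP"),       # 1 SYN/ACK
    pkt("192.168.203.63", 51000, "192.168.229.101", 80, "HTTP"),      # 2 GET
    pkt("192.168.229.101", 80, "192.168.203.63", 51000, "HTTP"),      # 3 200 OK
    pkt("10.0.0.5", 40000, "192.168.229.101", 80, "HTTP"),            # 4 other client
    pkt("192.168.203.63", 52000, "192.168.229.101", 443, "TLSv1.2"),  # 5 not HTTP
]

if __name__ == "__main__":
    print(select_packets(SAMPLE, complete_streams=False))  # [2]
    print(select_packets(SAMPLE))                          # [0, 1, 2, 3]
```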
If you want to avoid the loading time of the packet captures, saving them as an investigation will let you reload them very quickly (in less than 6 seconds on an Intel® Core™ i7-12700H Processor using ~3.6GB of data on disk).
Click File > Investigation > Save investigation (or Ctrl+S) and select the folder you want to save your investigation to.
Note that the actual data of the investigation will still be located in the application temporary directory.
The investigation will then appear under the INVESTIGATIONS section of the start page as a clickable link.
To delete an investigation, tick its checkbox, click Delete and choose Delete investigation.
Disk space will automatically be reclaimed the next time the application loads.