Not sure what your packet capture really contains, and it is too big to open with Wireshark or other tools? Visualize it with Squey, isolate the packets or sessions of interest using arbitrarily complex criteria, and then export them to smaller PCAP file(s).
As an example, we will load the complete MACCDC 2012 PCAP dataset, composed of 17 files (~17GB), and export the HTTP communications between IPs 192.168.203.63 and 192.168.229.101 on port 80.
Click on the Pcap... button under the SOURCES section of the start page, then click on the Manage profiles button.
First, let's choose the packet fields we would like to use for our filtering. Almost all fields supported by Wireshark are available, but keep in mind that the more fields you choose, the slower the packet captures will load and the more RAM they will occupy.
Click New profile, enter the profile name of your choice, then click Select and browse to one of the PCAP files of the dataset.
For this example we chose the following fields:
frame.time, eth.dst, eth.src, ip.dst, ip.src, tcp.srcport, tcp.dstport
We also checked the Protocol field in the
Save your profile and load the packet capture using the newly created profile.
The packet captures should now be displayed using parallel coordinates with the fields you selected as columns.
In order to isolate this communication, we will successively apply 4 stages of filtering:
1. Right-click on the _ws.col.Protocol column header, select Distinct values, click on HTTP and close the dialog.
2. Right-click on the ip.src column header, select Search for..., paste the two IP addresses (192.168.203.63 and 192.168.229.101) and click
3. Repeat the same filtering operation on the ip.dst column header.
4. Right-click on the tcp.dstport column header, select Distinct values, click on 80 and close the dialog.
Now that the communication is properly isolated, it is time to export it back as a PCAP file.
Use Selection... and save the PCAP file wherever you want.
The application has just filtered the packets contained in the original PCAP files.
The default option Export complete TCP streams will also export the entire session a packet belongs to, so the exported file also contains the packets of those sessions that did not match your filters themselves (for example the TCP handshake, which Wireshark labels as TCP rather than HTTP).
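To make the 4 filtering stages and the Export complete TCP streams option concrete, here is an added Python example (not Squey's code, and not part of the original tutorial). It models packets as records carrying the same column names as the profile above, applies the four stages as successive predicates, and then shows how exporting complete TCP streams pulls back the rest of each matching session. The sample records, hosts and ports are constructed for the example; the stream-key logic (a direction-independent pair of endpoints) is the assumption made here about how a "complete TCP stream" is identified.

```python
# Constructed sample records, one per packet, using the same column names as the
# Squey profile in the tutorial (frame.time, ip.*, tcp.*, _ws.col.Protocol).
PACKETS = [
    # Session A: 192.168.203.63:49152 -> 192.168.229.101:80 (handshake, request, reply)
    {"frame.time": 1.0, "ip.src": "192.168.203.63", "ip.dst": "192.168.229.101",
     "tcp.srcport": 49152, "tcp.dstport": 80, "_ws.col.Protocol": "TCP"},   # SYN
    {"frame.time": 1.1, "ip.src": "192.168.229.101", "ip.dst": "192.168.203.63",
     "tcp.srcport": 80, "tcp.dstport": 49152, "_ws.col.Protocol": "TCP"},   # SYN/ACK
    {"frame.time": 1.2, "ip.src": "192.168.203.63", "ip.dst": "192.168.229.101",
     "tcp.srcport": 49152, "tcp.dstport": 80, "_ws.col.Protocol": "HTTP"},  # GET
    {"frame.time": 1.3, "ip.src": "192.168.229.101", "ip.dst": "192.168.203.63",
     "tcp.srcport": 80, "tcp.dstport": 49152, "_ws.col.Protocol": "HTTP"},  # 200 OK
    # Session B: HTTP between the same hosts but on port 8080 (dropped by stage 4)
    {"frame.time": 2.0, "ip.src": "192.168.203.63", "ip.dst": "192.168.229.101",
     "tcp.srcport": 49153, "tcp.dstport": 8080, "_ws.col.Protocol": "HTTP"},
    # Session C: HTTP on port 80 to an unrelated host (dropped by stage 3)
    {"frame.time": 3.0, "ip.src": "192.168.203.63", "ip.dst": "10.0.0.5",
     "tcp.srcport": 49154, "tcp.dstport": 80, "_ws.col.Protocol": "HTTP"},
    # Session D: SSH between the two hosts (dropped by stage 1)
    {"frame.time": 4.0, "ip.src": "192.168.229.101", "ip.dst": "192.168.203.63",
     "tcp.srcport": 55000, "tcp.dstport": 22, "_ws.col.Protocol": "SSH"},
]

HOSTS = {"192.168.203.63", "192.168.229.101"}

# The four filtering stages of the tutorial, as predicates over one record.
STAGES = [
    lambda p: p["_ws.col.Protocol"] == "HTTP",  # stage 1: Distinct values -> HTTP
    lambda p: p["ip.src"] in HOSTS,             # stage 2: Search for... on ip.src
    lambda p: p["ip.dst"] in HOSTS,             # stage 3: same search on ip.dst
    lambda p: p["tcp.dstport"] == 80,           # stage 4: Distinct values -> 80
]


def apply_stages(packets, stages=STAGES):
    """Successively narrow the packet list, one stage after the other."""
    selected = list(packets)
    for stage in stages:
        selected = [p for p in selected if stage(p)]
    return selected


def stream_key(p):
    """Direction-independent TCP stream key: both endpoints, sorted (assumption)."""
    a = (p["ip.src"], p["tcp.srcport"])
    b = (p["ip.dst"], p["tcp.dstport"])
    return tuple(sorted((a, b)))


def export(packets, selected, complete_tcp_streams=True):
    """Return the records that would land in the exported PCAP, in capture order.

    With complete_tcp_streams=True every packet of a stream that contains at least
    one selected packet is exported, mirroring the tutorial's default option.
    """
    if not complete_tcp_streams:
        chosen = {id(p) for p in selected}
        return [p for p in packets if id(p) in chosen]
    keys = {stream_key(p) for p in selected}
    return [p for p in packets if stream_key(p) in keys]


def demo(packets=PACKETS):
    """Run the four stages and both export modes; return the frame.time values kept."""
    selected = apply_stages(packets)
    return {
        "selected": [p["frame.time"] for p in selected],
        "exported_selection_only": [p["frame.time"] for p in export(packets, selected, False)],
        "exported_complete_streams": [p["frame.time"] for p in export(packets, selected, True)],
    }


if __name__ == "__main__":
    for name, times in demo().items():
        print(f"{name}: {times}")
```

Running it shows why the default option matters: stage 4 (tcp.dstport = 80) keeps only the client's GET (frame.time 1.2) and drops the server's reply, whose destination port is the client's ephemeral port, but exporting complete TCP streams brings back the handshake and the 200 OK (1.0 to 1.3), while sessions B, C and D stay out because none of their packets survived the filters.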
You can now open the exported PCAP with Wireshark or your favorite tools.
If you want to avoid the loading time of the packet captures, saving them as an investigation will let you reload them very quickly (in less than 6 seconds on an Intel® Core™ i7-12700H Processor, using ~3.6GB of data on disk).
Use Save investigation (or Ctrl+S) and select the folder you want to save your investigation to.
Note that the actual data of the investigation will still be located in the application temporary directory.
The investigation will then appear under the INVESTIGATIONS section of the start page as a clickable link.
To delete an investigation, tick its checkbox, click Delete and choose
Disk space will automatically be reclaimed the next time the application loads.