If you are an InfoSec professional who commonly deals with intrusion detection and response or malware analysis, a new site called PacketTotal may make your life easier. PacketTotal allows you to upload a PCAP (packet capture) file and have it automatically analyzed with the Bro IDS (now Zeek) and Suricata, so that you can see what those engines log and which signatures fire on the traffic in the capture.

For those who are unfamiliar with PCAP files, they are simply files that contain a packet-by-packet record of the network traffic that passed a particular capture point. That capture point could be a device or computer running an Intrusion Detection or Prevention System, or a packet sniffing tool such as Wireshark or tcpdump.

Once a PCAP file has been created, you can upload it to PacketTotal to analyze it for intrusions, file transfers, or other suspicious activity.

Analyzing a PCAP File with PacketTotal

The first step to using PacketTotal is to submit a PCAP file for analysis. In my test I used a PCAP from one of Brad Duncan's articles on Malware-Traffic-Analysis.net.

Submitting a file on PacketTotal

After you submit a PCAP file, PacketTotal will analyze it and you will be redirected to the Analysis Screen. From there you can view the details of what was discovered in the PCAP file as well as switch to the Timeline or Analytics section.

PacketTotal Analysis Screen

The Analysis section, shown in the Console tab, gives a detailed breakdown of what was detected in the uploaded PCAP file: malicious or suspicious activity, network connections, HTTP requests, transferred files, and unusual requests.

Malicious Activity Tab of the Analysis Section

As you can see from the above screen, PacketTotal detected network traffic that matches a signature for a network Trojan. In this capture that traffic is most likely the exploit kit being detected. Other sections let you see the HTTP requests and their responses, or download the files that were carved out of the network packets.

For those investigating intrusion incidents, being able to download the transferred files lets you recreate the payloads that infected a computer and learn more about what happened to the victim. Treat anything you download this way as live malware: save it to an isolated analysis machine, not to your own workstation.

The Timeline Section

The Timeline section allows you to see a timeline of the network activity contained within the PCAP file. This lets you follow, in chronological order, the network communications between the various hosts in the capture.

Timeline View

The Analytics Section

Finally, the Analytics section allows you to see various statistics regarding connections, HTTP requests, malicious activity, and transferred files. This section provides a great overview of what is contained in the PCAP file and allows you to drill down into detailed information by clicking on the various graphs.

Analytics Section

PacketTotal May Not Be Private Enough for the Enterprise

As you can see, for those who routinely need to analyze packet capture files, PacketTotal can make the job easier by providing an easy-to-use analysis tool. The big downside is that any PCAP file you upload becomes publicly available to every other user of the site. A capture from a production network typically carries internal IP addresses and hostnames, user names, and whatever cleartext the protocols in it carry (HTTP cookies and Authorization headers, for example), so uploading it can leak sensitive information.

One way to resolve this would be to allow people to register accounts that let them upload their PCAPs privately. Even with that feature, it may not be enough for companies that need to retain tight control over their network information; they are better served by running Bro and Suricata locally, or at the very least by reviewing and sanitizing a capture before it leaves the network.
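The two points above, what a PCAP file actually contains and what you should look for before letting one leave your network, are easiest to see by reading the format directly. The following is an added example written for this article, not PacketTotal's code or anything from Malware-Traffic-Analysis.net: it parses a classic libpcap file with the Python standard library only, lists the packets in chronological order (the kind of view the Timeline section gives you) and flags RFC 1918 addresses and cleartext HTTP credential headers that would be exposed by a public upload. The sample capture is constructed inline, and the header list in `SENSITIVE_HEADERS` is an assumed starting point rather than a complete list.

```python
"""Parse a classic libpcap file with only the standard library, list its packets in
chronological order (what PacketTotal's Timeline section shows) and flag content that
would leak if the capture were uploaded to a public site. Added example, not
PacketTotal's code; the sample capture and the sensitive-header list are constructed."""
import re
import struct
from ipaddress import ip_address, ip_network

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Cleartext HTTP headers that carry credentials or session tokens (assumed, not exhaustive)
SENSITIVE_HEADERS = re.compile(rb"^(Authorization|Proxy-Authorization|Cookie|Set-Cookie):", re.I | re.M)


def _ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over a header whose checksum field is zero."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build an Ethernet/IPv4/TCP frame for the constructed sample (TCP checksum left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    ip = ip[:10] + struct.pack("!H", _ipv4_checksum(ip)) + ip[12:]
    eth = b"\x02" * 6 + b"\x02" * 5 + b"\x01" + b"\x08\x00"   # dst MAC, src MAC, EtherType IPv4
    return eth + ip + tcp + payload


def build_pcap(records) -> bytes:
    """Serialise (ts_sec, ts_usec, frame) tuples into a little-endian pcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for sec, usec, frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def parse_pcap(data: bytes):
    """Yield (timestamp, src, dst, proto, sport, dport, payload) for each IPv4 packet."""
    magic = struct.unpack("<I", data[:4])[0]
    end = "<" if magic == PCAP_MAGIC else ">" if magic == 0xD4C3B2A1 else None
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                    # ARP, IPv6 or truncated frame: skipped here
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src, dst = str(ip_address(frame[26:30])), str(ip_address(frame[30:34]))
        l4 = frame[14 + ihl:]
        sport = dport = None
        payload = l4
        if proto == 6 and len(l4) >= 20:        # TCP: header length from the data offset
            sport, dport = struct.unpack("!HH", l4[:4])
            payload = l4[(l4[12] >> 4) * 4:]
        elif proto == 17 and len(l4) >= 8:      # UDP: fixed 8-byte header
            sport, dport = struct.unpack("!HH", l4[:4])
            payload = l4[8:]
        yield sec + usec / 1e6, src, dst, proto, sport, dport, payload


def timeline(data: bytes):
    """Packets in chronological order, one line each, like the Timeline view."""
    rows = sorted(parse_pcap(data), key=lambda r: r[0])
    return [f"{ts:.6f} {s}:{sp} -> {d}:{dp} proto={p}" for ts, s, d, p, sp, dp, _ in rows]


def upload_risks(data: bytes):
    """Reasons this capture should not be uploaded to a public analysis site as-is."""
    risks = set()
    for _ts, src, dst, _p, _sp, _dp, payload in parse_pcap(data):
        for ip in (src, dst):
            if any(ip_address(ip) in net for net in RFC1918):
                risks.add(f"internal address {ip}")
        for m in SENSITIVE_HEADERS.finditer(payload):
            risks.add(f"cleartext {m.group(1).decode()} header {src}->{dst}")
    return sorted(risks)


# Constructed sample: an internal host fetches a binary from a documentation-range
# server with a session cookie in the clear; records are deliberately out of order.
SAMPLE_PCAP = build_pcap([
    (1500000000, 100, build_packet("10.0.0.5", "203.0.113.10", 49152, 80,
        b"GET /gate.php HTTP/1.1\r\nHost: 203.0.113.10\r\nCookie: session=abc123\r\n\r\n")),
    (1500000000, 50, build_packet("10.0.0.5", "10.0.0.1", 49153, 8080, b"")),
    (1500000001, 0, build_packet("203.0.113.10", "10.0.0.5", 80, 49152,
        b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ\x90\x00")),
])
```

Running `timeline(SAMPLE_PCAP)` returns the three packets ordered by timestamp rather than by file position, and `upload_risks(SAMPLE_PCAP)` reports the two internal addresses and the cleartext Cookie header. Against a real capture, replace `SAMPLE_PCAP` with the bytes of the file; a non-empty risk list is the signal to anonymize addresses and strip credentials, or to keep the analysis in a local Bro and Suricata instance, before anything is uploaded.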