Web based packet analyzer that will aim an automated analyzer for the uploaded pcap files. The aim will be the open alternative for http://netwitness.com/products-services/investigator. The first fulfillments will include visualization of the analyzed traffic, application level information information display and the plugin support for the malware and anomalies.
A web based pcap analyzer will be created. The analyzer will extract application level information from pcap files, visualize them and display them at the web interface. After uploading the files, packet protocols will be detected, analyzed and the information is saved. Time Line visualiation will display the protocols in the pcap file. When the protocol is clicked, a new page will display more information related with the protocol. For an application level protocol like HTTP, this information will be attached files, whether there have malicious codes or not, if the return answer is an html file then the response headers and the body, etc. At this page, treemaps and parallel coordinates will be used to give detail information about packet bytes and port numbers.
A general scatter plot visualization will be used the to display the distribution of the protocols uploaded till that time.
Yara will be used to analyze binary files. Some external js analyzers will be used to analyze the files at the html files.
The site will have modular approach so that other analyzer will be be able to be plugged in in the following days. Same is valid also for protocol detection. At the beginning, it is planned to use the Bro as protocol detection. For the unknown or undetected protocols, detectors will be written to Bro or one may write its own protocol detection.
The site will have a CLI also, but at the first site it will be a Django based application. Anyone will be able to download and run at the local machine.
|File name||Size||Date submitted|
|Oguz_Yarimtepe.tar.gz||77.0 MB||August 26 2012 11:05 UTC|