This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Analyzing Large PCAP files (46GB) in Wireshark?


Hello all,

I am currently at University in the UK and I have been given a large pcap file that has been capturing traffic from a network over the course of three days; the file was separated into 306 smaller files when I was given it.

Basically I have been asked to analyse this pcap file and report upon my findings. I have been asked to produce the following:

  • A Timeline of actions and events
  • A List of nodes (Internal and External)
  • A Traffic Follow Analysis
  • Anything else that I believe I need.

I have been asked to create two reports on my findings. I have read several books surrounding the area of analyzing a pcap file in Wireshark, but still feel incompetent in doing so; we have not been given any guidance on using Wireshark, and have not been told any specifics on what we should be looking for.

Would anyone be able to provide any assistance on where I should start my 'investigation', any helpful hints and tips that would aid me in completing the task I have been set? I don't want any answers, and am willing to put the work in; just guidance on where to start and maybe what to look for.

Any help provided would be greatly appreciated.

Regards.

asked 16 Mar '16, 13:00


RaffertyLewis

edited 16 Mar '16, 13:05


grahamb ♦


I'd recommend taking one of the files, opening it in Wireshark, and starting to get familiar with the tools in the Statistics and Analyze menus. As you said, you've read the books and they don't tell you where to start, so maybe hands-on experience will be a better entry point.

But your last point sounds puzzling: "anything else I believe I need". For what should you need that anything? I.e. does the submission give you a particular issue to look for, or is it an exercise in general network health assessment?

(16 Mar '16, 13:50) sindy

If you really want to do this with Wireshark alone, you should learn tshark. A good freeware add-on is https://www.tracewrangler.com/, but you have to split your file into 2GB pieces. Or you can look here: https://ask.wireshark.org/questions/50840/packet-analyzer-pe-value-for-wireshark-users

(16 Mar '16, 14:12) Christian_R

Sindy, thank you. I have had a decent go using Wireshark, looking at the Statistics and Analyze menus; I think that is the way to go. But yeah, I agree the assignment brief was puzzling: it doesn't really state what would class as "anything else", nor have we been given an issue to look for, so when looking at a file that is 46GB it's very daunting.

Christian_R, thank you also. I am looking at the PA-PE now, and going to download it and see where that takes me. At the moment I have the files in smaller folders of about 3GB to reduce loading times etc.

From what I have been told as of late, it sounds like command line tools, such as tshark and tcpdump, might be the way forward.

Thank you both for your help.

(17 Mar '16, 02:20) RaffertyLewis

TraceWrangler can give you endpoint and conversation statistics ("Communication Details" in the "Tools" menu) for that amount of data, if you split it into 2GB files and add them all to the file list. PA-PE is a very tool for your kind of task as well.

(17 Mar '16, 03:28) Jasper ♦♦

For the 306 original files you have, I'd probably just do a few -z commands in Tshark. Especially if those files have a naming convention that you can write into a "FOR" loop in a quick shell script, something like "tshark -qnr $file -z conv,tcp" would output all TCP sessions between all IP endpoints, all byte counts in either direction, across each time interval. That would cross off much of your list right there as a one-liner.

(17 Mar '16, 20:40) Quadratic
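As an added example (not code from anyone in this thread), the per-file loop Quadratic describes, but pulling fields with `tshark -T fields` instead of `-z conv,tcp` so the output is tab-separated and unambiguous to parse; it builds a conversation summary with first/last-seen times for the timeline and splits the addresses into internal and external nodes. The `tshark` invocation, the directory of split capture files and the embedded sample rows are assumptions.

```python
import ipaddress, subprocess, sys
from pathlib import Path

# Fields requested from tshark; -T fields prints them tab-separated, one packet per line.
FIELDS = ["frame.time_epoch", "ip.src", "ip.dst", "frame.len"]
# Constructed sample of that output (three IPv4 frames, one non-IP frame) for offline runs.
SAMPLE = ("1458129600.000000\t192.168.1.10\t93.184.216.34\t74\n"
          "1458129600.050000\t93.184.216.34\t192.168.1.10\t1514\n"
          "1458129601.000000\t192.168.1.10\t192.168.1.1\t86\n"
          "1458129602.000000\t\t\t60\n")

def tshark_rows(pcap):
    """Run tshark on one capture file and return tab-separated rows for its IPv4 frames (-Y ip)."""
    cmd = ["tshark", "-n", "-r", str(pcap), "-Y", "ip", "-T", "fields"] + [a for f in FIELDS for a in ("-e", f)]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

def summarize(rows_text, summary=None):
    """Aggregate rows per conversation, keyed by the sorted (ip, ip) pair so both directions share one bucket."""
    summary = {} if summary is None else summary  # pass the same dict for every file
    for line in rows_text.splitlines():
        cols = line.split("\t")
        if len(cols) != len(FIELDS) or not cols[1] or not cols[2]:
            continue  # non-IP or malformed row
        # A frame carrying two IP headers (e.g. an ICMP error) lists both, comma-separated; keep the outer one.
        src, dst = cols[1].split(",")[0], cols[2].split(",")[0]
        ts, length = float(cols[0]), int(cols[3])
        s = summary.setdefault(tuple(sorted((src, dst))), {"frames": 0, "bytes": 0, "first": ts, "last": ts})
        s["frames"] += 1
        s["bytes"] += length
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
    return summary

def node_list(summary):
    """Split every address seen into internal (RFC 1918 and other private ranges) and external."""
    internal, external = set(), set()
    for ip in {ip for pair in summary for ip in pair}:
        (internal if ipaddress.ip_address(ip).is_private else external).add(ip)
    return sorted(internal), sorted(external)

if __name__ == "__main__":
    # With a directory argument, walk the split capture files (e.g. the 306 pieces); otherwise use SAMPLE.
    pcaps = sorted(Path(sys.argv[1]).glob("*.pcap*")) if len(sys.argv) > 1 else []
    summary = summarize(SAMPLE) if not pcaps else {}
    for pcap in pcaps:
        summarize(tshark_rows(pcap), summary)
    internal, external = node_list(summary)
    print(f"{len(internal)} internal nodes, {len(external)} external nodes")
    for (a, b), s in sorted(summary.items(), key=lambda kv: kv[1]["bytes"], reverse=True):
        print(f"{a} <-> {b}: {s['frames']} frames, {s['bytes']} bytes, {s['last'] - s['first']:.3f}s")
```

Sorting the summary by `first` instead of `bytes` gives the raw material for the timeline; the same dict can be pickled between runs so the 46GB does not have to be re-read to change the report.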