Parsing a PCAP file using Antfarm:
For your PCAP file:
1. Save your PCAP file as a text file (this will be further referred to as <pcap filename>)
NOTE: Your customized script will be automatically saved in the following location:
When you run the following command at the prompt ($):
you will see the name of your customized script under "custom".
Run Antfarm pcap script on your pcap file (do not include brackets in filenames unless they are a part of the filename):
2. Run the following command at the prompt: $ antfarm -e <environment name> custom <PCAP script filename> <PCAP text file>
3. For Antfarm version 0.3.0, the parse-pcap-file requires that network entries already exist in the database for BOTH the source IP and destination IP for any record in the pcap file or it will quietly ignore the record. For the newer version of Antfarm, if you use the --create-new-networks flag, it will create the network entry for any new IPs.
For use on a single PCAP file, use:
$ antfarm -e <environment name> custom <PCAP script> --create-new-networks <PCAP text file>
For use on a whole directory of PCAP files, use:
$ antfarm -e <environment name> custom <PCAP script> --create-new-newtorks <PCAP directory name/>
At this point, you have parsed your pcap file (<PCAP text file>)using a custom PCAP script in Antfarm (<PCAP script filename>) and the parsed information is saved in your environment (<environment name>).
You can view the output on Antfarm by running the following command (4. For traffic view, 5. For network view):
4. $ antfarm -e <environment name> viz display-traffic 5. $ antfarm -e <environment name> viz display-networks
When displaying the traffic flow from a larger PCAP file, the visual becomes harder to read on the screen. Luckily there is an option that will help minimize this. The "collapse-ports" option allows you to only include one node for each port number discovered in the PCAP file.
6. $ antfarm -e <environment name> viz display-traffic --collapse-ports
The latest version of Antfarm the display is static, using the command above. If you wish to see an animated version of the display, use the following command (using display networks as an example):
7. $ antfarm viz display-networks --active
Sometimes, the PCAP files that are produced are much too large, use the following command to downsize the PCAP file to a more reasonable size (through the number of packets):
8. $ editcap -r <Original PCAP Filename> <New PCAP Filename> <range of packets>
Example: $ editcap -r Old_PCAP_File New_PCAP_File 5001-7200 This example only takes packet numbers 5001-7200 from the old PCAP file and puts them in the new PCAP file.
Sample PCAP scriptLast modified on 11 May 2010, at 00:40