Need Help? 🤔
Having trouble understanding the data? Below is a list detailing each data point.
General Help
- Upload Size: As of now, the upload size is limited to 50MB.
- Deletion: All PCAP files are deleted immediately after analysis, and any remaining data is automatically erased one hour after upload.
- Public Accessibility: Any uploaded data will be publicly accessible for up to one hour, so do not upload captures containing credentials, session cookies or other data you cannot share.
Summary Page
File Information Section:
- File Name: This shows the name of the file uploaded for analysis.
- File Size: This indicates the size of the file in megabytes (MB).
- Total Packets: This represents the total number of network packets contained in the file.
- Upload: This shows the date and time when the file was uploaded to the website for processing.
- Start: This is the timestamp when the packet capture (PCAP) recording began.
- Finish: This shows the timestamp when the packet capture (PCAP) recording ended.
- Time Span: This calculates and displays the time difference between the start and finish of the network capture.
- MD5: This is the MD5 hash of the file, computed from its contents. Compare it with a local digest (for example, md5sum file.pcap) to confirm that the file analysed is the one you uploaded. MD5 is no longer collision-resistant, so treat it as an identifier and transfer check, not as protection against deliberate tampering.
Packet Structure Stats Charts/Tables:
- Top Internet Protocol (IP) Versions: This chart shows which IP versions are being used the most in the captured data, like how much traffic is using IPv4 versus IPv6.
- Top Transport Layer Protocols (L4): This chart shows the most common transport protocols (such as TCP or UDP) used to carry data between devices, giving a view of how traffic is moving across the network.
- Top Application Layer Protocols (L7): This chart shows which application protocols are being used the most, such as HTTP or FTP. It helps you see what types of services are being accessed.
- Top Transport Layer Ports (L4): This chart shows the most used transport ports in the data, which helps you map traffic to the services conventionally found on those ports, such as FTP on port 21. A port number is only a hint: any service can listen on any port.
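To show how the File Information fields and the packet-structure charts above are derived from the raw bytes of a capture, here is an added example (not the site's own code) that builds a small constructed pcap in memory and computes each data point: packet count, file size, MD5, start, finish and time span, and the IPv4/IPv6, transport-protocol and port counts. It reads only the classic libpcap format with Ethernet framing; pcapng, VLAN tags and IPv6 extension headers are outside its scope, and the sample addresses, ports and timestamps are made up.

```python
import hashlib
import struct
from collections import Counter
from datetime import datetime, timezone

# IANA protocol numbers for the transport-layer names used in the chart.
IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 58: "ICMPv6"}


def build_pcap(packets):
    """Serialise (ts_sec, ts_usec, frame) tuples as a classic little-endian pcap (link type 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", s, us, len(f), len(f)) + f for s, us, f in packets)
    return header + records


def ipv4_frame(src, dst, proto, payload):
    """Ethernet header (zeroed MACs) + minimal 20-byte IPv4 header + payload; checksum left as 0."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return eth + ip + payload


def tcp_header(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)  # SYN, no options


def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


# Constructed sample capture: an FTP SYN and its reply, an ARP broadcast, and a DNS query.
SAMPLE_PCAP = build_pcap([
    (1700000000, 0,      ipv4_frame("10.0.0.5", "10.0.0.9", 6, tcp_header(43958, 21))),
    (1700000000, 250000, ipv4_frame("10.0.0.9", "10.0.0.5", 6, tcp_header(21, 43958))),
    (1700000001, 0,      b"\xff" * 6 + bytes(6) + b"\x08\x06" + bytes(28)),
    (1700000001, 500000, ipv4_frame("10.0.0.5", "10.0.0.1", 17, udp_header(53123, 53, 12) + bytes(12))),
])


def analyse(pcap_bytes):
    """Return the file-information and packet-structure data points for a classic pcap."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    divisor = 1e9 if magic in (0xA1B23C4D, 0x4D3CB2A1) else 1e6  # nanosecond vs microsecond magic
    linktype = struct.unpack(endian + "I", pcap_bytes[20:24])[0]
    if linktype != 1:
        raise ValueError("only Ethernet (link type 1) is handled here")
    stats = {"file_size_bytes": len(pcap_bytes), "md5": hashlib.md5(pcap_bytes).hexdigest(),
             "total_packets": 0, "ip_versions": Counter(), "l4": Counter(), "ports": Counter()}
    first = last = None
    off = 24
    while off + 16 <= len(pcap_bytes):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet record at offset %d" % off)
        off += incl_len
        stats["total_packets"] += 1
        ts = ts_sec + ts_frac / divisor
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
        if len(frame) < 14:
            stats["ip_versions"]["non-IP"] += 1
            continue
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == 0x0800 and len(frame) >= 34:
            stats["ip_versions"]["IPv4"] += 1
            proto, l4 = frame[23], frame[14 + (frame[14] & 0x0F) * 4:]  # honour the IHL field
        elif ethertype == 0x86DD and len(frame) >= 54:
            stats["ip_versions"]["IPv6"] += 1
            proto, l4 = frame[20], frame[54:]  # Next Header; extension headers are not walked
        else:
            stats["ip_versions"]["non-IP"] += 1  # ARP, VLAN-tagged frames, etc.
            continue
        name = IP_PROTO_NAMES.get(proto, "proto-%d" % proto)
        stats["l4"][name] += 1
        if proto in (6, 17) and len(l4) >= 4:
            sport, dport = struct.unpack("!HH", l4[:4])
            stats["ports"]["%s/%d" % (name, sport)] += 1
            stats["ports"]["%s/%d" % (name, dport)] += 1
    stats["start_ts"], stats["finish_ts"] = first, last
    stats["time_span_seconds"] = (last - first) if first is not None else 0.0
    return stats


if __name__ == "__main__":
    s = analyse(SAMPLE_PCAP)
    fmt = lambda t: datetime.fromtimestamp(t, tz=timezone.utc).isoformat() if t is not None else "N/A"
    print("Packets:", s["total_packets"], " Size:", s["file_size_bytes"], "bytes  MD5:", s["md5"])
    print("Start:", fmt(s["start_ts"]), " Finish:", fmt(s["finish_ts"]), " Span:", s["time_span_seconds"], "s")
    for chart in ("ip_versions", "l4", "ports"):
        print(chart, s[chart].most_common(5))
```

Each port is counted once as a source and once as a destination, so a single TCP exchange raises both TCP/21 and TCP/43958; that is why the port chart is best read alongside the conversation tables rather than as a count of connections.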
Timing Stats
- Network Traffic Over Time: Bytes & Packets: This chart shows how the number of bytes and packets changes over time, giving you an idea of how busy the network was during the capture. The capture's time span is divided into 15 equal-width time buckets.
- TCP Min Conversation Duration: The shortest time a TCP conversation lasted. A conversation is the set of packets exchanged, in both directions, between one pair of IP address and port endpoints, and its duration runs from its first packet to its last. The minimum highlights the quickest TCP exchanges between devices.
- TCP Avg Conversation Duration: This shows the average time of all TCP conversations. It gives you a general idea of how long data transfers took on average using TCP.
- TCP Max Conversation Duration: This is the longest time a TCP conversation lasted. It highlights the slowest or most delayed data transfers using TCP.
- UDP Min Conversation Duration: This shows the shortest duration for a UDP conversation. However, if there's no data for this, it’s marked as N/A (Not Available) because there were no UDP conversations in the capture.
- UDP Avg Conversation Duration: This shows the average duration for all UDP conversations. Just like with TCP, if no UDP data is available, it’ll be listed as N/A.
- UDP Max Conversation Duration: This is the longest time a UDP conversation lasted. If there are no UDP conversations in the capture, it’ll be marked as N/A.
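The conversation-duration and traffic-over-time values above can be reproduced from a list of decoded packets. The example below is added here and is not the site's code; it works on a constructed list of (timestamp, protocol, source, destination, length) records, treats a conversation as the packets in both directions between one pair of IP:port endpoints, reports N/A when a protocol has no conversations, and splits the time span into 15 equal-width buckets.

```python
from collections import defaultdict

# Constructed packet records: (timestamp_s, l4_proto, src_ip, src_port, dst_ip, dst_port, frame_bytes).
# An FTP control conversation, a DNS query/response and a lone HTTP SYN, spanning 15 seconds in total.
PACKETS = [
    (100.0, "TCP", "10.0.0.5", 43958, "10.0.0.9", 21, 74),
    (100.2, "TCP", "10.0.0.9", 21, "10.0.0.5", 43958, 74),
    (101.0, "UDP", "10.0.0.5", 53123, "10.0.0.1", 53, 70),
    (101.5, "UDP", "10.0.0.1", 53, "10.0.0.5", 53123, 150),
    (103.0, "TCP", "10.0.0.5", 43958, "10.0.0.9", 21, 66),
    (115.0, "TCP", "10.0.0.5", 50000, "10.0.0.9", 80, 74),
]


def conversation_key(proto, a_ip, a_port, b_ip, b_port):
    """Direction-independent key so both halves of a flow count as one conversation."""
    return (proto,) + tuple(sorted([(a_ip, a_port), (b_ip, b_port)]))


def conversation_durations(packets):
    """Map each transport protocol to the list of its conversations' first-to-last-packet durations."""
    spans = {}
    for ts, proto, sip, sp, dip, dp, _length in packets:
        key = conversation_key(proto, sip, sp, dip, dp)
        first, last = spans.get(key, (ts, ts))
        spans[key] = (min(first, ts), max(last, ts))
    per_proto = defaultdict(list)
    for key, (first, last) in spans.items():
        per_proto[key[0]].append(last - first)
    return per_proto


def duration_stats(durations):
    """Min/avg/max in seconds, or N/A when the protocol has no conversations at all."""
    if not durations:
        return {"min": "N/A", "avg": "N/A", "max": "N/A"}
    return {"min": min(durations), "avg": sum(durations) / len(durations), "max": max(durations)}


def traffic_over_time(packets, buckets=15):
    """Split the capture's time span into equal-width buckets and total bytes and packets per bucket."""
    start = min(p[0] for p in packets)
    finish = max(p[0] for p in packets)
    width = (finish - start) / buckets or 1.0  # single-timestamp capture: everything lands in bucket 0
    bytes_per = [0] * buckets
    packets_per = [0] * buckets
    for ts, *_, length in packets:
        index = min(int((ts - start) / width), buckets - 1)  # the finish timestamp belongs to the last bucket
        bytes_per[index] += length
        packets_per[index] += 1
    return bytes_per, packets_per


if __name__ == "__main__":
    by_proto = conversation_durations(PACKETS)
    for proto in ("TCP", "UDP"):
        print(proto, duration_stats(by_proto.get(proto, [])))
    bytes_per, packets_per = traffic_over_time(PACKETS)
    print("bytes per bucket:  ", bytes_per)
    print("packets per bucket:", packets_per)
```

A conversation seen in only one packet (the lone SYN to port 80 here) has a duration of zero, which is what drags the TCP minimum down in most real captures; a very small minimum is therefore normal and not by itself a sign of anything fast or unusual.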
Security Page
Snort Rule Violation Summary
- Most Suspicious Source IP: The source IP address and port that appear most often in the Snort alerts. In the example shown, 10.10.30.26:43958 is the endpoint that sent the most traffic matching a rule.
- Most Suspicious Destination IP: The destination IP address and port that appear most often in the Snort alerts. In the example, 129.21.171.72:21 is the targeted endpoint; port 21 is conventionally FTP.
- Top Snort Rule Violated: The Snort rule that fired most often during the capture, written as generator ID:signature ID:revision. In the example, 1:553:7 means generator 1 (the main rules engine), signature 553, revision 7; look the signature ID up in the ruleset to read the rule text and the condition it matches.
- Snort Priority 1 Violation Counts: This shows the number of violations detected with Snort's highest priority (priority 1), which typically indicates severe security threats. In this case, there were 0 priority 1 violations.
- Snort Priority 2 Violation Counts: This shows the number of violations with medium severity (priority 2). These violations are notable but may not pose an immediate threat. Here, there were 0 priority 2 violations.
- Snort Priority 3 Violation Counts: This counts the number of violations with the lowest priority (priority 3). These are typically less critical issues but still noteworthy. In this case, there was 1 priority 3 violation detected.
Packets Caught by Snort Rules
- Packets Caught by Snort Rules (Table): This table displays all the packets identified by Snort, including priority, packet date and time, the rule ID triggered (GID:SID:rev), message, classification, protocol, and the source/destination IP addresses and ports. PCAPs are scanned with Snort (v2.9.15.1) using the Community Ruleset (snort3-community-rules.tar.gz). The community ruleset is a subset of the full Snort rules, so a capture with no alerts is not necessarily clean.
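As an added example (not the site's code), the following parses Snort's alert_fast output format and produces the summary fields described above: most frequent source and destination endpoints, top GID:SID:rev, and per-priority counts. The alert lines are constructed; the 1:553:7 identifier and the 10.10.30.26 -> 129.21.171.72:21 endpoints echo the page's example, but the rule messages, classifications and the other signature IDs are invented. Ranking "most suspicious" by alert count is an assumption about how the site computes those fields.

```python
import re
from collections import Counter

# Constructed alert_fast-style lines. The 1:553:7 rule and the 10.10.30.26 -> 129.21.171.72:21 endpoints
# echo the page's example; the messages, classifications and the 1000001/1000002 SIDs are made up.
SAMPLE_ALERTS = """\
01/28-22:26:04.877970  [**] [1:553:7] FTP policy rule hit (constructed message) [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.10.30.26:43958 -> 129.21.171.72:21
01/28-22:26:05.102310  [**] [1:553:7] FTP policy rule hit (constructed message) [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.10.30.26:43958 -> 129.21.171.72:21
01/28-22:26:09.550001  [**] [1:1000001:1] Local rule, high priority (constructed) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.10.30.40:51000 -> 129.21.171.72:22
01/28-22:26:11.000000  [**] [1:1000002:1] Local rule, ICMP (constructed) [**] [Priority: 3] {ICMP} 10.10.30.26 -> 129.21.171.72
not an alert line; the parser must skip it rather than crash
"""

# One alert per line: timestamp, [gid:sid:rev], message, optional classification, priority, {proto}, src -> dst.
# Ports are absent for ICMP; IPv6 literals (unbracketed in this format) would need a different split.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]+)\])?"
    r"\s+\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if the line is not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    a = m.groupdict()
    a["priority"] = int(a.pop("prio"))
    a["rule"] = "%s:%s:%s" % (a["gid"], a["sid"], a["rev"])
    a["src_ep"] = a["src"] + (":" + a["sport"] if a["sport"] else "")
    a["dst_ep"] = a["dst"] + (":" + a["dport"] if a["dport"] else "")
    return a


def summarize(alert_text):
    """Build the Snort Rule Violation Summary; 'most suspicious' is taken to mean 'most alerts' (an assumption)."""
    lines = [line for line in alert_text.splitlines() if line.strip()]
    alerts = [a for a in map(parse_alert, lines) if a]

    def top(counter):
        return counter.most_common(1)[0][0] if counter else "N/A"

    priorities = Counter(a["priority"] for a in alerts)
    return {
        "most_suspicious_src": top(Counter(a["src_ep"] for a in alerts)),
        "most_suspicious_dst": top(Counter(a["dst_ep"] for a in alerts)),
        "top_rule": top(Counter(a["rule"] for a in alerts)),
        "priority_counts": {p: priorities.get(p, 0) for p in (1, 2, 3)},
        "alerts_parsed": len(alerts),
        "lines_skipped": len(lines) - len(alerts),
    }


if __name__ == "__main__":
    for field, value in summarize(SAMPLE_ALERTS).items():
        print("%-20s %s" % (field, value))
```

The priority in each line comes from the rule's classtype (or an explicit priority keyword), so two rules with the same message can carry different priorities across ruleset revisions; counting by the numeric priority field rather than by message keeps the three counters consistent with what Snort actually emitted.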
Addresses Page
Maps
- Top 100 IP Addresses (Map): This map displays the top 100 public IP addresses found within the packet capture file. Nearby points are grouped together and can be expanded by clicking on the circles. The location data is gathered via ipinfo.io; private and other non-routable addresses (such as 10.0.0.0/8 or 192.168.0.0/16) have no location and do not appear on the map.
- Top 100 IP Conversations (Map): This map displays the top 100 public IP conversations (IP-to-IP flows) found within the packet capture file. Nearby points are grouped together and can be expanded by clicking on the circles. The location data is gathered via ipinfo.io.
Tables
- Top 100 IP Addresses: This table displays the top 100 IP addresses found within the PCAP file. It includes the IP's organization, location, the number of times the IP address appears in the file (Count), and its percentage of the total captured traffic. The location data is gathered via ipinfo.io.
- Top 100 MAC Addresses: This table displays the top 100 MAC addresses found within the PCAP file. It includes the MAC address, the Organizationally Unique Identifier (OUI) if resolved, the number of times the MAC address appears in the file (Count), and its percentage of the total captured traffic.