Jump to content

ANTFARM/PCAP

From Wikibooks, open books for an open world

Parsing a PCAP file using Antfarm:

For your PCAP file:

    1. Save your PCAP file as a text file (this will be further referred to as <pcap filename>)

NOTE: Your customized script will be automatically saved in the following location:

    .antfarm/scripts

When you run the following command at the prompt ($):

    $ antfarm

you will see the name of your customized script under "custom".

Run Antfarm pcap script on your pcap file (do not include brackets in filenames unless they are a part of the filename):

    2. Run the following command at the prompt:
    $ antfarm -e <environment name> custom <PCAP script filename> <PCAP text file>
    3. For Antfarm version 0.3.0, the parse-pcap-file requires that network entries already exist in the database
       for BOTH the source IP and destination IP for any record in the pcap file or it will quietly ignore the record.
       For the newer version of Antfarm, if you use the—create-new-networks flag, it will create the network entry for 
       any new IPs.

For use on a single PCAP file, use:

    $ antfarm -e <environment name> custom <PCAP script> --create-new-networks <PCAP text file>

For use on a whole directory of PCAP files, use:

    $ antfarm -e <environment name> custom <PCAP script> --create-new-newtorks <PCAP directory name/>

At this point, you have parsed your pcap file (<PCAP text file>)using a custom PCAP script in Antfarm (<PCAP script filename>) and the parsed information is saved in your environment (<environment name>).

You can view the output on Antfarm by running the following command (4. For traffic view, 5. For network view):

    4. $ antfarm -e <environment name> viz display-traffic
    5. $ antfarm -e <environment name> viz display-networks

When displaying the traffic flow from a larger PCAP file, the visual becomes harder to read on the screen. Luckily there is an option that will help minimize this. The "collapse-ports" option allows you to only include one node for each port number discovered in the PCAP file.

    6. $ antfarm -e <environment name> viz display-traffic—collapse-ports

The latest version of Antfarm the display is static, using the command above. If you wish to see an animated version of the display, use the following command (using display networks as an example):

    7. $ antfarm viz display-networks—active

Sometimes, the PCAP files that are produced are much too large, use the following command to downsize the PCAP file to a more reasonable size (through the number of packets):

    8. $ editcap -r <Original PCAP Filename> <New PCAP Filename> <range of packets>
    Example:
    $ editcap -r Old_PCAP_File New_PCAP_File 5001-7200
    This example only takes packet numbers 5001-7200 from the old PCAP file and puts them in the new PCAP file.

Sample PCAP script