Packet-capture (PCAP) files contain a complete copy of live network traffic and are essential for cybersecurity and network operations analysis. Unfortunately, PCAP datasets consume large amounts of storage, are technically complex, and are notoriously difficult to mine at scale. CISOs often overlook the packet-capture capability, considering it a “nice-thing-to-have that we cannot afford.”
About the Author
Chief Technology Officer, Dynamite Analytics
Jamin is the original creator of PacketTotal.com (acquired by Dynamite), the largest public PCAP analytic service in the world. He also leads development of the Dynamite platform, including commercial Dynamite Agent and open-source DynamiteNSM.
The PCAP Challenge
Many security organizations struggle to quantify the value of full packet capture and justify the PCAP technology investment. While storing PCAP data may seem like a good idea, its practical benefit largely depends on the cybersecurity team, process, and technology. There are a few items to consider:
- Without the right tools, PCAPs are difficult to make use of, but they provide vital context for network threat indicators. For instance, a security alert with a short description may trigger an investigation, but the underlying PCAP can fill in the blanks.
- Full packet capture is generally resource-intensive and requires massive storage. Network engineers must account for performance implications of duplicating traffic and plan ahead for data retention requirements.
- Gaining insights from PCAP files requires deep technical knowledge and time. The SecOps process should define the applicable use cases for PCAP analysis. For instance, malware research, forensic investigations, and incident response each have their own requirements and nuances.
Welcome to PacketTotal
Since 2017, PacketTotal has been serving the international community of cybersecurity professionals as an online platform for research and public exchange of diverse network data samples. Thousands of cyber analysts and network operators use PacketTotal each month and contribute to its constantly growing PCAP repository.
PacketTotal provides several key benefits:
- Ease of use – PacketTotal is an online service engineered to lower the learning curve of PCAP analysis. The application is designed to navigate a massive repository of PCAP files, starting with a high-level view and following with a deep-dive into packet-capture details.
- Advanced analytic features – PacketTotal builds upon Zeek and Suricata open-source technologies for network traffic analysis, dynamically enriching them with threat intelligence indicators. PacketTotal users upload their PCAP files and immediately see a detailed view of network connections, suspicious traffic, protocol conversations, network artifacts, malware detections, geo-locations, and much more.
- A vast PCAP repository – PacketTotal has become a public platform for research and exchange of network traffic samples with over 100,000 PCAP files in its repository. The application provides advanced PCAP search capabilities, including “Similar PCAP” heuristics and an API for programmatic data access.
Notable PacketTotal Features
The PacketTotal console provides a simple interface for exploring network PCAP files. Pivot between protocols, download artifacts, and gain insight into malicious traffic found within packet captures. Use the Similar Packet Captures tab to find other PCAPs with similar attributes.
About Dynamite Analytics
Dynamite Analytics is a cybersecurity company headquartered in Atlanta, GA, focused on Network Detection and Response (NDR). Dynamite equips cyber and network operators with a deep understanding of the network environment, allowing them to quickly identify and mitigate problems and threats. The company has won multiple federal R&D awards pertaining to network traffic analysis. In addition to PacketTotal, Dynamite is the creator of the open-source Network Security Monitor DynamiteNSM as well as the commercial network sensor Dynamite Agent.