Finding a Needle in a PCAP
It can be difficult to find what you are looking for in a large PCAP repository, even when you know what to look for and where to look. When traffic captures start to enter multi-gigabyte sizes, the number of tools that can even begin processing these files is limited. SiLK and other flow analysis tools provide the tools for quickly narrowing down the search area. However, when ground truth is required, you are often back to square one when searching for a particular packet or flow in large traffic captures.
In this presentation, Emily describes the available features in Yet Another Flowmeter (YAF) for indexing large PCAP files with flow. She provides relevant examples of common analysis techniques with various tools from the CERT NetSA Security Suite and describes how to perform complementary PCAP analysis with YAF. In this presentation, Emily also touches on deploying a tiered approach to network monitoring storage and ways to maximize storage without compromising network analysis.