Online PCAP analysis with PacketTotal

Why using Wireshark?

PacketTotal is an online engine for analyzing .pcap files and visualizing the network traffic within, useful for malware analysis and incident response.

PacketTotal leverages features of BRO IDS and Suricata to flag malicious/suspicious traffic, display detailed protocol information, and extract artifacts found inside the packet capture.

What does PacketTotal offer that a traditional packet-capture tool does not?

PacketTotal presents information at a higher level than a tools such as WireShark. When I built this tool I was less concerned about duplicating functionality of these tools and more about automating the extraction of information that would be useful to security analysts and researchers.

On top of extracting information useful to quickly understanding the scope of a security incident or how a particular piece of malware communicates, PacketTotal:

  • Extracts artifacts found inside the packet-capture and makes them available for download
  • Reconstructs a timeline of TCP, UDP, and ICMP connections within the capture
  • Provides drill-down analytics that can aid in understanding the behavior of traffic found within the capture

Can i use PacketTotal for analyze a traffic capture containing sensitive information?

I don’t recommend it.

Everything stored within the packet-capture including the file itself is stored on the backend. Your public IP address is also captured at the time of the upload for the purpose of analytics and security.

Concerning the possibility of a private report, the FAQs says this:

This is a very legitimate use-case, however one of the primary goals of this project was to allow open intel sharing of malicious packet-captures accross the InfoSec community. I am working on a private API which I plan on making available in mid-2017. For the time being, simply use one of the numerous .pcap editing tools to redact any information you do not want shared prior to upload.