Obtaining Network Data For Cyber Analysis

Types of Network Data Files

We can currently analyze two types of data files: packet captures and NetFlow logs:


Packet Capture Files

Packet capture files (.pcap and .pcapng extensions) provide detailed snapshots of network traffic, recording the individual packets transmitted across the network. By analyzing these files, it is possible to reconstruct specific network interactions, detect anomalies or malicious behavior, and gain insight into the nature of the traffic.


NetFlow Logs

NetFlow is a widely used network protocol that collects metadata about IP traffic flowing across network devices such as routers, switches, and hosts. This metadata provides valuable information about the source, destination, volume, and nature of traffic, enabling a deeper understanding of network behavior. For organizations utilizing Virtual Private Cloud (VPC) services like Amazon Web Services (AWS), Google Cloud, or Microsoft Azure, NetFlow is natively supported. NetFlow logs usually come in CSV format.


How to Obtain Network Data

Creating PCAP files on Windows

  1. Open an elevated Command Prompt or PowerShell interpreter (via Run as Administrator).
  2. Choose the capture interface:
    Use ipconfig /all to find which interface has the Default Gateway configured.
    Take note of this interface’s MAC address, and run pktmon list to find the ID of the desired capture device (the line that matches the MAC from the previous command).
  3. Run the following command to capture network traffic: pktmon start -c --comp <id> --pkt-size 0 -s 100 -f cap1.etl
    • <id>: Interface ID
    • 100: Max capture file size in MB
    • cap1.etl: Output filename
  4. When you have captured enough data, stop the capture process with the pktmon stop command.
  5. Convert the capture to PcapNG: pktmon etl2pcap cap1.etl --out cap1.pcapng
  6. Upload the file to redhand.io.


  PCAP Files on Windows - Detailed Guide

Creating PCAP files on Linux

  1. Log in and open a terminal.
  2. Choose the capture interface:
    Use ip route | grep default to find which interface has the Default Gateway configured. Take note of the interface's (dev) name.
  3. Run the following command to capture network traffic:
    sudo tcpdump -vni <interface-name> -s 0 -w <filename.pcap> -c 100000
    • <interface-name>: Interface name
    • <filename.pcap>: Output filename, ex: capture.pcap
    • 100000: Number of packets to capture (roughly equivalent to 100MB)
    Let tcpdump finish the capture process when it reaches 100,000 packets, or manually stop it by pressing Ctrl+C.
  4. Upload the file to redhand.io.


  PCAP Files on Linux - Detailed Guide

Creating PCAP files on Mac

  1. Launch Terminal (Launchpad -> Terminal).
  2. Choose the capture interface:
    Use netstat -nr | grep default to find which interface has the Default Gateway configured. Take note of the interface's (device) name.
  3. Run the following command to capture network traffic:
    sudo tcpdump -vni <interface-name> -s 0 -w <filename.pcap> -c 100000
    • <interface-name>: Interface name, ex: en0
    • <filename.pcap>: Output filename, ex: capture.pcap
    • 100000: Number of packets to capture (roughly equivalent to 100MB)
    Let tcpdump finish the capture process when it reaches 100,000 packets, or manually stop it by pressing Ctrl+C.
  4. Upload the file to redhand.io.


  PCAP Files on Mac - Detailed Guide
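Whichever of the Windows, Linux or Mac procedures above produced the file, it is worth checking it before upload: that it really is a pcap or pcapng file, how many packets it holds, and that packets were saved in full, which is what --pkt-size 0 (pktmon) and -s 0 (tcpdump) are for. The following checker is an added example, not code from the original page or from redhand.io; it reads the libpcap and pcapng headers with only the Python standard library, and the sample files it inspects are constructed in memory rather than captured.

```python
"""Sanity-check a capture file before uploading it.

Added example; not code from the original page or from redhand.io. It reads the
libpcap (.pcap) and pcapng (.pcapng) headers with only the standard library,
reports format, snaplen and packet count, and counts records whose saved length
is shorter than the packet's original length (i.e. the capture truncated packets,
which "-s 0" / "--pkt-size 0" are meant to avoid). Sample files are built in memory.
"""
import struct

PCAP_MAGICS = {0xA1B2C3D4: "microseconds", 0xA1B23C4D: "nanoseconds"}
PCAPNG_SHB = 0x0A0D0D0A          # Section Header Block type (same bytes in either order)
PCAPNG_BOM = 0x1A2B3C4D          # byte-order magic inside the SHB
PCAPNG_IDB, PCAPNG_SPB, PCAPNG_EPB = 1, 3, 6


def inspect_capture(data):
    """Describe a pcap/pcapng byte string; raise ValueError if it is neither."""
    if len(data) < 4:
        raise ValueError("file too short to be a capture")
    if struct.unpack("<I", data[:4])[0] == PCAPNG_SHB:
        return _inspect_pcapng(data)
    for order in ("<", ">"):
        magic = struct.unpack(order + "I", data[:4])[0]
        if magic in PCAP_MAGICS:
            return _inspect_pcap(data, order, PCAP_MAGICS[magic])
    raise ValueError("not a pcap or pcapng file")


def _inspect_pcap(data, order, resolution):
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    # Global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype.
    _, major, minor, _, _, snaplen, linktype = struct.unpack(order + "IHHiIII", data[:24])
    offset, packets, truncated = 24, 0, 0
    while offset + 16 <= len(data):
        # Record header: ts_sec, ts_frac, incl_len (bytes saved), orig_len (on the wire).
        _, _, incl_len, orig_len = struct.unpack(order + "IIII", data[offset:offset + 16])
        if offset + 16 + incl_len > len(data):
            raise ValueError(f"record {packets} runs past end of file; capture cut short?")
        truncated += incl_len < orig_len
        packets += 1
        offset += 16 + incl_len
    return {"format": "pcap", "byte_order": "little" if order == "<" else "big",
            "timestamps": resolution, "version": (major, minor), "snaplen": snaplen,
            "linktype": linktype, "packets": packets, "truncated_packets": truncated}


def _inspect_pcapng(data):
    # The SHB's byte-order magic fixes endianness for every block in the section.
    if len(data) < 28:
        raise ValueError("truncated pcapng section header")
    order = "<" if struct.unpack("<I", data[8:12])[0] == PCAPNG_BOM else ">"
    if struct.unpack(order + "I", data[8:12])[0] != PCAPNG_BOM:
        raise ValueError("bad pcapng byte-order magic")
    offset, packets, truncated, snaplen, linktype = 0, 0, 0, None, None
    while offset + 12 <= len(data):
        btype, blen = struct.unpack(order + "II", data[offset:offset + 8])
        if blen < 12 or blen % 4 or offset + blen > len(data):
            raise ValueError(f"block at offset {offset} has bad length {blen}")
        body = data[offset + 8:offset + blen - 4]
        if btype == PCAPNG_IDB:               # Interface Description Block
            linktype, _, snaplen = struct.unpack(order + "HHI", body[:8])
        elif btype == PCAPNG_EPB:             # Enhanced Packet Block
            _, _, _, cap_len, orig_len = struct.unpack(order + "IIIII", body[:20])
            packets += 1
            truncated += cap_len < orig_len
        elif btype == PCAPNG_SPB:             # Simple Packet Block (no captured length)
            packets += 1
        offset += blen
    return {"format": "pcapng", "byte_order": "little" if order == "<" else "big",
            "snaplen": snaplen, "linktype": linktype,
            "packets": packets, "truncated_packets": truncated}


def _pcapng_block(btype, body):
    body += b"\x00" * (-len(body) % 4)       # blocks are padded to 32-bit boundaries
    total = 8 + len(body) + 4
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def build_sample_pcap(truncate=False):
    """Constructed two-frame little-endian pcap (linktype 1 = Ethernet, snaplen 262144)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
    body = b""
    for i, frame in enumerate((b"\x00" * 60, b"\x00" * 1514)):
        incl = min(len(frame), 96) if truncate else len(frame)   # mimic a small snaplen
        body += struct.pack("<IIII", 1700000000 + i, 0, incl, len(frame)) + frame[:incl]
    return header + body


def build_sample_pcapng():
    """Constructed pcapng: SHB + IDB + one Enhanced Packet Block holding a 60-byte frame."""
    shb = _pcapng_block(PCAPNG_SHB, struct.pack("<IHHq", PCAPNG_BOM, 1, 0, -1))
    idb = _pcapng_block(PCAPNG_IDB, struct.pack("<HHI", 1, 0, 262144))
    frame = b"\x00" * 60
    epb = _pcapng_block(PCAPNG_EPB, struct.pack("<IIIII", 0, 0, 0, len(frame), len(frame)) + frame)
    return shb + idb + epb


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_pcap()
    print(inspect_capture(data))
```

Run it with the capture path as the only argument (for example the cap1.pcapng or capture.pcap produced above); with no argument it inspects the constructed sample. A non-zero truncated_packets count means the capture was taken with a limited snap length and payload analysis will be incomplete, and a "runs past end of file" error means the capture was stopped uncleanly and the last record should be discarded.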

Getting AWS VPC Flow Logs

Step 1: Create VPC Flow Log
  • Log in to your AWS Management Console, and from the Services menu, navigate to the VPC Dashboard
  • In the top-right corner, click the Actions button, then select Create Flow Log
  • Name the flow log (optional), set Filter to All and Maximum aggregation interval to 10 minutes

Step 2: Set S3 bucket as destination
  • Choose Send to an Amazon S3 bucket and Create S3 bucket
  • On the Create bucket screen, name the bucket and leave the default encryption settings as they are (Server-side encryption with Amazon S3 managed keys (SSE-S3), Bucket Key enabled), then click Create bucket
  • Go to the Properties tab under the bucket information section, find the Amazon Resource Name (ARN), copy it, and paste it into the S3 bucket ARN field of the flow log's destination settings

Step 3: Advanced settings
  • In the Log record format section, select Custom format
  • Add the following custom attributes to the default fields: tcp-flags, type, flow-direction and traffic-path
  • If you're using Amazon Elastic Container Service (ECS), be sure to also include the following fields: ecs-cluster-name, ecs-container-instance-id and ecs-container-id
  • Under Partition logs by time, select Every 1 hour, then click Create flow log

Step 4: Download the flow logs and analyze
  • Open the Amazon S3 Console, select your bucket to access its details, and navigate to the folder containing the log files
  • Select the checkboxes next to the files you want to analyze, then choose Download
  • Extract the contents of the .gz file and upload the extracted log file to redhand.io.


  AWS VPC Logs - Detailed Guide
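The custom format configured in Step 3 decides what each downloaded record contains. The parser below is an added example, not code from the original page or from redhand.io: it reads records of that format (the default fields plus tcp-flags, type, flow-direction and traffic-path), takes the field order from the header line at the top of the log file rather than hard-coding it, handles the NODATA records in which most fields are "-", and derives two quick defender views, rejected flows per source and accepted bytes per direction. The sample log it parses is constructed, not a real export.

```python
"""Parse and summarize AWS VPC Flow Log records in the custom format above.

Added example; not code from the original page or from redhand.io. Records are
space-separated, and the field order is taken from the header line that starts
each log file rather than hard-coded. The sample log is constructed, not real.
"""
from collections import Counter

# Constructed sample: default fields plus tcp-flags, type, flow-direction and
# traffic-path. The last record is a NODATA record, where most fields are "-".
SAMPLE_LOG = """\
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status tcp-flags type flow-direction traffic-path
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.10 10.0.2.20 49152 443 6 12 9300 1700000000 1700000059 ACCEPT OK 19 IPv4 egress 1
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.10 51000 22 6 1 44 1700000001 1700000060 REJECT OK 2 IPv4 ingress -
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.10 51001 3389 6 1 44 1700000002 1700000061 REJECT OK 2 IPv4 ingress -
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000600 - NODATA - - - -
"""

# tcp-flags is a bitmask of the TCP flags seen during the aggregation interval.
TCP_FLAG_BITS = {1: "FIN", 2: "SYN", 4: "RST", 8: "PSH", 16: "ACK", 32: "URG"}
NUMERIC_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes",
                  "start", "end", "tcp-flags", "traffic-path"}


def parse_flow_log(text):
    """Return one dict per record; '-' becomes None and numeric fields become int."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0].split()[0] != "version":
        raise ValueError("flow log is missing its header line")
    fields = lines[0].split()
    records = []
    for ln in lines[1:]:
        values = ln.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {ln!r}")
        rec = {}
        for name, val in zip(fields, values):
            if val == "-":
                rec[name] = None
            elif name in NUMERIC_FIELDS:
                rec[name] = int(val)
            else:
                rec[name] = val
        records.append(rec)
    return records


def decode_tcp_flags(mask):
    """Expand a tcp-flags bitmask into flag names, e.g. 19 -> ['FIN', 'SYN', 'ACK']."""
    if mask is None:
        return []
    return [name for bit, name in sorted(TCP_FLAG_BITS.items()) if mask & bit]


def data_records(records):
    """Only records that describe traffic; NODATA/SKIPDATA records carry no flow."""
    return [r for r in records if r["log-status"] == "OK"]


def rejected_by_source(records):
    """Count REJECTed flows per source address: a quick view of who is being blocked."""
    return Counter(r["srcaddr"] for r in data_records(records) if r["action"] == "REJECT")


def bytes_by_direction(records):
    """Total bytes per flow-direction (ingress/egress) for ACCEPTed traffic."""
    totals = Counter()
    for r in data_records(records):
        if r["action"] == "ACCEPT":
            totals[r["flow-direction"]] += r["bytes"]
    return totals


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    for r in data_records(recs):
        print(r["srcaddr"], "->", r["dstaddr"], r["dstport"], r["action"],
              decode_tcp_flags(r["tcp-flags"]))
    print("rejected by source:", dict(rejected_by_source(recs)))
    print("bytes by direction:", dict(bytes_by_direction(recs)))
```

To run it over a downloaded file, pass the extracted log's text to parse_flow_log instead of SAMPLE_LOG. Keeping the field order tied to the header line is the reason to read it rather than assume it: if the custom format is later changed, or the ECS fields are added, the parser keeps working, whereas a hard-coded column list would silently mislabel every field after the change.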