What are Packet Capture (PCAP) Files?

Packet capture files (.pcap and .pcapng extensions) provide detailed snapshots of network traffic, recording the individual data packets transmitted across the network. By examining these files, it's possible to reconstruct specific network interactions, detect anomalies or malicious behavior, and gain insight into the nature of the traffic.


How to Obtain Network Data:

Regardless of whether you’re running Windows, Linux, or macOS, you already have the tools you need to create PCAP files. Below, you’ll find short tutorials for creating PCAP files on each platform. Each section also includes a link to a more detailed, step-by-step version of the tutorial.

Tutorial: Creating PCAP files on Windows

  1. Open an elevated Command Prompt or PowerShell interpreter (via Run as Administrator).
  2. Choose the capture interface:
    Use ipconfig /all to find which interface has the Default Gateway configured.
    Take note of this interface’s MAC address, and run pktmon list to find the ID of the desired capture device (the line that matches the MAC from the previous command).
  3. Run the following command to capture network traffic: pktmon start -c --comp <id> --pkt-size 0 -s 100 -f cap1.etl
    • <id>: Interface ID
    • 100: Max capture file size in MB
    • cap1.etl: Output filename
  4. When you have captured enough data, stop the capture process with the pktmon stop command.
  5. Convert the capture to PcapNG: pktmon etl2pcap cap1.etl --out cap1.pcapng
  6. Upload the file to redhand.io.


  PCAP Files on Windows - Detailed Guide

Tutorial: Creating PCAP files on Linux

  1. Log in and open a terminal.
  2. Choose the capture interface:
    Use ip route | grep default to find which interface has the Default Gateway configured. Take note of the interface's (dev) name.
  3. Run the following command to capture network traffic:
    sudo tcpdump -vni <interface-name> -s 0 -w <filename.pcap> -c 100000
    • <interface-name>: Interface name
    • <filename.pcap>: Output filename, ex: capture.pcap
    • 100000: Number of packets to capture (roughly equivalent to 100MB)
    Let tcpdump finish the capture process when it reaches 100,000 packets, or manually stop it by pressing Ctrl+C.
  4. Upload the file to redhand.io.


  PCAP Files on Linux - Detailed Guide

Tutorial: Creating PCAP files on Mac

  1. Launch terminal (Launchpad -> Terminal)
  2. Choose the capture interface:
    Use netstat -nr | grep default to find which interface has the Default Gateway configured. Take note of the interface's (device) name.
  3. Run the following command to capture network traffic:
    sudo tcpdump -vni <interface-name> -s 0 -w <filename.pcap> -c 100000
    • <interface-name>: Interface name, ex: en0
    • <filename.pcap>: Output filename, ex: capture.pcap
    • 100000: Number of packets to capture (roughly equivalent to 100MB)
    Let tcpdump finish the capture process when it reaches 100,000 packets, or manually stop it by pressing Ctrl+C.
  4. Upload the file to redhand.io.


  PCAP Files on Mac - Detailed Guide

Netflow Logs

Depending on the existing infrastructure and budget, accessing raw network (packet capture) data may not always be practical. In some cases, appliances or services provide network traffic data in the form of NetFlow logs. Most network switches, routers, and cloud providers support the creation of NetFlow logs. These logs offer a summarized view of network activity, which presents both advantages and limitations.


Tutorial: Accessing Your Amazon AWS VPC Network Data

Step 1: Create VPC Flow Log
  • Log in to your AWS Management Console, and from the Services menu, navigate to the VPC Dashboard
  • In the top-right corner, click the Actions button, then select Create Flow Log
  • Name the flow log (optional), set Filter to All and Maximum aggregation interval to 10 minutes

Step 2: Set S3 bucket as destination
  • Choose Send to an Amazon S3 bucket and Create S3 bucket
  • On the Create bucket screen, name the bucket and leave the default encryption settings as they are (Server-side encryption with Amazon S3 managed keys (SSE-S3) and Bucket Key enabled), then click Create bucket
  • Go to the Properties tab under the bucket information section, find the Amazon Resource Name (ARN), copy it and paste into the S3 bucket ARN destination settings

Step 3: Advanced settings
  • In the Log record format section, select Custom format
  • Add the following custom attributes to the default fields: tcp-flags, type, flow-direction and traffic-path
  • If you're using Amazon Elastic Container Service (ECS), be sure to also include the following fields: ecs-cluster-name, ecs-container-instance-id and ecs-container-id
  • Under Partition logs by time, select Every 1 hour, then click Create flow log

Step 4: Download the flow logs and analyze
  • Open the Amazon S3 Console, select your bucket to access its details, and navigate to the folder containing the log files
  • Select the checkboxes next to the files you want to analyze, then choose Download
  • Extract the contents of the .gz file and upload it to redhand.io.
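The custom format set up in Step 3 adds tcp-flags, type, flow-direction and traffic-path to the default fields. The script below is an added example, not redhand.io's code, showing what those records look like once extracted and how the extra fields are used: it parses the space-separated records, treats the "-" placeholder (and NODATA records) correctly, decodes the tcp-flags bitmask, and lists sources whose rejected ingress flows touched several distinct destination ports, a common first-pass indicator of scanning. The log lines are constructed for the example (RFC 5737 addresses, made-up account and ENI IDs); it assumes the first line of the file names the fields in order, as the S3-delivered files do, and that tcp-flags uses the standard bit values FIN 1, SYN 2, RST 4, PSH 8, ACK 16, URG 32.

```python
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample in the custom format from Step 3 (default fields followed by
# tcp-flags, type, flow-direction, traffic-path). Assumption: line 1 names the fields.
SAMPLE_LOG = """\
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status tcp-flags type flow-direction traffic-path
5 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.7 10.0.1.25 51234 22 6 1 44 1700000000 1700000599 REJECT OK 2 IPv4 ingress -
5 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.7 10.0.1.25 51235 23 6 1 44 1700000000 1700000599 REJECT OK 2 IPv4 ingress -
5 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.7 10.0.1.25 51236 3389 6 1 44 1700000000 1700000599 REJECT OK 2 IPv4 ingress -
5 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.25 198.51.100.9 40001 443 6 12 3080 1700000000 1700000599 ACCEPT OK 19 IPv4 egress 8
5 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.9 10.0.1.25 443 40001 6 10 9120 1700000000 1700000599 ACCEPT OK 19 IPv4 ingress 8
5 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000599 - NODATA - - - -
"""

# Fields that are integers whenever they are present ("-" means absent).
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes",
              "start", "end", "tcp-flags", "traffic-path"}

# tcp-flags is a bitmask OR-ed over the aggregation interval; standard TCP bit values.
TCP_FLAG_BITS = [(1, "FIN"), (2, "SYN"), (4, "RST"), (8, "PSH"), (16, "ACK"), (32, "URG")]

Record = Dict[str, Optional[object]]


def parse_flow_log(text: str) -> List[Record]:
    """Turn one extracted flow log file into a list of dicts keyed by field name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    fields = lines[0].split()
    records: List[Record] = []
    for ln in lines[1:]:
        values = ln.split()
        if len(values) != len(fields):
            raise ValueError(f"{len(values)} values for {len(fields)} fields: {ln!r}")
        rec: Record = {}
        for name, val in zip(fields, values):
            if val == "-":
                rec[name] = None           # placeholder: field not available for this record
            elif name in INT_FIELDS:
                rec[name] = int(val)
            else:
                rec[name] = val
        records.append(rec)
    return records


def decode_tcp_flags(mask: Optional[int]) -> List[str]:
    """Names of the TCP flags set in a tcp-flags value, e.g. 19 -> FIN, SYN, ACK."""
    if mask is None:
        return []
    return [name for bit, name in TCP_FLAG_BITS if mask & bit]


def rejected_port_sweeps(records: List[Record], min_ports: int = 3) -> Dict[str, List[int]]:
    """Sources whose REJECTed ingress flows reached at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT" and r["flow-direction"] == "ingress" and r["dstport"] is not None:
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def bytes_by_direction(records: List[Record]) -> Dict[str, int]:
    """Total bytes per flow-direction, counting only records that carry data (log-status OK)."""
    totals = defaultdict(int)
    for r in records:
        if r["log-status"] == "OK":
            totals[r["flow-direction"]] += r["bytes"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(f"{len(recs)} records, bytes by direction: {bytes_by_direction(recs)}")
    for src, dports in rejected_port_sweeps(recs).items():
        print(f"rejected ingress from {src} to {len(dports)} ports: {dports}")
    for r in recs[:5]:
        print(r["srcaddr"], "->", r["dstaddr"], r["dstport"], r["action"], decode_tcp_flags(r["tcp-flags"]))
```

To use it on real data, read each extracted file with parse_flow_log(open(path).read()) and concatenate the lists; since the sample records are 10-minute aggregates, a flags value such as 19 (FIN, SYN, ACK) describes a whole connection's lifetime rather than one packet, and a bare 2 (SYN) on a REJECT is the handshake attempt the security group or network ACL turned away.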


  AWS VPC Logs - Detailed Guide