Thursday, October 25, 2018

Capture Glyphs!


Capture Glyphs are a very high-level representation of the traffic inside a PCAP. At a glance, you can determine roughly how many sessions occurred within the capture, how many of those sessions were TCP, UDP, or ICMP, and their rough duration.

Each unit, or square, inside a Capture Glyph represents a TCP, UDP, or ICMP session. The pixel in the middle of each square represents the duration of that session. This glyph, for example, represents a PCAP that contains about 50% TCP traffic and 50% UDP traffic. If we zoom in, we can clearly see sessions that lasted over 60 seconds, and some that were very short as well.
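To make the encoding concrete, here is an added example (not PacketTotal's own renderer) that draws a glyph from a list of sessions: one coloured square per TCP/UDP/ICMP session, with the centre pixel's brightness scaled to the session duration. The palette, the 5x5 cell size, the row-major square grid and the 60-second brightness saturation are all assumptions; the sample sessions are constructed.

```python
"""Render a Capture Glyph-style raster from (protocol, duration) sessions.
Added example; layout, colours and duration scale are assumed, not PacketTotal's."""
import math
from collections import Counter

CELL = 5                                          # assumed: each session is a 5x5 square
PROTO_RGB = {"tcp": (0, 120, 255), "udp": (255, 160, 0), "icmp": (0, 200, 90)}  # assumed palette
OTHER = (128, 128, 128)                           # anything that is not TCP/UDP/ICMP
BG = (20, 20, 20)                                 # background for unused grid cells

def duration_pixel(seconds, cap=60.0):
    """Centre pixel: brighter means longer, saturating at `cap` seconds (assumed scale)."""
    v = int(255 * min(seconds, cap) / cap)
    return (v, v, v)

def render_glyph(sessions):
    """sessions: list of (proto, duration_seconds). Returns rows of RGB tuples."""
    n = len(sessions)
    side = math.ceil(math.sqrt(n)) if n else 1    # smallest square grid that fits all sessions
    width = side * CELL
    img = [[BG] * width for _ in range(width)]
    for i, (proto, dur) in enumerate(sessions):
        r, c = divmod(i, side)                    # row-major placement
        y0, x0 = r * CELL, c * CELL
        colour = PROTO_RGB.get(proto.lower(), OTHER)
        for y in range(y0, y0 + CELL):
            for x in range(x0, x0 + CELL):
                img[y][x] = colour
        img[y0 + CELL // 2][x0 + CELL // 2] = duration_pixel(dur)
    return img

def glyph_summary(sessions):
    """What a glance at the glyph tells you: session counts per protocol and long sessions."""
    counts = Counter(p.lower() for p, _ in sessions)
    return {"total": len(sessions), "by_proto": dict(counts),
            "over_60s": sum(1 for _, d in sessions if d >= 60)}

def write_ppm(img, path):
    """Write the raster as binary PPM (P6), viewable without extra libraries."""
    h, w = len(img), len(img[0])
    with open(path, "wb") as f:
        f.write(f"P6 {w} {h} 255\n".encode())
        f.write(bytes(ch for row in img for px in row for ch in px))

# Constructed sample: roughly half TCP, half UDP, one session longer than 60 seconds
SAMPLE = [("tcp", 0.2), ("udp", 0.05), ("tcp", 75.0), ("udp", 1.5), ("icmp", 0.01), ("tcp", 30.0)]

if __name__ == "__main__":
    write_ppm(render_glyph(SAMPLE), "glyph.ppm")
    print(glyph_summary(SAMPLE))
```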

We are incredibly excited about this update, as it provides a brand new (and kind of beautiful) way of visualizing packet captures. A glyph is automatically created when you upload a PCAP to PacketTotal.com. If you have a cool glyph, be sure to tweet it at us! (@PacketTotal/@TheJaminBecker)


Monday, October 22, 2018

Bulk IOC Search

PacketTotal now contains almost 35,000 packet captures, over 70,000,000 records, and 20,000,000,000 data-points, which has led to some challenges around searching and sorting the data.

Over the past few months search has received several improvements. We modified our algorithm to pre-process queries and optimize them prior to search. We've doubled the number of nodes on our ElasticSearch backend and added backend load-balancing. However, even with all these improvements, large queries (those with hundreds or even thousands of strings) pose technical issues with the current infrastructure.

Obviously, being able to search our dataset quickly is a huge priority, and to get around the technical barriers we created a separate query infrastructure on AWS. This query infrastructure provides the ability to run distributed searches asynchronously, which translates to running many queries very quickly.

To test this infrastructure we have created a tool called Bulk IOC Search Utility, which can take in a list of up to 100 newline-separated IPs, URLs, domains, hashes, etc. We are also planning additional projects that will leverage this infrastructure. These will be tracked here.



So give it a try! Like the rest of the site it's absolutely free. If you find the tool useful, please feel free to shoot us a tweet! (@PacketTotal/@TheJaminBecker)

Wednesday, October 3, 2018

Introducing PCAP Tagging

Up until this point, PacketTotal has functioned as a completely autonomous analysis engine, meaning a capture is analyzed and results are generated without any additional user interaction. Relying strictly on automatically generated analysis can result in users making false assumptions about the benignity of the traffic contained within. Our underlying IDSs won't catch everything, and there are often times when it makes sense for a user to be able to add information that was missed by the analysis.


Enter tagging, which addresses this gap by allowing anyone to tag insights in a capture that the analysis missed.


Any user can add tags and references to an existing PCAP; these are periodically reviewed by the PacketTotal team to ensure their accuracy.


Tagged captures will contain a "Community Tags" tab. So next time you upload a PCAP, be sure to add some helpful tags so other users can find it more easily.