- Announcing pcapr.Local - your private repository
- Over the last year, we've had a number of requests for an on-premise version of pcapr to help organize private pcap collections. We are happy to announce pcapr.Local today, a Sinatra/xtractr/CouchDB app that allows you to index and search all of your private pcaps. You can read more about this in our blog.
- MuSL - Interactive Application Protocol Playground
- MuSL (Mu Scenario Language) is a canonical Domain Specific Language that we use in Mu Studio to represent complex transactions between multiple hosts using multiple transports and layers. The language itself borrows constructs from numerous languages and was designed to be protocol friendly. We are happy to announce an interactive playground for MuSL including tutorials and how-to's for various types of testing.
- Increased xtractr index size
- We are happy to announce that the lite version of xtractr can now index up to 10 million packets or 1GByte of pcaps. In addition, if you are going to be attending Sharkfest '10 next week, do stop by and say hello to us!
- Announcing xtractr
- We are happy to announce xtractr, a collaborative cloud application to unleash the power of packets. xtractr indexes your pcaps so you can search, extract, report and collaborate on them. Both the pcaps and the indexes are stored locally on your system while the analytics and collaboration happens over the cloud. xtractr is intended for QA and support folks that struggle every day to resolve field issues as well as network operations folks that want to do troubleshooting and forensics.
- Hack.Lu 09 pcaps
- We've added another 750MB and 4.3 million packets to Collaborative Network Forensics. These packets were captured on a honeypot for the Information Security Visualization Contest.
- Packet previews in RSS feeds
- You asked for it and here it is. The RSS feed now contains the preview of the first 4 packets in the pcap along with the protocols, size, #packets and the author.
- Pcapr Trends
With such a large collection of pcaps, we set out to answer the meaning
of it all with multi-dimensional visualization using Motion Charts.
- How does the coverage and number of pcaps for a given protocol trend over time?
- When was a protocol first introduced into pcapr?
- What is 42 and what does it have to do with packet captures?
Explore with pcapr Trends!
- Defcon17 CTF pcaps
- Continuing to expand the datasets available in Collaborative Network Forensics, we've added capture the flag packet captures from Defcon17, published by Diutinus Defense. This adds over 7.8 GBytes of pcaps and another 25 million packets to our collection.
- Collaborative Network Forensics
- Ever had to deal with multi-gig pcaps and wondered if there was a faster, better, interactive way to see the packets, search for them and extract slices? Well, the pcapr way of indexing and visualizing large pcaps is at forensics. With full-text search, packet slices, index browsing and contextual filters, this one's cool. To make this even more fun, we've added HN/Twitter-style one-liners that you can attach to packets and contribute towards collective forensics. With over 15.0 GBytes and 26.3 million packets, this represents the largest collection of indexed pcaps online.
- 1, 2, 3 DoS
- Pcapr has always had the ability to convert any one of the 52000+ packets into a DoS generator to be used in conjunction with mudos. But we admit, it was always a little hard to find this capability. So we've added a new application to create DoS configurations with just a few clicks. With this, you can simply search for a pcap, select a packet and convert that into a DoS configuration to be used with mudos.
- Pcapr Suggest
With the growing number of pcaps on pcapr, we want you to find the packet captures you are looking for as quickly and as easily as possible. We've added pcapr suggest so as you type your search criteria, we'll tell you which pcaps match those. We currently search the filename, the description, the packet summaries and the various protocol fields. Try the search bar below and start typing and see what you find.
- http buffer overflow (basic keyword search)
- by:mu (search for pcaps submitted by "mu")
- sip AND "180 Ringing" (search for SIP pcaps that contain a "180 Ringing" packet)
- "Tree Connect AndX Request" (search for SMB pcaps that contain a "Tree Connect AndX Request" packet)
- http AND field:ipv6* (search for HTTP pcaps over IPv6)
- Hush, hush pcaps
Sharing pcaps is not always easy since they contain sensitive information (internal/public IPs, credentials, hostnames, etc.). On the other hand, pcapr provides some unique editing capabilities to transform pcaps in various ways (DoS generation, fragmentation, stream reassembly, packet reordering, content extraction, rewriting IP addresses, etc.). Well, you can now have the best of both worlds. You can upload and manage private pcaps using drafts. You can have up to five pcaps in your drafts at any given time. While these are indexed like any other uploaded pcap, they don't show up in any of the searches and are not visible to other users. Drafts are also great if you want to prune out certain packets before publishing a pcap to the community, or just to save them back.
- Vote for your features
- Have a really cool feature in mind that you'd like to see on pcapr? We've integrated User Voice forums so you can add and/or vote for the top features you'd like to see to make pcapr even better. Use the feedback tab on the right to rate the features you'd like to see. We'll try to get it done as soon as we can.
- Cap'r Mak'r now supports POP3
- If you want to embed malware or exploits in a POP3 stream and generate packet captures, you have to setup a server, find the right POP3 client, configure it and then run tcpdump. With this update, it just takes a browser and a couple of clicks to get your pcap all ready to go. And you can turn on APOP authentication, if you feel like it. Try Cap'r Mak'r with POP3!
- RSS Feeds
- Soon after we launched pcapr, we had requests to track new uploads by protocol and/or user. So we took that request and ran with it. Now when you filter by user, protocol, a specific field or a user-defined tag, you should see the RSS icon for it. This makes it pretty easy to track pcaps that match your interests.
- Protocol Field Coverage
- If all you have is a pcap, how would you know how much of the actual protocol specification (the possible set of fields that the packets could carry) the packets end up covering? We used the Wireshark dissector documentation as the authoritative reference and then indexed all the protocol fields in the repository to see where we stand. It's an interesting metric for sure. And because of the indexing, searching for pcaps with specific fields just got a whole lot easier. Looking for a SIP pcap that contains the WWW-Authenticate header? No problem, just type in field:sip.www.authenticate in the search bar and off you go. Or you can navigate to the Field Index and click on a field to browse all pcaps that contain that field.
- Cap'r Mak'r
- Packet repositories are fine if you already have pcaps that you want to share with the community. However, if you are testing DPI or IPS you probably have a piece of content (malware, exploit, image, PDF, etc) that you want to embed in a protocol stream. The painful way of doing this is to setup a server, write a cgi-bin/servlet, put the content in the appropriate place, trigger the content upload/download and then capture the packets. With Cap'r Mak'r, you can short-circuit all of that with just a browser and a couple of clicks. We are starting with HTTP and SMTP and you get to control most of the HTTP protocol settings including chunked encoding. Try generating a pcap with HTTP POST, chunked encoded into 64-byte chunks and then further TCP segmented into 64-byte packets and see if your signatures match!
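An added example (not Cap'r Mak'r's own code) of the chunked-encoding case described above: a body split into 64-byte chunks, the reassembly a DPI/IPS engine has to perform before matching, and a check showing that a signature straddling a chunk boundary is invisible on the raw wire bytes but present after dechunking. The host, path and marker string are constructed for the example.

```python
# Added example, not Cap'r Mak'r's own code: chunked transfer coding with fixed-size
# chunks, and the reassembly a DPI/IPS engine needs before matching a signature.
def chunk_encode(body: bytes, chunk_size: int = 64) -> bytes:
    """Encode body with HTTP/1.1 chunked transfer coding, chunk_size bytes per chunk."""
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    out = bytearray()
    for i in range(0, len(body), chunk_size):
        piece = body[i:i + chunk_size]
        out += b"%x\r\n" % len(piece) + piece + b"\r\n"
    return bytes(out + b"0\r\n\r\n")  # last-chunk plus empty trailer section

def chunk_decode(wire: bytes) -> bytes:
    """Reassemble a chunked body; raises ValueError on truncated or misframed input."""
    body, pos = bytearray(), 0
    while True:
        eol = wire.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size = int(wire[pos:eol].split(b";", 1)[0].strip(), 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(body)  # trailers, if any, are ignored here
        piece = wire[pos:pos + size]
        if len(piece) != size or wire[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated or misframed chunk")
        body += piece
        pos += size + 2

def build_post(body: bytes, chunk_size: int = 64) -> bytes:
    """Constructed HTTP POST request (hypothetical host and path) with a chunked body."""
    headers = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
               b"Transfer-Encoding: chunked\r\nContent-Type: application/octet-stream\r\n\r\n")
    return headers + chunk_encode(body, chunk_size)

def signature_hits(request: bytes, signature: bytes) -> tuple:
    """(signature found in the raw wire body, signature found after dechunking)."""
    body_wire = request.split(b"\r\n\r\n", 1)[1]
    return (signature in body_wire, signature in chunk_decode(body_wire))

# Constructed sample: a benign marker placed so it straddles the first 64-byte chunk boundary.
SAMPLE_BODY = b"A" * 60 + b"MARKER-STRING" + b"B" * 50
SAMPLE_SIGNATURE = b"MARKER-STRING"

if __name__ == "__main__":
    print(signature_hits(build_post(SAMPLE_BODY), SAMPLE_SIGNATURE))  # (False, True)
```

A signature engine that matches only on the raw TCP payload reports the first value; one that normalizes the transfer coding first reports the second.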
- The Pack3tiz3rs
- Packets are cool, we all know that. But the users that did all the hard work (tcpdump -s 0 -i eth0) to capture and share them with the broader community are just l33t and deserve to be in the Cloud of Fame. Want to be a Pack3tiz3r? All it takes is an upload.
- You know you are a packet geek if ...
- pcapr now has user profiles where you can add your image, links to your blogs and automatically create an RSS feed just for your pcaps. Want to stay current on pcaps from any user on pcapr? Go to their profile page and you'll see the link. If you are logged in, you can edit your profile by clicking on your email address shown at the top of each page. Here's our profile. Enjoy!
- Googling for pcaps
If you have a wealth of pcaps lying around, but don't feel like sharing,
then here's how you can contribute. Use the following Google queries to
find those pesky little packets squirreled away all over the place:
- filetype:pcap (the simple search)
- attachment pcap (attachments in mails)
- filetype:gz inurl:pcap (sneaky compressed pcaps)
We don't have gunzip'ing during uploads yet, but that should be there soon so you can directly point us to these pcaps. We've added a few of these to pcapr, but feel free to add more! During upload, we'll let you know if there's a duplicate. If you have other cool queries to help locate pcaps, please let us know in the forum.
- URL Uploads
- Found a neat looking pcap that you are curious about and want to share with the broader community? When you upload a pcap, you can enter a URL and we'll take it from there. After we successfully process the pcap, you can see the original URL in the About page.
- Registration is Open
- While still under beta (probably for a long time!), you can now self register. It's easy; you enter the email address and we'll send you a confirmation link. We've also disabled anonymous downloads. So while you can browse, search and preview pcaps, you must be logged in for all other things.
- Isn't it true that any self-respecting Web 2.0 site must support user-defined tags? For the pcap that you uploaded, you can now add up to 8 tags (space-separated keywords). And of course, you can search on them, filter on them, etc. If you want to see all the tags across all pcaps, then use the cloud to quickly filter on a specific tag. Remember that the protocol tagging is automatic when you upload, but you can tag things like 'exploit', 'vulnerability', 'overflow', etc.
- Stateless DoS
- How often did you want to go from a pcap to a D/DoS generator? Well, we got tired of hand-rolling DoS generators over and over again and we figured you might be interested too. See the FAQ for more details. The simplest way to make a D/DoS is to click on a packet and then choose DoS from the Edit menu.
- HTTP Content Extraction
When you look at a pcap, all you see is a bunch of formless, shapeless
bytes. Often, there are hidden gems broken up into these meaningless
bytes. You'll be surprised at what you find inside these packets. Click
on a TCP packet, Edit/Stream and choose Content as one of the
Try this for starters. It's a great way to start the year!
Just remember, that the extracted content might be a browser exploit. If you are not sure, then click on download instead of viewing it in the browser.
- TCP Stream Rewrites
Let's say you are developing, testing or validating DPI,
IPS or an anti-something-or-the-other.
So all you want is to take a TCP stream and rewrite addresses or go from IPv4 to IPv6 (or vice versa).
We have just the thing and we call it Stream Rewrites. If the pcap you are viewing has a TCP packet, then click on the packet, Edit/Stream and choose Rewrite as one of the actions. You get to change the MAC addresses, IP addresses (both IPv4 and IPv6), ports and the MSS. All this is done in your own browser and the generated pcap is yours to keep, forever.
- Packet Fragmentation
- First of the many pcapr pcaplets, this one allows you to visually fragment an IPv4 packet and then rewrite it by changing MAC addresses. You can even drag the packets around to reorder them. This is a packet pcaplet and so shows up when you click on a packet and then choose Edit/Fragment.
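An added example, not pcapr's pcaplet code, that covers the two edits described above (the Stream Rewrites address change and the Fragment pcaplet): rewriting the IPv4 addresses of a raw packet and splitting it into fragments, recomputing the header checksum each time. It assumes a 20-byte IPv4 header without options; the sample packet and its addresses are constructed.

```python
# Added example, not pcapr's pcaplet code; assumes an IPv4 header without options (IHL 5).
import socket, struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the header bytes (0 when header is valid)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _with_checksum(hdr: bytearray) -> bytes:
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr)

def rewrite_addresses(packet: bytes, src: str, dst: str) -> bytes:
    """Replace the IPv4 source/destination and fix the header checksum."""
    hdr = bytearray(packet[:20])
    hdr[12:16], hdr[16:20] = socket.inet_aton(src), socket.inet_aton(dst)
    return _with_checksum(hdr) + packet[20:]

def fragment(packet: bytes, mtu: int) -> list:
    """Split an IPv4 packet (no options) into fragments whose total length fits mtu."""
    hdr, payload = packet[:20], packet[20:]
    if (hdr[0] & 0x0F) != 5:
        raise ValueError("example assumes a 20-byte header without options")
    flags_off = struct.unpack("!H", hdr[6:8])[0]
    if flags_off & 0x4000:
        raise ValueError("DF is set: this packet must not be fragmented")
    step = (mtu - 20) // 8 * 8  # non-final fragments carry a multiple of 8 payload bytes
    if step <= 0:
        raise ValueError("mtu too small to carry any payload")
    orig_off, orig_mf = flags_off & 0x1FFF, flags_off & 0x2000
    frags = []
    for off in range(0, len(payload), step):
        piece = payload[off:off + step]
        last = off + step >= len(payload)
        h = bytearray(hdr)
        h[2:4] = struct.pack("!H", 20 + len(piece))
        mf = orig_mf if last else 0x2000  # keep MF on the tail if the input was itself a fragment
        h[6:8] = struct.pack("!H", mf | (orig_off + off // 8))
        frags.append(_with_checksum(h) + piece)
    return frags

def build_sample(payload: bytes) -> bytes:
    """Constructed IPv4 packet: IHL 5, TTL 64, protocol 17 (UDP), id 0x1234, no flags."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                                64, 17, 0, socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2")))
    return _with_checksum(hdr) + payload
```

Each fragment keeps the original identification field, so a receiver can reassemble them; verifying that `ipv4_checksum` over each new header returns 0 is the quick sanity check after either edit.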