ANTFARM/PCAP

Parsing a PCAP file using Antfarm:

For your PCAP file:

1. Save your PCAP file as a text file (this will be further referred to as )

NOTE: Your customized script will be automatically saved in the following location: .antfarm/scripts. When you run the following command at the prompt ($), you will see the name of your customized script listed under "custom":

$ antfarm

2. Run the Antfarm pcap script on your pcap file (do not include brackets in filenames unless they are part of the filename) with the following command at the prompt:

$ antfarm -e  custom  

3. For Antfarm version 0.3.0, parse-pcap-file requires that network entries already exist in the database for BOTH the source IP and the destination IP of any record in the pcap file; otherwise it quietly ignores the record. In the newer version of Antfarm, if you use the --create-new-networks flag, it will create the network entry for any new IPs.

For use on a single PCAP file, use: $ antfarm -e  custom  --create-new-networks 

For use on a whole directory of PCAP files, use: $ antfarm -e  custom  --create-new-networks 

At this point, you have parsed your pcap file () using a custom PCAP script in Antfarm () and the parsed information is saved in your environment.
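As an added pre-flight check for step 3 (example code written for this page, not part of Antfarm): since Antfarm 0.3.0 quietly ignores any pcap record whose source or destination IP has no network entry, this script lists the IPv4 endpoints in a libpcap file and reports those not covered by the networks you already have in the database. The KNOWN_NETWORKS list and the embedded sample capture are constructed assumptions; point it at your real file and network list instead.

```python
import struct
import ipaddress

def pcap_endpoints(data):
    """Return ([(src, dst), ...], skipped) for each Ethernet/IPv4 packet in a libpcap byte string."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"          # little-endian capture
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"          # big-endian capture
    else:
        raise ValueError("not a libpcap file (pcapng is not handled)")
    if struct.unpack(end + "I", data[20:24])[0] != 1:  # DLT_EN10MB
        raise ValueError("only the Ethernet link type is decoded")
    pairs, skipped, off = [], 0, 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[off:off + 16])[2]
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # 14-byte Ethernet header; IPv4 src/dst sit at offsets 12 and 16 of the IP header.
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            skipped += 1   # ARP, IPv6, VLAN-tagged or truncated frames are not decoded here
            continue
        pairs.append((str(ipaddress.IPv4Address(pkt[26:30])),
                      str(ipaddress.IPv4Address(pkt[30:34]))))
    return pairs, skipped

def missing_networks(pairs, known_networks):
    """Endpoint IPs no known network (CIDR strings) covers; their records would be dropped."""
    nets = [ipaddress.ip_network(n) for n in known_networks]
    missing = {ip for pair in pairs for ip in pair
               if not any(ipaddress.ip_address(ip) in n for n in nets)}
    return sorted(missing, key=ipaddress.ip_address)

# Constructed sample capture (not a real trace): three IPv4 packets and one ARP frame.
def _frame(src, dst):
    ip_hdr = (b"\x45\x00\x00\x14" + b"\x00\x00\x00\x00\x40\x06\x00\x00"
              + ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed)
    frame = b"\x00" * 12 + b"\x08\x00" + ip_hdr
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

SAMPLE_PCAP = (b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
               + _frame("10.0.0.5", "192.168.1.9") + _frame("192.168.1.9", "10.0.0.5")
               + _frame("10.0.0.5", "172.16.0.2")
               + struct.pack("<IIII", 0, 0, 14, 14) + b"\x00" * 12 + b"\x08\x06")
KNOWN_NETWORKS = ["10.0.0.0/24", "192.168.1.0/24"]   # assumed to already exist in Antfarm

if __name__ == "__main__":
    pairs, skipped = pcap_endpoints(SAMPLE_PCAP)
    print(f"{len(pairs)} IPv4 records, {skipped} frames skipped")
    for ip in missing_networks(pairs, KNOWN_NETWORKS):
        print("no network entry covers", ip, "- add it or use --create-new-networks")
```

Comparing the number of IPv4 records reported here with the number of traffic entries Antfarm actually stores tells you whether records were silently dropped.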

You can view the output in Antfarm by running the following commands:

4. For the traffic view: $ antfarm -e  viz display-traffic

5. For the network view: $ antfarm -e  viz display-networks

When displaying the traffic flow from a larger PCAP file, the visual becomes harder to read on the screen. Luckily there is an option that will help minimize this. The "collapse-ports" option allows you to only include one node for each port number discovered in the PCAP file.

6. $ antfarm -e  viz display-traffic --collapse-ports

In the latest version of Antfarm, the display produced by the command above is static. If you wish to see an animated version of the display, use the following command (using display-networks as an example):

7. $ antfarm viz display-networks --active

Sometimes the PCAP files that are produced are much too large. Use the following editcap command to cut the PCAP file down to a more reasonable size by keeping only a range of packet numbers:

8. $ editcap -r  

Example: $ editcap -r Old_PCAP_File New_PCAP_File 5001-7200

This example takes only packet numbers 5001-7200 from the old PCAP file and puts them in the new PCAP file.

Sample PCAP script