PCAP

Security Onion Console (SOC) gives you access to our PCAP interface. This interface allows you to access your full packet capture that was recorded by Stenographer.

In most cases, you’ll pivot to PCAP from a particular event in Alerts, Dashboards, or Hunt by choosing the PCAP action on the action menu.

_images/soc-events-table.png

Alternatively, you can go directly to the PCAP interface and then put in your search criteria to search for a particular stream.

_images/pcap-add-job.png

Security Onion will then locate the stream and render a high level overview of the packets.

_images/pcap.png

If there are many packets in the stream, you can use the LOAD MORE button, Rows per page setting, and arrows to navigate through the list of packets.

You can drill into individual rows to see the actual payload data. There are buttons at the top of the table that control what data is displayed in the individual rows. By disabling Show all packet data and HEX, we can get an ASCII transcript.

_images/pcap-transcript.png

You can select text with your mouse and then use the context menu to send that selected text to CyberChef, Google, or other destinations defined in the actions list.

_images/pcap-select-pivot.png

You can send all of the visible packet data to CyberChef by clicking the CyberChef icon on the right side of the table header. Please note that this only sends packet data that is currently being displayed, so if you are looking at a large stream you may need to use the LOAD MORE button to display all packets in the stream.

_images/pcap-cyberchef.png

Finally, you can download the full pcap file by clicking the download button on the far right side of the table header. If you are using an Analyst VM, then the pcap will automatically open in NetworkMiner. Alternatively, you could open the pcap in Wireshark.

_images/pcap-download.png

Once you’ve viewed one or more PCAPs, you will see them listed on the main PCAP page.

_images/pcap-jobs.png

When you are done with a PCAP, you may want to delete it using the X button on the far right. This deletes the cached PCAP file saved at /nsm/soc/jobs/.