PCAPΒΆ

Security Onion Console (SOC) gives you access to our new PCAP interface. This interface allows you to access your full packet capture that was recorded by Stenographer.

You can pivot to PCAP from Alerts, Hunt, and Kibana. Alternatively, you can go directly to the PCAP interface and then put in your search criteria to search for a particular stream.

_images/pcap-add-job.png

Security Onion will then locate the stream and render a high level overview of the packets.

_images/pcap.png

If there are many packets in the stream, you can use the LOAD MORE button, Rows per page setting, and arrows to navigate through the list of packets.

You can drill into individual rows to see the actual payload data. There are buttons at the top of the table that control what data is displayed in the individual rows. By disabling Show all packet data and HEX, we can get an ASCII transcript.

_images/pcap-transcript.png

Starting in Security Onion 2.3.60, you can select text with your mouse and then use the context menu to send that selected text to CyberChef, Google, or other destinations defined in the actions list.

_images/pcap-select-pivot.png

Starting in Security Onion 2.3.70, you can send all of the visible packet data to CyberChef by clicking the CyberChef icon on the right side of the table header. Please note that this only sends packet data that is currently being displayed, so if you are looking at a large stream you may need to use the LOAD MORE button to display all packets in the stream.

_images/pcap-cyberchef.png

Finally, you can download the full pcap file by clicking the download button on the far right side of the table header. If you are using an Analyst VM, then the pcap will automatically open in NetworkMiner. Alternatively, you could open the pcap in Wireshark.

_images/pcap-download.png