
Getting started with PCAP upload

The AQG Network Analyzer can process packet capture (PCAP) files to detect cryptographic objects within network captures.

Tip

The AQG Network Analyzer also includes the yanadump tool that can be deployed as a standalone and portable Linux binary to prepare live network traffic for analysis. Refer to Getting started with live network traffic monitoring for details.

Create a PCAP file

You can use your preferred network sniffer to produce a PCAP file. For instance, to create a PCAP file using tcpdump, run:

tcpdump -w file.cap

This tutorial provides more information on using tcpdump.

Captures must contain non-truncated packets for network handshakes to be detected and parsed correctly. If a PCAP file contains truncated packets, the Network Analyzer will miss handshakes, resulting in incomplete analysis. This truncation can occur when capturing traffic on virtual interfaces such as Docker or localhost on Linux or macOS.

To avoid this limitation, make sure that the snapshot length is set to the maximum size of 262144 bytes during capture. For example, you can use the following command with tcpdump:

tcpdump -i <interface> -s 262144 -w capture.pcap
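Before uploading, it is worth confirming that a capture actually meets the two requirements above (full snapshot length, no truncated packets) and the 4 GB upload limit stated at the end of this page. The following checker is an added example, not part of the AQG documentation or of yanadump: it reads the classic pcap global header and each per-packet record header directly, so it needs no third-party library, and it counts records whose captured length is shorter than the original length (the truncation that causes missed handshakes). The build_sample_pcap helper, the reported field names and the sample captures are constructed for this example; pcapng files are flagged rather than parsed.

```python
import mmap
import struct

MAX_SNAPLEN = 262144               # maximum snapshot length recommended above
MAX_UPLOAD_BYTES = 4 * 1024 ** 3   # 4 GB upload limit stated in the Note on this page

# Classic pcap magic numbers (first four bytes) -> (struct byte order, timestamp resolution)
_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "microseconds"),
    b"\xa1\xb2\xc3\xd4": (">", "microseconds"),
    b"\x4d\x3c\xb2\xa1": ("<", "nanoseconds"),
    b"\xa1\xb2\x3c\x4d": (">", "nanoseconds"),
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # Section Header Block of the pcapng format


def check_pcap(data) -> dict:
    """Inspect a classic pcap (bytes or mmap) and report what matters for upload."""
    if len(data) < 24:
        raise ValueError("file is shorter than a pcap global header")
    magic = bytes(data[:4])
    if magic == PCAPNG_MAGIC:
        raise ValueError("pcapng format: this checker only understands classic pcap")
    if magic not in _MAGICS:
        raise ValueError(f"not a pcap file (magic {magic.hex()})")
    endian, resolution = _MAGICS[magic]

    # Global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    _, major, minor, _tz, _sig, snaplen, linktype = struct.unpack_from(endian + "IHHiIII", data, 0)

    # Record header: ts_sec, ts_frac, incl_len (bytes saved), orig_len (bytes on the wire)
    record_hdr = struct.Struct(endian + "IIII")
    packets = truncated = 0
    offset = 24
    while offset + record_hdr.size <= len(data):
        _ts, _frac, incl_len, orig_len = record_hdr.unpack_from(data, offset)
        offset += record_hdr.size
        if offset + incl_len > len(data):
            raise ValueError(f"packet {packets} runs past end of file (corrupt or cut-short capture)")
        packets += 1
        if incl_len < orig_len:          # the sniffer saved fewer bytes than were on the wire
            truncated += 1
        offset += incl_len

    return {
        "version": f"{major}.{minor}",
        "timestamp_resolution": resolution,
        "linktype": linktype,
        "snaplen": snaplen,
        "snaplen_ok": snaplen >= MAX_SNAPLEN,
        "packets": packets,
        "truncated": truncated,
        "size_ok": len(data) <= MAX_UPLOAD_BYTES,
    }


def check_pcap_file(path: str) -> dict:
    """Memory-map the file so multi-gigabyte captures are not read into RAM at once."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return check_pcap(mm)


def build_sample_pcap(snaplen: int, packets, endian: str = "<") -> bytes:
    """Construct a minimal classic pcap in memory (constructed test data, not a real capture).

    `packets` is a list of (orig_len, incl_len) pairs; payloads are zero bytes.
    """
    magic = b"\xd4\xc3\xb2\xa1" if endian == "<" else b"\xa1\xb2\xc3\xd4"
    out = magic + struct.pack(endian + "HHiIII", 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    for i, (orig_len, incl_len) in enumerate(packets):
        out += struct.pack(endian + "IIII", 1700000000 + i, 0, incl_len, orig_len)
        out += b"\x00" * incl_len
    return out


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        r = check_pcap_file(path)
        verdict = "OK" if (r["truncated"] == 0 and r["snaplen_ok"] and r["size_ok"]) else "FIX BEFORE UPLOAD"
        print(f"{path}: {r['packets']} packets, {r['truncated']} truncated, "
              f"snaplen={r['snaplen']}, size_ok={r['size_ok']} -> {verdict}")
```

Run it as `python check_pcap.py capture.pcap`; any non-zero `truncated` count or a snaplen below 262144 means the capture should be redone with the `-s 262144` option shown above before it is uploaded.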

The AQG Network Analyzer can also process packet capture data through integrations with popular network security and monitoring platforms.

Upload a PCAP file

There are two ways to upload a PCAP file to AQtive Guard: through the command line or through the UI.

Upload a PCAP through the command line

To upload a PCAP file to AQtive Guard through the command line:

  1. Select Settings from the main menu on the left.
  2. In the Create Uploader Token tile, select Create.
  3. Copy the following values to a secure place:
    • client-id
    • client-secret
  4. Use the code below to push a PCAP file to AQtive Guard.
$ path/to/yanadump -f path/to/file.pcap \
  --api-url=https://your-domain.aqtiveguard.sandboxaq.com \
  --client-id=aqg-client-token-00000000-0000-0000-0000-000000000000-00000000000000 \
  --client-secret=00000000000000000000000000000000

In the above command:

  • api-url is the base URL of your AQtive Guard instance (required). For example, https://your-domain.aqtiveguard.sandboxaq.com.
  • client-id is the client ID value you copied from step 3 (required).
  • client-secret is the client secret value you copied from step 3 (required).

Upload a PCAP through the UI

To upload a PCAP file to AQtive Guard through the UI:

  1. Navigate to Data sources from the main menu, then select Upload in the AQG Network Analyzer tile.
  2. To upload the PCAP, either:
    • Click in the target area and select the file from your local system.
    • Drag and drop the file into the target upload area.

The data will begin uploading automatically.

Note

The maximum file size that can be uploaded is 4 GB.