Getting started with PCAP upload
The AQG Network Analyzer can process packet capture (PCAP) files to detect cryptographic objects within network captures.
Tip
The AQG Network Analyzer also includes the yanadump tool that can be deployed as a standalone and portable Linux binary to prepare live network traffic for analysis. Refer to Getting started with live network traffic monitoring for details.
Create a PCAP file
You can use your preferred network sniffer to produce a PCAP file. For instance, to create a PCAP file using tcpdump, run:
This tutorial provides more information on using tcpdump.
Captures must contain non-truncated packets for network handshakes to be detected and parsed correctly. If a PCAP file contains truncated packets, the Network Analyzer will miss handshakes, resulting in incomplete analysis. Truncation can occur when capturing traffic on virtual interfaces such as Docker or localhost on Linux or macOS.
To avoid this limitation, make sure that the snapshot length is set to the maximum size of 262144 bytes during capture. For example, you can use the following command with tcpdump:
The AQG Network Analyzer can also process packet capture data through integrations with popular network security and monitoring platforms.
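To check an existing capture for the truncation described above before uploading it, the following added example (not part of the AQtive Guard documentation or tooling) parses the classic pcap format and counts packets whose captured length is shorter than their length on the wire. The function names and the sample capture are constructed for illustration, and pcapng files are not handled.

```python
import struct

MAGICS = {0xA1B2C3D4, 0xA1B23C4D}  # classic pcap: microsecond / nanosecond timestamps

def check_pcap(data: bytes) -> dict:
    """Return the snapshot length, packet count and truncated-packet count of a classic pcap."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    for endian in ("<", ">"):  # the magic number tells us the writer's byte order
        if struct.unpack(endian + "I", data[:4])[0] in MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    snaplen = struct.unpack(endian + "I", data[16:20])[0]
    packets = truncated = 0
    offset = 24
    while offset + 16 <= len(data):
        # Record header: ts_sec, ts_frac, captured length, original length on the wire
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        packets += 1
        # Truncated by the snapshot length, or the file itself ends mid-record
        if incl_len < orig_len or offset + 16 + incl_len > len(data):
            truncated += 1
        offset += 16 + incl_len
    return {"snaplen": snaplen, "packets": packets, "truncated": truncated}

def build_sample(snaplen: int, wire_lengths: list) -> bytes:
    """Constructed test input: a little-endian pcap whose packets are zero-filled."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, orig in enumerate(wire_lengths):
        incl = min(orig, snaplen)  # what a sniffer with this snapshot length would keep
        out += struct.pack("<IIII", i, 0, incl, orig) + bytes(incl)
    return out

if __name__ == "__main__":
    sample = build_sample(96, [60, 1500, 90])  # constructed capture with a 96-byte snaplen
    print(check_pcap(sample))
```

A non-zero truncated count means the capture should be retaken with a larger snapshot length, for example with tcpdump's -s option set to 262144.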
Upload a PCAP file
There are two ways to upload a PCAP file to AQtive Guard: through the command line or through the UI.
Upload a PCAP through the command line
To upload a PCAP file to AQtive Guard through the command line:
$ export AQG_API_TOKEN='xxxxx'
$ path/to/yanadump -f path/to/file.pcap \
--api-url=https://your-domain.aqtiveguard.sandboxaq.com \
- xxxxx is the API token generated from the “API tokens” settings page of the AQtive Guard web UI.
- https://API.AQG.DOMAIN/ is the base URL of the AQtive Guard instance.
The API token can also be passed through the --api-token argument; however, this should be considered insecure because the token ends up in ps output.
Upload a PCAP through the UI
To upload a PCAP file to AQtive Guard through the UI:
- Navigate to Data sources from the main menu, then select Upload in the AQG Network Analyzer tile.
- To upload the PCAP, either:
  - Click in the target area and select the file from your local system.
  - Drag and drop the file into the target upload area.
The data will begin uploading automatically.
Note
The maximum file size that can be uploaded is 4 GB.