CapAnalysis

CapAnalysis is a freeware toolset that performs a variety of tasks, similar to Xplico. CapAnalysis allows incident response analysts to review large packet capture files and parse out TCP, UDP, and ESP streams. Analysts also have the ability to filter out IP addresses, ports, protocols, as well as tie data flows to specific geographical areas.

CapAnalysis can be downloaded from the site http://www.capanalysis.net/ca/#download. The download package contains an installer. Simply click on the Install button and the package will install.

Once installed, navigate to http://localhost:9877. From here, analysts can configure a password for access. After configuring a password, CapAnalysis opens into the following home page:

  1. Click on New to begin the process of analyzing a packet capture. This opens the following:
  2. Enter the case number as the name in the Name field. Again, as with previous examples, the case name 2017 001 Suspected Ransomware will be used (CapAnalysis only allows alphanumeric characters, so the hyphens must be removed from the case name). Once the name has been entered, click Submit.
  3. Once the new dataset has been added, click on the Data Sets tab, which opens the following page:
  4. Click on Files to add the packet capture to the dataset. The next window allows the analyst to either import a packet capture from a URL, conduct a packet capture, or analyze an existing packet capture. Drag and drop the existing packet capture to the appropriate location, or click the Click Here button to navigate to the appropriate folder. Once the files are loaded, the following will appear:
  5. Click the DATASETS tab and the datasets window will show the file that was uploaded:
  6. Double-click on the name 2017 001 Suspected Ransomware and the following window appears:

The tabs at the top of the window allow the analyst to drill down to specific information. There are several features that make CapAnalysis a good tool for analyzing packet captures. The Overview tab gives analysts a sense of the protocols, the data flows, and the geographical regions that data is flowing to and from. For example, analyzing the packet capture from the beginning of this chapter, the analyst would see that a good deal of HTTP traffic is flowing back and forth from the Russian Federation, as well as from a number of other countries outside the United States.

If the organization based in the United States does not have a significant presence outside that geographical region, the analyst could use this as an indication that the packet capture contains evidence related to a potential compromise. Moving forward, the analyst may want to look at data that relates only to the Russian Federation. To do this, navigate to the right side and click on the globe icon. This allows the analyst to select which geographical areas to focus on:

From here, select only the Russian Federation and then click Apply. This option then limits the data visible to only data that is moving back and forth between the host and IP addresses associated with the Russian Federation:
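The triage CapAnalysis performs in the Overview tab and the globe filter (bytes per protocol, bytes per country, and the flows left after restricting to one region) can be reproduced with a small script when the tool is not available or when the logic needs to be scripted over many captures. The following is an added example written for this chapter, not code from CapAnalysis or Xplico. It builds a small classic-pcap capture in memory from constructed packets, parses it, and summarizes IPv4 TCP/UDP flows; the country table stands in for a GeoIP database and every address (RFC 5737 documentation ranges), port and country mapping in it is constructed. ESP and non-IPv4 frames are skipped here, whereas CapAnalysis also parses ESP streams.

```python
"""Flow-level pcap triage modelled on CapAnalysis' Overview tab and geographic
filter.  Added example; all IPs, packets and the GEO table are constructed."""
import ipaddress
import socket
import struct
from collections import Counter, defaultdict

# Constructed stand-in for a GeoIP database (real tooling would query MaxMind or similar).
GEO = {
    "203.0.113.9": "Russian Federation",
    "203.0.113.77": "Russian Federation",
    "198.51.100.7": "United States",
}
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")  # constructed monitored network

# --- minimal frame/pcap builders, used only to create the sample capture -------
def _ethernet(payload):
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + payload  # dst MAC, src MAC, IPv4

def _ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload  # checksum left zero; the parser does not verify it

def tcp_frame(src, sport, dst, dport, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return _ethernet(_ipv4(src, dst, 6, tcp + payload))

def udp_frame(src, sport, dst, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return _ethernet(_ipv4(src, dst, 17, udp + payload))

def build_pcap(frames):
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # global header
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

SAMPLE_PCAP = build_pcap([  # constructed traffic: HTTP out/in, one DNS query, one TLS hello
    tcp_frame("192.0.2.10", 49152, "203.0.113.9", 80, b"GET /a.php HTTP/1.1\r\nHost: x\r\n\r\n"),
    tcp_frame("203.0.113.9", 80, "192.0.2.10", 49152, b"HTTP/1.1 200 OK\r\n\r\n" + b"A" * 200),
    udp_frame("192.0.2.10", 53001, "198.51.100.7", 53, b"\x00" * 40),
    tcp_frame("192.0.2.10", 49200, "203.0.113.77", 443, b"\x16\x03\x01" + b"B" * 100),
])

# --- parser -------------------------------------------------------------------
def pcap_frames(data):
    """Yield raw Ethernet frames from a classic (not pcapng) pcap byte string."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:   # file written big-endian
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(end + "I", data, 20)[0] != 1:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def decode(frame):
    """Return (proto, src, sport, dst, dport, payload_len) for IPv4 TCP/UDP, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = 14 + ihl
    if proto == 6:
        name, hdr_len = "TCP", (frame[l4 + 12] >> 4) * 4
    elif proto == 17:
        name, hdr_len = "UDP", 8
    else:
        return None  # ESP (50) and other protocols are not decoded in this example
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return name, src, sport, dst, dport, total_len - ihl - hdr_len

def summarize(pcap_bytes, geo=GEO, internal=INTERNAL_NET):
    """Payload bytes per protocol, per remote country and per bidirectional flow."""
    by_proto, by_country, flows = Counter(), Counter(), defaultdict(int)
    for frame in pcap_frames(pcap_bytes):
        d = decode(frame)
        if d is None:
            continue
        proto, src, sport, dst, dport, n = d
        remote = dst if ipaddress.ip_address(src) in internal else src
        a, b = (src, sport), (dst, dport)
        key = (proto,) + (a + b if a <= b else b + a)  # same key for both directions
        flows[key] += n
        by_proto[proto] += n
        by_country[geo.get(remote, "Unknown")] += n
    return {"by_proto": by_proto, "by_country": by_country, "flows": dict(flows)}

def flows_for_country(summary, country, geo=GEO):
    """The globe filter: keep only flows with an endpoint mapped to `country`."""
    return {k: v for k, v in summary["flows"].items()
            if country in (geo.get(k[1]), geo.get(k[3]))}

if __name__ == "__main__":
    s = summarize(SAMPLE_PCAP)
    print("bytes by protocol:", dict(s["by_proto"]))
    print("bytes by country: ", dict(s["by_country"]))
    for flow, n in flows_for_country(s, "Russian Federation").items():
        print("RU flow:", flow, n, "bytes")
```

The flow key is direction-independent, so request and response bytes of one HTTP exchange land in the same entry, which is what the analyst wants when judging how much data moved to a region rather than how many packets went each way. The remote-country attribution depends on knowing which side is the monitored network; an address outside the configured internal range is treated as the remote endpoint and looked up in the country table.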

From here, the analyst can then determine whether any of these IP addresses are associated with known botnet controllers or other malicious sites. For example, if an analyst searched the site virustotal.com for the IP address 91.239.24.50, the results indicate that the IP address is associated with a number of malicious files:

Tools such as Xplico and CapAnalysis allow the incident response analyst to gain insight into the wealth of data contained within a packet capture in a more user-friendly way. The way that the data is presented in these solutions further allows the analyst to triage potential incidents by quickly reviewing the data and determining whether there is in fact a potential incident that requires more detailed investigation.
