Overview

What is pcapr?
Packets are fundamental to how applications and systems communicate with each other and as far as we can tell, there's no simple way for people to access specific packet sequences to learn, understand, troubleshoot and/or debug these systems. pcapr exists as a repository of these packets, providing full-text search, automatic tagging, viewing and editing of these packets.
Where can I find more information on pcaps?
Wikipedia, Tcpdump and Wireshark all have lots of information about pcaps.
Is there a mailing list for pcapr?
Yes, there is a forum to discuss about features, capabilities, enhancement and bugs.

Uploading

How can I upload pcaps?
From the upload page, if you are logged in. You can either choose to upload a file from your desktop or just point us to a URL that leads to a pcap (no gzip, tar balls, etc). The restrictions below apply even when you are uploading through URL's. The filename of the pcap is automatically extracted either from the URL path or the Content-Disposition header in the response.
Are there restrictions on the pcaps I can upload?
Yes. For one, you are limited to 4048 KB or 500 packets in each pcap you upload. In addition, you have to ensure that the packets are captured in full. If you are using tcpdump to capture packets, you need to invoke it with the -s 0 option which captures all packets in entirety.
I can't seem to upload my pcap. What's wrong?
Here are some reasons as to why your upload might be failing. Please make sure that:
  • The filename doesn't contain funny shell meta characters
  • The file is really a pcap
  • The #packets and the file size are within limits (see above)
  • The packets are captured in full (see above)
Can I save my uploads as drafts?
Absolutely. After you are logged in, use drafts. You get to keep up to five pcaps private to your account. You can use all of the packet editing capabilities of pcapr on these pcaps, but they won't show up in searches or be visible to other users. You can also choose to publish these pcaps after you've seen the contents and potentially done some edits on it.
Is there an API to upload pcaps?
Yup, there's a REST API to upload pcaps using command line tools like cURL. Here's the syntax for uploading a pcap:

curl --basic -u email:password -F file=@foo.pcap -F description="..." -F tags="..." http://www.pcapr.net/api/upload

The description and tags are optional and all other constraints about the number of packets, the size of the file, etc all apply to the upload API. The return value, if the upload is successful, is a JSON that looks like this:

{ okay: true, id: "unique-id-of-the-pcap" }
What about downloads?

Similar to the upload, you can use the unique ID of the pcap to download pcaps from pcapr. Here's the syntax using cURL.

curl --basic -u email:password http://www.pcapr.net/api/download?id=id

Searching

How long does it take to index a pcap?
Once the upload is complete, it usually takes under a minute before you can view, edit your pcaps. As part of the indexing, the pcap also becomes searchable and is automatically tagged with the protocols we found in the various packets.
How do I find a pcap for a particular protocol?
You can use the tag cloud to find it or you can simply search using the name of the protocol.
Can I find pcaps by a particular author?
Yes. You can use the by:name as your search criteria. For example, try this search to find all pcaps uploaded by Mu.

Tagging

What kind of tags does pcapr support?
There are two: protocol tags are automatically generated from the contents of the pcap that you have uploaded; however, you can define your own tags that identifies something about the pcap over and beyond the packets. For example you can tag packets as exploit, vulnerability, a vendor or a specific scenario (like a router or firewall, etc). These user-defined tags are simple space separated keywords.
Which pcaps can I tag?
Only the ones you uploaded, of course.
Are there restrictions on the tags?
You can add upto 8 tags for each pcap.
Where can I add/edit/delete tags?
In the About page of each pcap, if you are logged in.

Editing

What kind of editing can I do on a pcap?
You can reorder pcaps and either download them or save them back to the repository. Reordering is done by simply dragging the handles next to each packet entry. You can also filter packets to select specific conversations or filter out packets that are not relevant.
Can you fragment IP packets?
If an IP packet has more than 64 bytes of payload, then you will see a Fragment action after you expand to see the details of the packet. You can generate fragments in order, in reverse and in random. In addition you can either use IPv4 or IPv6 to generate the fragments. If the layer4 happens to be UDP or TCP, then the checksum is recalculated before fragmentation using the new IP addresses.
Can you fixup checksums and rewrite IP addresses?
We currently support this for TCP streams (when the TCP traffic is not encapsulated in other protocols). If a packet's stream is extractable, then you will see a Stream action after you expand to see the details of the packet. Once the stream has been extracted, you can rewrite the contents of the packet in various ways, including changing the MSS of the packets (minimum of 64-bytes). In addition, you can pick IPv4 or IPv6 as the layer3 transport for rewriting the stream.

Mu DoS

What is Mu DoS?
mudos provides a small subset of the functionality from the Mu Test Suite Denial of Service module. It's a standalone (statically linked) Linux executable used to generate controlled, stateless D/DoS traffic against both hosts and networks. The packet definition, payload randomization and traffic patterns are all controlled by a JSON configuration file. If you are a registered pcapr user, then you can click on any packet of any pcap and you should be able to transform the packet into a mudos configuration with a few simple clicks.

mudos-0.2-linux.bin.gz (1274 downloads)
SHA1: a0ed6df1820e2012de7ba2bc0b17f5fb61db05cf

We do have a schema for mudos which is a pseudo JSON file indicating possible options. The best way to try it out is to generate a sample using pcapr. Here are some mudos examples:

Why are you releasing this?
Generating D/DoS traffic for arbitrary protocols is mostly about writing repeated pieces of code to send packets in a while loop. In general though, there is really no simple way to go from a pcap to a D/DoS generator. We saw a need to have a simple tool where all aspects of the D/DoS are controlled by a configuration file so that creating D/DoS for arbitrary protocols becomes just a matter of editing the file.
What are the terms of use?
This software is for use solely in a lab environment for internal development and testing purposes to generate DoS and DDoS traffic. Any other use of this software is strictly prohibited. Prohibited uses include (but not limited to) using the software in or against a production system or using it against any third party's network or other targets without that party's express, informed authorization.

You may not reverse engineer or modify this software in any way, nor may you distribute or transfer it to any unauthorized user. Any vulnerabilities discovered, reproduced, or confirmed through the use of this software may only be disclosed in accordance with industry accepted vulnerability disclosure practices.

By using this software you agree to the terms above, and you promise to indemnify and hold harmless Mu Dynamics fully against any claims, liabilities, costs, expenses, and other harm arising from your unauthorized use of this software or any other violation of the terms above. This software is provided AS IS, and you assume all risks associated with its use.
What kinds of packets can mudos generate?
mudos breaks up DoS into three parts: protocol, payload and pattern. Protocol can be one of Layer2, IPv4, IPv6, TCP (over IPv4 or IPv6) and UDP (over IPv4 or IPv6). Payload is a chunk of opaque bytes carried by these underlying protocols. Finally the pattern specifies the rates and durations of these packets being sent out.
What are update regions?
Regions are fixed length portions of the payload that can either be a reference to a transport address or randomized. For example, if the payload contains a reference to the source IP address (like in SIP) and is marked as a reference region, then for each packet generated, the region is updated with the randomly generated source IP address. This allows the generated packet to be correct from the perspective of the target.
How do I run mudos?
In the simplest form, assuming all aspects of the protocol, packet and pattern are in the configuration file, here's how you run it:

mudos -i eth0 -f dos.json
Can I view the DoS packets before I generate traffic?
Absolutely. We find this very convenient from a diagnostic perspective to verify that the packets are indeed being randomized and sent properly.

mudos -i eth0 -f dos.json -p foo.pcap

This will generate foo.pcap with a total of 11 packets. The first one contains a normal packet with no randomization in effect. The subsequent ones contain packets where all the update regions are computed. If you are using Wireshark or pcapr, you can quickly spot the portions of the packet that are changing.

What's the maximum packet rate that mudos can generate?
mudos can generate packets upto a rate of 25000 packets per second. With payload randomization, we find that this is more than sufficient to cause severe performance degradations on targets.
How do I generate a SYN flood with mudos?
Search pcapr for "TCP AND SYN", pick any matching pcap, click on the packet and off you go!
Where do I report bugs?
Use the forum.