xtractr is a hybrid cloud application for indexing, searching,
reporting, extracting and collaborating on pcaps. This enables you to rapidly identify
field issues and perform network forensics and troubleshooting with just a
few clicks. This lite version of xtractr can index up to
10 million packets or 1 Gbyte of pcaps.
While xtractr can be used as a standalone application, it works best
with Mu Studio
to convert the problematic conversation into a stateful test case.
Blog: Network Forensics in IRB: xtractr Ruby Gem
While we could list out all the cool things you could do with xtractr,
we figured you can just try it out and see for yourself. xtractr is
built for the cloud and is fully RESTful so you can use your browser to analyze
the packets.
We indexed Forensics Challenge #4 (VoIP) from honeynet.org
using xtractr. Can you answer the forensics questions?
Download xtractr (a Linux executable), untar it
and install it somewhere like /usr/local/bin/. Make sure that directory is in your PATH.
Index
xtractr can index a single pcap or a collection of them in one go.
It uses tshark to extract information about each packet, and adds flow
classification on top to group the packets into logical conversations. So the only
hard requirement is that Wireshark
is installed on the host you plan to run xtractr on. Assuming you have
a directory foo with a bunch of pcaps, you can index them like so:
xtractr index ./foo --mode forensics ./foo/1.pcap ./foo/2.pcap ./foo/3.pcap
Make sure you have enough disk space! xtractr trades
disk space for faster search, extract and report. In forensics mode, the index
will typically be much larger than the pcaps themselves.
Gotcha
The stored timestamps are relative to the first packet in the first pcap,
so make sure you index logical collections of pcaps. If you have two
sets of pcaps (from different times or different networks), build two
separate indexes instead of grouping them all into one.
Explore
Tired of remembering command-line kung-fu? xtractr helps you get to the packet
or content you care about with contextual queries and instant reports. Fully
visual and interactive, xtractr harnesses the power of the browser to unravel
information tucked away in your packet captures.
Once you have indexed a set of pcaps, simply start xtractr in
browse mode and point it to the index:
xtractr browse ./foo
xtractr has an embedded web server that by default binds to http://localhost:8080.
You can change this with the --host and --port options.
Now point your favorite browser to http://localhost:8080 and voilà.
Compatibility
xtractr is known to work with most modern Linux distros. Supported
browsers include Chrome, Firefox and Safari. IE 7/8 kinda/sorta works, but we are
actively looking into supporting it properly. If you want us to support
your favorite browser, contact us either using the Feedback form on the right or
the pcapr forum.
Nuggets are community contributed queries and reports to help you
find what you are looking for without having to learn the query language.
The queries, stored and tagged on pcapr, are applied against your
xtractr index. Your data stays with you.
Nope! We understand the sensitivity of your pcaps and
so both the pcaps as well as the xtractr index stays
local to you on your network. You only access the application through
the cloud. The analytics, searching, reporting and content slicing
all happen between your browser and your xtractr
instance.
Are all my search queries stored on the cloud?
Nope! Only those that you explicitly contribute are
stored on pcapr. We are still working on the community aspect of this,
which is currently in trial for a few users. All other searches happen
between the browser and your xtractr index.
Where are my labels stored?
As part of your xtractr index.
Can more than one person be looking at the index?
Absolutely. Since xtractr has a built-in web server,
you can have your team collaborate on it, label interesting flows, search,
extract and report concurrently.
Can I look at more than one index at a time?
With the lite version, you can run multiple instances of xtractr
on different ports and open up tabs in your browser to look at the different
sets of packets.
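Putting the Index, Gotcha and Explore sections together: the script below is an added example (not part of xtractr or pcapr) that builds one forensics index per subdirectory of a capture root, so captures from different times or networks never share an index, and prints a browse command for each index on its own port so several can be open side by side. It assumes the subdirectory-per-collection layout is something you construct, that --host and --port take a separate value, and that setting XTRACTR_DRY_RUN=1 only prints the commands.

```shell
#!/bin/sh
# Added example, not xtractr's own code. One index per collection directory;
# each index gets its own browse port. Set XTRACTR_DRY_RUN=1 to print only.
set -eu

# The page names two prerequisites: xtractr on PATH and tshark (from Wireshark).
check_prereqs() {
    for tool in xtractr tshark; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing: $tool" >&2; return 1; }
    done
}

# Build the index command for one collection directory (every *.pcap in it).
index_cmd() {
    dir=$1
    set -- "$dir"/*.pcap
    [ -e "$1" ] || { echo "no pcaps in $dir" >&2; return 1; }
    printf 'xtractr index %s --mode forensics' "$dir"
    for p in "$@"; do printf ' %s' "$p"; done
    printf '\n'
}

# Browse command for the Nth collection: 8080 for the first, 8081 for the next...
# (option syntax "--port N" is an assumption; the page only names the options)
browse_cmd() {
    dir=$1; n=$2
    printf 'xtractr browse %s --host localhost --port %d\n' "$dir" $((8080 + n))
}

# Index each subdirectory of the capture root separately (the Gotcha above),
# then show how to browse each resulting index on a distinct port.
index_collections() {
    root=$1; n=0
    for dir in "$root"/*/; do
        dir=${dir%/}
        cmd=$(index_cmd "$dir") || continue   # skip dirs without pcaps
        if [ "${XTRACTR_DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            check_prereqs
            $cmd
        fi
        browse_cmd "$dir" "$n"
        n=$((n + 1))
    done
}
```

Run it as `XTRACTR_DRY_RUN=1 sh index_all.sh /captures` first to review the commands, then without the variable to build the indexes.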