Network Analyzer
The SandboxAQ Network Analyzer processes packet capture (PCAP) files to detect cryptographic objects within network captures.
Download
To download the Network Analyzer:
- Log in to AQtive Guard as an administrator.
- Select Settings from the menu bar, then select Sensors.
- Select Download under the Network Analyzer tile.
Create a PCAP file
You can use your preferred network sniffer to produce a PCAP file. For instance, to create a PCAP file using tcpdump, run:
This tutorial provides more information on using tcpdump.
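As an added example (not part of the SandboxAQ documentation), the following POSIX shell script captures a bounded number of packets with tcpdump and then checks the file's magic number, so that a truncated or non-PCAP file is noticed before it is uploaded to AQtive Guard. The function names capture_pcap and pcap_format, and the interface, output path and packet count arguments, are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the SandboxAQ docs: produce a PCAP file with tcpdump
# and verify its header before handing it to the Network Analyzer.

# Capture $3 packets (default 1000) on interface $1 into file $2.
# -s 0 keeps full packets so handshake messages are not truncated;
# -w writes the classic pcap format, which pcap_format below recognises.
capture_pcap() {
  iface=$1; out=$2; count=${3:-1000}
  tcpdump -i "$iface" -s 0 -c "$count" -w "$out"
}

# Print "pcap", "pcapng" or "unknown" from the first four bytes of file $1.
# Both byte orders and the nanosecond-resolution pcap variants are accepted.
pcap_format() {
  magic=$(od -An -t x1 -N 4 "$1" | tr -d ' \n')
  case "$magic" in
    d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) echo pcap ;;
    0a0d0d0a) echo pcapng ;;
    *) echo unknown ;;
  esac
}

# Usage (needs packet-capture privileges for tcpdump):
#   capture_pcap eth0 /tmp/handshakes.pcap 5000 && pcap_format /tmp/handshakes.pcap
```

Checking the magic number is cheap and catches the common failure where tcpdump was interrupted before writing anything, or where a compressed or text file was uploaded by mistake.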
The Network Analyzer can also process packet capture data through integrations with popular network security and monitoring platforms. For available options, refer to Integrations & plugins.
Yanadump
The yanadump tool processes network packets and extracts handshake-related information.
Use
The yanadump --help command displays all the options the tool supports. Some use cases are described in the following sections.
PCAP files
To dump handshake information from a PCAP file, run:
This outputs a trace file that contains all handshake-related information. There is one line per detected handshake.
Live capture (Linux)
To dump handshake information from a live interface, run:
The yanadump binary requires both the CAP_NET_ADMIN and CAP_NET_RAW Linux capabilities to capture packets. This can be achieved by doing one of the following:
- Run the yanadump tool as root (not recommended)
- Add the following capabilities to the yanadump binary:
Tip
To save bandwidth and shorten the upload time, use gzip to compress the trace file before uploading:
gzip /path/to/trace.cst
Stopping a live capture
To run the yanadump tool for a predetermined amount of time, use the unix timeout command:
In this example, the yanadump command will be terminated after running for one hour.
Considerations
The algorithm identifiers are extracted directly from the protocol messages themselves, so they match the identifiers defined in the corresponding RFCs.
The output from the yanadump tool is raw data formatted for upload to AQtive Guard for analysis.
Run an analysis
Upload the PCAP or yanadump trace file to AQtive Guard to run an analysis and generate a report. For details, refer to Run an analysis.