Network Analyzer

The SandboxAQ Network Analyzer processes packet capture (PCAP) files to detect cryptographic objects within network captures.

Download

To download the Network Analyzer:

  1. Log in to AQtive Guard as an administrator.
  2. Select Settings from the menu bar, then select Sensors.
  3. Select Download under the Network Analyzer tile.

Create a PCAP file

You can use your preferred network sniffer to produce a PCAP file. For instance, to create a PCAP file using tcpdump, run:

tcpdump -w file.cap

This tutorial provides more information on using tcpdump.

The Network Analyzer can also process packet capture data through integrations with popular network security and monitoring platforms. For available options, refer to Integrations & plugins.

Yanadump

The yanadump tool processes network packets and extracts handshake-related information.

Use

The yanadump --help command displays all the options the tool supports. Some use cases are described in the following sections.

PCAP files

To dump handshake information from a PCAP file, run:

$ yanadump -f /path/to/file.pcap -o /path/to/out.cst

This outputs a trace file that contains all handshake-related information. There is one line per detected handshake.

Live capture (Linux)

To dump handshake information from a live interface, run:

$ yanadump -i interface0 -o /path/to/out.cst

The yanadump binary requires both the CAP_NET_ADMIN and CAP_NET_RAW Linux capabilities to capture packets. This can be achieved by doing one of the following:

  • Run the yanadump tool as root (not recommended)
  • Add the following capabilities to the yanadump binary:
    $ sudo setcap 'cap_net_raw+eip cap_net_admin+eip' /path/to/yanadump

Tip

To save bandwidth and shorten the upload time, use gzip to compress the trace file before uploading: gzip /path/to/trace.cst

Stopping a live capture

To run the yanadump tool for a predetermined amount of time, use the unix timeout command:

timeout 1h yanadump -i en0 -o mytrace.cst

In this example, the yanadump command will be terminated after running for one hour.
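The capability requirement, the timeout-bounded capture and the gzip tip above fit together naturally in a small wrapper script. The following is an added example, not SandboxAQ's code: it refuses to fall back to root, checks the binary's file capabilities with getcap(8) before capturing, runs yanadump under timeout for a fixed duration, and compresses the trace for upload. It assumes a Linux host with libcap's getcap and GNU timeout installed, and that yanadump lives at the (assumed) path in YANADUMP.

```shell
#!/bin/sh
# Added example (not SandboxAQ's code): run a time-bounded yanadump live capture
# as an unprivileged user, verifying the binary's file capabilities first instead
# of falling back to root, then gzip the trace for upload to AQtive Guard.
# Assumed: yanadump is installed at $YANADUMP and getcap(8) from libcap exists.
set -eu

YANADUMP="${YANADUMP:-/usr/local/bin/yanadump}"   # assumed install path

# caps_granted LINE: succeed only if a getcap(8) output line shows both
# cap_net_raw and cap_net_admin in the effective (e) and permitted (p) sets.
# Accepts both output styles: "path = cap_a,cap_b+eip" (libcap < 2.41)
# and "path cap_a,cap_b=eip" (libcap >= 2.41).
caps_granted() {
  for cap in cap_net_raw cap_net_admin; do
    # isolate the clause naming this capability, e.g. "cap_net_admin,cap_net_raw=eip"
    clause=$(printf '%s\n' "$1" | tr ' ' '\n' | grep "$cap" | head -n 1)
    flags=${clause##*[=+]}                      # text after the last '=' or '+'
    case $flags in *e*) ;; *) return 1 ;; esac  # must be effective
    case $flags in *p*) ;; *) return 1 ;; esac  # must be permitted
  done
  return 0
}

# main IFACE DURATION OUT: check capabilities, capture for DURATION, compress.
main() {
  iface=$1; duration=$2; out=$3
  line=$(getcap "$YANADUMP") || { echo "getcap failed for $YANADUMP" >&2; return 1; }
  if ! caps_granted "$line"; then
    echo "missing capabilities on $YANADUMP; grant them with:" >&2
    echo "  sudo setcap 'cap_net_raw+eip cap_net_admin+eip' $YANADUMP" >&2
    return 1
  fi
  # timeout(1) sends SIGTERM when the duration elapses and exits 124; that is
  # the expected way for a bounded capture to end, so treat 124 as success.
  timeout "$duration" "$YANADUMP" -i "$iface" -o "$out" || [ $? -eq 124 ]
  gzip "$out"                                   # upload "$out.gz" to AQtive Guard
  echo "trace written to $out.gz"
}

# Run only when invoked with arguments, e.g. `sh capture.sh eth0 1h trace.cst`,
# so the functions can also be sourced from another script.
if [ $# -gt 0 ]; then main "$@"; fi
```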

Considerations

The algorithm identifiers are extracted directly from the protocol messages, so they match the identifiers defined in the corresponding RFCs.

The output from the yanadump tool is raw data formatted for upload to AQtive Guard for analysis.

Run an analysis

Upload the PCAP or yanadump trace file to AQtive Guard to run an analysis and generate a report. For details, refer to Run an analysis.