Application Packet Capture: A better way to PCAP.
There are two components of
AppPacCap that the user can interact with. The first is a Windows form application that provides configuration options for the service component. The second interface piece is provided through the browser. By default,
AppPacCap comes with a web interface that utilizes the API in order to control and visualize the capture process. The web interface is completely customizable so the default web page can be replaced or updated based on user requirements.
The first tab contains status information along with network settings. Here you can start and stop the service and set the adapter and port number the web server should listen on. To start or stop the service, just click the second toggle button. Closing the GUI does not stop the
AppPacCap service. After changing the networking settings make sure to click the 'Save' button.
AppPacCap web server supports authentication. On the 'Authentication' tab, you can manage the settings relating to user accounts. The
AppPacCap service will automatically refresh the settings when you enable/disable or add/remove accounts but it may take a minute or two for the changes to take effect.
IP geolocation is available with the GeoLite2 data set. On the 'GeoLite2' tab, you can set the file paths for the downloaded data. More information on geolocation is here.
Threat intel sources can also be queried to further enrich an IP address. On the 'Threat Intel' tab, you can set a primary and secondary source to query. More information on threat intel is here.
There are three ways for PCAP and PCAPNg files to be ingested by
AppPacCap. Two are through API calls while the third is through the user interface. Here, you can add the files you want ingested and when all added, click the 'Ingest' button.
AppPacCap service must be running for this to work properly. The service will then read each added file and create a new capture session for each one.
Default Web Interface
AppPacCap's API, a completely customizable user interface is possible. Most of the details described here only applies to the default interface that comes with the
AppPacCap runs for the first time, it will generate a self-signed certificate that is used to provide secure network communications between
AppPacCap and the browser. While this isn't necessary with local only access, it is important if
AppPacCap is accessed remotely. Because the certificate is self-signed, all browsers will throw up a warning.
You can examine the certificate to see that it was generated by
AppPacCap. Different browsers handle this differently but you'll want to confirm the exception so that the browser trusts the certificate in the future.
Once the certificate is trusted, you'll be presented with a splash screen. This gives basic information about the version and license. Just click the 'Continue' link to continue onto the main dashboard.
AppPacCap dashboard provides a dynamic snap shot of various pieces of information. Here we can see the total number of packets and bytes sent and received by the system as well as connection attempts. The charts and values refresh every 5 seconds. On this main tab, there is a listing of running processes which also refresh automatically along with a listing of all active and completed commands and searches. The top row of tabs will take you to a list of active and completed capture sessions and configured triggers and actions. Active and re-opened capture sessions will create a new tab in the top row so you can view the captured data.
Active and completed capture sessions will create a new tab so you can easily switch between views. The capture session tab page contains a listing of all packets, areas to explore the packet details along with a map that will display the geolocated points.