Is There Any Way to Analyze PCAP Files?

Yes there is! Run the following commands on your AC-Hunter system, depending on your version.

If you are using AC-Hunter 5.3.0 or higher, please run the following:

/usr/local/bin/import_pcaps.sh -p pcap_filename.pcap -d database_name

If you have AC-Hunter 5.2.0 or lower:

Set the following variables to your own values:

export PCAP_FILE=/absolute/path/to/file.pcap
export BRO_DIR=/absolute/path/you/want/bro/logs/
export DATABASE=yourdatabasename

Convert your pcap to Bro logs:

sudo docker run --rm --volume "$PCAP_FILE:/capture.pcap" --volume "$BRO_DIR:/pcap" --env BRO_DNS_FAKE=true blacktop/bro:2.5 -r /capture.pcap local

Import the Bro logs into AI-Hunter using RITA:

~/AIH-source/AI-Hunter-latest/rita import $BRO_DIR $DATABASE

At this point your database should be visible in AC-Hunter.

Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=869