Is There Any Way to Analyze PCAP Files?
Yes, there is. Run the commands below on your AC-Hunter system; which set you use depends on your version.
If you are using AC-Hunter 5.3.0 or higher, please run the following:
/usr/local/bin/import_pcaps.sh -p pcap_filename.pcap -d database_name
If you have AC-Hunter 5.2.0 or lower:
Set the following variables to your own values. Both paths must be absolute, because they are bind-mounted into the container in the next step (the output directory must already exist):
export PCAP_FILE=/absolute/path/to/file.pcap
export BRO_DIR=/absolute/path/you/want/bro/logs/
export DATABASE=yourdatabasename
Convert your pcap to Bro logs:
sudo docker run --rm --volume "$PCAP_FILE:/capture.pcap" --volume "$BRO_DIR:/pcap" --env BRO_DNS_FAKE=true blacktop/bro:2.5 -r /capture.pcap local
Import the Bro logs into AI-Hunter (the earlier name of AC-Hunter) using RITA:
~/AIH-source/AI-Hunter-latest/rita import $BRO_DIR $DATABASE
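The three steps above for AC-Hunter 5.2.0 and lower, wrapped in one POSIX shell script with the input checks a practitioner wants before handing paths to docker and rita. This is an added example, not the FAQ's own script or an Active Countermeasures tool. It assumes docker is installed and can pull blacktop/bro:2.5, and that RITA lives at $HOME/AIH-source/AI-Hunter-latest/rita as the FAQ shows; the database-name rules are a conservative assumption, not something the page states.

```shell
#!/bin/sh
# Added example (not from the AC-Hunter FAQ): wraps the 5.2.0-and-lower
# pcap -> Bro logs -> RITA import procedure with input validation.
# Assumptions: docker is installed and blacktop/bro:2.5 is pullable;
# RITA is at $HOME/AIH-source/AI-Hunter-latest/rita (path taken from the FAQ).

BRO_IMAGE="blacktop/bro:2.5"
RITA_BIN="$HOME/AIH-source/AI-Hunter-latest/rita"

# docker --volume treats a source without a leading slash as a *named volume*,
# not a host path, so a relative PCAP_FILE or BRO_DIR silently mounts the
# wrong thing. Require absolute paths up front.
is_abs_path() {
    case "$1" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Conservative database-name check (assumption, not from the page): letters,
# digits, '_' and '-' only, at most 64 bytes. RITA stores into MongoDB, which
# rejects names containing / \ . " $ * < > : | ? and names longer than 64 bytes.
is_valid_db_name() {
    [ -n "$1" ] && [ "${#1}" -le 64 ] || return 1
    case "$1" in
        *[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Render the exact docker invocation from the FAQ as one string, useful for
# logging or a dry run before anything touches the host.
bro_command() {
    printf 'sudo docker run --rm --volume "%s:/capture.pcap" --volume "%s:/pcap" --env BRO_DNS_FAKE=true %s -r /capture.pcap local' \
        "$1" "$2" "$BRO_IMAGE"
}

# Validate PCAP_FILE, BRO_DIR and DATABASE; report the first problem and fail.
check_inputs() {
    if ! is_abs_path "$1" || [ ! -f "$1" ]; then
        echo "PCAP_FILE must be an absolute path to an existing file: $1" >&2
        return 1
    fi
    if ! is_abs_path "$2" || [ ! -d "$2" ]; then
        echo "BRO_DIR must be an absolute path to an existing directory: $2" >&2
        return 1
    fi
    if ! is_valid_db_name "$3"; then
        echo "DATABASE must be 1-64 characters of [A-Za-z0-9_-]: $3" >&2
        return 1
    fi
    return 0
}

# Steps 2 and 3 of the FAQ: convert the pcap, then import the logs.
import_pcap() {
    check_inputs "$1" "$2" "$3" || return 1
    # Bro writes conn.log, dns.log, http.log, ... into /pcap, i.e. into BRO_DIR.
    sudo docker run --rm \
        --volume "$1:/capture.pcap" \
        --volume "$2:/pcap" \
        --env BRO_DNS_FAKE=true \
        "$BRO_IMAGE" -r /capture.pcap local || return 1
    # conn.log is the minimum RITA needs; fail loudly instead of importing nothing.
    [ -s "$2/conn.log" ] || { echo "no conn.log produced in $2" >&2; return 1; }
    "$RITA_BIN" import "$2" "$3"
}

# Usage: sh import_pcap.sh /absolute/file.pcap /absolute/bro/logs/ dbname
if [ "$#" -eq 3 ]; then
    import_pcap "$1" "$2" "$3"
fi
```

Run it with the same three values you would otherwise export as PCAP_FILE, BRO_DIR and DATABASE; a bad path or database name is rejected before docker is invoked, and an empty conversion (no conn.log) stops before RITA creates an empty database.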
At this point your database should be visible in AC-Hunter.
Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=869
Category: AC-Hunter General