bastrue.blogg.se

Wireshark pcap file download










Packet-per-flow - the fourth alternative, working with each packet individually, which is often much slower
Using a Berkeley Packet Filter (BPF) - the third alternative, using YAF only, but producing results that may not be precise
Use getFlowKeyHash and YAF - the second alternative, not as fast as the first, but using fewer tools
Index with Capture Meta File - the first alternative, using several tools but often producing faster response
Single File Example - discussion of the principal example, presenting a process for just one capture file, and the several variations presented in the tutorial
Overview - comments regarding the tutorial and the tools used in it


In some cases, the packet analysis may yield further conditions to pull other network flow records, completing an iterative cycle. Starting from network flow records allows the analyst to more closely focus the examination of packets, and to improve the efficiency of analysis. Specific packet-by-packet detail provides more evidence and more surety of analysis results. These features allow YAF to support a variety of analyses that move from analysis of network flow records and drill down into the packets that are generated from those flows. Both tutorials assume you are using the most recent release of YAF. A companion tutorial, Rolling Packet Capture (PCAP) Export with YAF, will discuss how to enable YAF to create a rolling buffer of PCAPs and index the PCAPs by flows.


Indexing Packet Capture Files (PCAP) with YAF

This tutorial describes how to use YAF's features that support use of packet capture (PCAP) files. It will discuss the various approaches to indexing PCAP and isolating PCAP for a particular flow. This tutorial makes use of two additional tools that are installed with YAF, yafMeta2Pcap and getFlowKeyHash.










