
CapLoader

CapLoader is a Windows tool designed to handle large amounts of captured network traffic. CapLoader performs indexing of PCAP/PcapNG files and visualizes their contents as a list of TCP and UDP flows. Users can select the flows of interest and quickly filter out those packets from the loaded PCAP files. Sending the selected flows/packets to a packet analyzer tool like Wireshark or NetworkMiner is then just a mouse click away.

CapLoader is the ideal tool to use when handling big data PCAP files in sizes up to many gigabytes (GB). The contents of individual flows can be exported to tools like Wireshark and NetworkMiner in just a matter of seconds.

» Watch the CapLoader Demo Video «

» Buy CapLoader «

» Download Free Trial «

[Screenshot: CapLoader with 2 GB of PCAP data loaded from Defcon 11]

Usage

The typical process of working with CapLoader is:

  1. Open one or multiple pcap files, typically by drag-and-dropping them onto the CapLoader GUI.
     [Screenshot: CapLoader loading a pcap file with drag-and-drop]
  2. Select/mark the flows of interest.
     [Screenshot: CapLoader selecting flows / sessions]
  3. Double-click the PCAP icon to open the selected sessions in your default pcap parser (typically Wireshark), or better yet, drag-and-drop from the PCAP icon onto any application you wish.
     [Screenshot: CapLoader exporting packets to NetworkMiner]

For more details on how to use CapLoader, please see our CapLoader video tutorial. You can also have a look at our blog posts about CapLoader to learn more about how to use CapLoader and what new features are being added to this powerful tool.

Built-in Protocol Identification

CapLoader includes the ability to identify protocols without relying on port numbers (a feature often referred to as “traffic classification”). This feature can be enabled by checking the “Identify protocols” check-box in the GUI. Loading PCAP files with the “Identify protocols” feature enabled causes the application layer protocol of each extracted flow to be identified and displayed in the flow list. Being able to identify the application layer protocol matters for two reasons: it reveals which services run on non-standard ports, and it detects when well-known ports are being used to carry a protocol other than the one expected on that port.

The dynamic protocol identification feature allows for detection of over 100 protocols and sub-protocols. The identified protocols include Skype, IRC, FTP, SSH, MS-RPC and the Poison Ivy RAT, as well as several P2P and CardSharing protocols.

[Screenshot: CapLoader showing port independent identification of protocols]

Network Packet Carving

CapLoader has the ability to carve network packets from any file and save them in the PCAP-NG format. This fusion of memory forensics and network forensics makes it possible to extract sent and received IP frames, with complete payload, from RAM dumps as well as from raw disk images. In short, CapLoader carves any TCP or UDP packet that is preceded by an IP frame (both IPv4 and IPv6 are supported).

[Screenshot: CapLoader 1.2 Carving Packets from HoneyNet Memory Image]
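A minimal carver in the spirit of what this section describes, added here as an illustration and not CapLoader's own code: it scans an arbitrary byte buffer for IPv4 headers followed by TCP or UDP, validates every candidate with the IP header checksum to suppress false positives, and writes the hits as a classic PCAP with LINKTYPE_RAW. The "memory dump", addresses and payload are constructed for the example; IPv6 carving, which CapLoader also supports, is left out.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum of a 20-byte IPv4 header (checksum field treated as zero)."""
    total = sum(struct.unpack("!10H", header[:10] + b"\x00\x00" + header[12:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def carve_ipv4(buf: bytes):
    """Return [(offset, packet_bytes)] for every plausible IPv4/TCP or IPv4/UDP packet in buf: version 4
    with IHL 5, protocol 6 or 17, a total length that fits and covers the transport header, valid checksum."""
    found, i = [], 0
    while i + 20 <= len(buf):
        if buf[i] == 0x45 and buf[i + 9] in (6, 17):
            total_len = struct.unpack_from("!H", buf, i + 2)[0]
            min_len = 20 + (20 if buf[i + 9] == 6 else 8)
            if (min_len <= total_len <= len(buf) - i
                    and struct.unpack_from("!H", buf, i + 10)[0] == ipv4_checksum(buf[i:i + 20])):
                found.append((i, bytes(buf[i:i + total_len])))
                i += total_len  # resume scanning after the carved packet
                continue
        i += 1
    return found

def build_pcap(packets) -> bytes:
    """Classic PCAP with LINKTYPE_RAW (101): no link-layer header, the IP header starts at byte 0.
    Carving recovers no timestamps, so the record index is stored as ts_sec to preserve the order."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
    for n, (_, pkt) in enumerate(packets):
        out += struct.pack("<IIII", n, 0, len(pkt), len(pkt)) + pkt
    return out

def build_ipv4_udp(payload: bytes) -> bytes:
    """Constructed sample: IPv4/UDP 10.0.0.1:53 -> 10.0.0.2:1234 with a correct header checksum."""
    udp = struct.pack("!HHHH", 53, 1234, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + udp

# Constructed "memory dump": zero filler, one real packet, a decoy whose only defect is a bad checksum, filler.
REAL = build_ipv4_udp(b"carved")
DECOY = bytearray(REAL); DECOY[10] ^= 0xFF  # corrupt the checksum: the carver must reject this one
DUMP = b"\x00" * 37 + REAL + b"junk" + bytes(DECOY) + b"\xff" * 11

if __name__ == "__main__":
    packets = carve_ipv4(DUMP)
    with open("carved.pcap", "wb") as f:
        f.write(build_pcap(packets))
    print(f"carved {len(packets)} packet(s) at offsets {[off for off, _ in packets]}")
```

The resulting carved.pcap opens in Wireshark as "Raw IP"; a real dump will also yield checksum-valid fragments of packets whose payload was overwritten, so treat carved payload lengths with some suspicion.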

Try or Buy CapLoader

Feature                                               CapLoader Trial       CapLoader (professional edition)
License Validity Period                               30 Days               10 Years
Max PCAP Data Size                                    500 GB                No limit
PcapNG Support                                        Yes                   Yes
Flow Transcript View (a.k.a. Follow TCP/UDP Stream)   Yes                   Yes
Port Independent Protocol Identification (PIPI)                             Yes
OS Fingerprinting                                                           Yes
Geo-IP Localization (*)                                                     Yes
Network Packet Carving                                Yes                   Yes
Keyword Search                                        Yes                   Yes
Hide Flows in GUI                                     Yes                   Yes
Select Flows from Log file                                                  Yes
Price                                                 Free                  From $ 900 USD
                                                      Download Free Trial   Buy CapLoader
                                                      (no registration required)

* CapLoader (professional edition) includes GeoLite data created by MaxMind, available from http://maxmind.com/

Dependencies

CapLoader requires Microsoft .NET Framework 4.0 to be installed.