Version 1.1 of the super-fast PCAP parsing tool CapLoader is being released today. CapLoader is the ideal tool for digging through large volumes of PCAP files. Datasets on the order of gigabytes and even terabytes can be loaded into CapLoader to produce a clear view of all TCP and UDP flows. CapLoader also provides instantaneous access to the raw packets of each flow, which makes it a perfect preloader tool for selecting and exporting interesting data to other tools like NetworkMiner or Wireshark.
Five flows being extracted from Honeynet.org's SOTM 28 to Wireshark with CapLoader
New functionality in version 1.1
New features in version 1.1 of CapLoader are:
- PcapNG support
- Fast transcript of TCP and UDP flows (similar to Wireshark's “Follow TCP Stream”)
- Better port-agnostic protocol identification; more protocols and better precision (over 100 protocols and sub-protocols can now be identified, including Skype and the C&C protocol of Poison Ivy RAT)
- A “Hosts” tab containing a list of all transmitting hosts and information about open ports, operating system as well as Geo-IP localization (using GeoLite data created by MaxMind)
- Gzip compressed capture files can be opened directly with CapLoader
- Pcap files can be loaded directly from a URL
Flow transcript of Honeynet SOTM 28 pcap file day3.log
Free Trial Version
Another thing that is completely new with version 1.1 of CapLoader is that we now provide a free trial version for download. The CapLoader trial is free to use for anyone and we don't even require trial users to register their email addresses when downloading the software.
There are, of course, a few limitations in the trial version, such as no protocol identification, OS fingerprinting or GeoIP localization. There is also a limit on how many gigabytes of data can be loaded with the CapLoader trial at a time. This size limit is 500 GB, which should by far exceed what can be loaded with competing commercial software like Cascade Pilot and NetWitness Investigator.
The professional edition of CapLoader doesn't have any max PCAP limit whatsoever, which allows for terabytes of capture files to be loaded.
The CapLoader USB flash drive
Customers who have previously bought CapLoader 1.0 can upgrade to version 1.1 by downloading an update from our customer portal.
For more information about CapLoader, please see our previous blog post “Fast analysis of large pcap files with CapLoader”.
Posted by Erik Hjelmvik on Monday, 21 January 2013 11:45:00 (UTC/GMT)