CapLoader is a Windows tool designed to handle large amounts of captured network traffic. CapLoader performs indexing of PCAP/PcapNG files and visualizes their contents as a list of TCP and UDP flows. Users can select the flows of interest and quickly filter out those packets from the loaded PCAP files. Sending the selected flows/packets to a packet analyzer tool like Wireshark or NetworkMiner is then just a mouse click away.
CapLoader is the ideal tool to use when handling big data PCAP files in sizes up to many gigabytes (GB). The contents of individual flows can be exported to tools like Wireshark and NetworkMiner in just a matter of seconds.Next live online network forensics training: April 17-20
Video tutorial from our blog post "Analyzing Kelihos SPAM in CapLoader and NetworkMiner".
Video tutorial from our blog post "Detecting Cobalt Strike and Hancitor traffic in PCAP".
The typical process of working with CapLoader is:
CapLoader includes the ability to identify protocols without relying on port numbers (a feature often referred to as “traffic classification”). This feature can be enabled by checking the “Identify protocols” check-box in the GUI. Loading PCAP files with the “identify protocols” feature enabled will cause the application layer protocols of the extracted flows to be identified and displayed in the flow list. Being able to identify the application layer protocol is important in order to detect what services that run on non-standard ports as well as to detect if common ports are being used to transport other protocols than what might be expected.
The dynamic protocol identification feature allows for detection of over 100 protocols and sub-protocols. The identified protocols include Skype, IRC, FTP and SSH, MS-RPC, Poison Ivy RAT as well as several P2P and CardSharing protocols.
Read our Port Independent Protocol Detection blog post for more details on the protocol detection feature built into CapLoader.
CapLoader showing port independent identification of protocols
CapLoader has the ability to carve network packets from any file and save them in the PCAP-NG format. This fusion between memory forensics and network forensics makes it possible to extract sent and received IP frames, with complete payload, from RAM dumps as well as from raw disk images. CapLoader basically carves any TCP or UDP packet that is preceded by an IP frame (both IPv4 and IPv6 are supported).
CapLoader 1.2 Carving Packets from HoneyNet Memory Image
|CapLoader Trial||CapLoader (professional edition)|
|License Validity Period||30 Days||3 Years|
|Max PCAP Data Size||500 GB||No limit|
|Reads PcapNG Files||✅||✅|
|Reads ETL Files||✅||✅|
Flow Transcript View
(a.k.a Follow TCP/UDP Stream)
|Indexing of Flows for Fast Extraction||✅||✅|
|Hostname extraction from DNS||✅||✅|
|Hostname extraction from TLS||✅|
|Extract JA3 and JA3S||✅|
|Initial Round Trip Time calculation||✅||✅|
|Alexa top 1M Lookup||✅|
|Cisco Umbrella top 1M Lookup||✅|
Protocol Identification (PIPI)
|Alert on Malicious Protocol||✅|
|Alert on Port-protocol Mismatch||✅|
|Alert on Periodic Connections||✅||✅|
|Select Similar Flows||✅|
|Geo-IP Localization (*)||✅|
|ASN lookup (*)||✅|
|OSINT lookup of IP's and domains||✅|
|Network Packet Carving||✅||✅|
|Keyword String Search||✅||✅|
|Regular Expression (regex) Search||✅|
|Input Filter (BPF)||✅||✅|
|Hide Flows in GUI||✅||✅|
|Display Filter (BPF)||✅||✅|
|Select Flows from Log file||✅|
|Select Flows from PCAP file||✅|
|Service Regularity / Period Detection||✅||✅|
|Wireshark style Coloring||✅|
|Price||Free||From $ 1200 USD|
|Download Free Trial||How To Buy CapLoader|
|Version||Release Date||Major Improvements|
|1.9.5||2023-02-09||Alerts for malicious traffic.|
|1.9.4||2022-06-16||Extraction of JA3 and JA3S hashes, Select Similar Flows and VXLAN decapsulation.|
|1.9.3||2021-11-02||Read Windows event tracing .etl files.|
|1.9||2021-05-27||Column Criteria filter, VLAN support in BPF and better periodicity detection..|
CapLoader requires Microsoft .NET Framework 4.0 to be installed.