Analysing a Packet Capture File
This guide covers common Netify Agent CLI operations for status checks, data validation, packet-capture analysis, and debug troubleshooting.
Interactions on the command line may require root privileges. Use sudo or switch to the root account in these cases.
Getting Started
The Netify Agent can be used to perform offline analysis of a network packet capture, regardless of the system architecture it was taken from or the bitrate at which it was captured.
Prior to analysing a packet capture, version 5 requires the Core Processor Plugin to be installed, enabled, and configured. In addition, we need to send the traffic analysis to a Netify Sink plugin. For this example, we'll send data to the Netify Sink Socket plugin and capture the data structures using a file socket.
First, if you haven't done so already, install and enable the Core Processor and Sink Socket plugins. Once done, you can modify the default configuration files or use the ones provided below verbatim or as a template.
/etc/netifyd/netify-proc-core.json
{
  "sinks": {
    "sink-socket": {
      "default": {
        "enable": true,
        "types": [ "stream-flows", "stream-stats" ]
      }
    }
  }
}
/etc/netifyd/netify-sink-socket.json
{
  "channels": {
    "default": {
      "enable": true,
      "bind_address": "unix://${path_state_volatile}/netify-sink.sock"
    }
  }
}
Real-Time Analysis
If you have not already done so, you can use tcpdump to create a capture file:
tcpdump -i eth0 -s 65536 -w /tmp/netify.pcap host 192.168.4.100
Set -s (--snapshot-length) to 65536 to keep file sizes down; the Netify Agent does not need anything beyond this limit for DPI analysis. Also, feel free to limit the capture to a specific host, port, or any other network filter expression supported by tcpdump. To see some bandwidth statistics, run the capture for at least 60 seconds.
To play back a packet capture through the Netify Agent in real time, run:
sudo netifyd -d -v -t -r -I /path/to/pcap
Simultaneously, open another shell and capture the output that will now be sent to the file socket. In version 5.2.x or later the socket is located at /var/run/netifyd/netify-sink.sock; in version 5.0.x or earlier it is /var/run/netifyd/netifyd.sock.
sudo netcat -U /var/run/netifyd/netifyd.sock | jq # Version 5.0.x or earlier
sudo netcat -U /var/run/netifyd/netify-sink.sock | jq # Version 5.2.x or later
You should see a stream of JSON data similar to the following:
{
  "flow": {
    "category": {
      "application": 27,
      "domain": 0,
      "network": 0,
      "protocol": 18
    },
    "detected_application": 10033,
    "detected_application_name": "netify.netify",
    "detected_protocol": 196,
    "detected_protocol_name": "HTTP/S",
    ...
  }
}
For more information on the types of data objects, review the documentation on the Telemetry types page.
Fast Analysis
The -r flag forces Netify to analyze packets at the same pace at which they were captured. For example, if you have a 35-minute packet capture, this process will take just over 35 minutes.
To change this behaviour, remove the -r flag. Netify will then process your packet capture as fast as it can, constrained only by the resources of your system.
sudo netifyd -d -v -t -I /path/to/pcap
Delayed Start
There can be times when a delayed capture start is desirable. The most common case occurs when you are trying to capture output through the sink processor. Binding to a socket cannot be done until the analysis is underway, which makes it difficult to capture output from the beginning of the packet capture.
To address this case, add the --capture-delay 5 argument, where 5 can be any positive integer and represents the time to wait, in seconds, before analysing a capture file.
sudo netifyd --capture-delay 5 -d -v -t -I /path/to/pcap
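The netcat | jq pipeline above is enough to eyeball the stream, but a practitioner usually wants to consume it programmatically, and the delayed-start race (the reader must wait for the agent to bind the socket) is easier to handle in code than by timing two shells. The following is an added example, not code from the Netify project: it retries the connection to the sink socket until the agent has bound it, decodes the JSON objects incrementally (so records split across reads, or concatenated without newlines, are handled), and tallies flow records by the detected_application_name and detected_protocol_name fields shown in the sample output. The socket path defaults to the version 5.2.x location from this guide; the exact framing of the sink stream and the presence of non-flow records are assumptions, and the sample chunks at the bottom are constructed for illustration.

```python
"""Consume the Netify sink-socket JSON stream and summarise detected flows.

Added example, not part of the Netify project. Assumptions (not from the
guide): the sink emits a stream of JSON objects (newline-delimited or
concatenated), and flow records carry a top-level "flow" key with the
fields shown in the guide's sample output.
"""
import json
import socket
import time
from collections import Counter


def iter_json_objects(chunks):
    """Yield complete JSON objects from an iterable of text chunks.

    raw_decode parses one object at a time from the front of a buffer, so an
    object split across two reads is simply kept until the rest arrives.
    """
    decoder = json.JSONDecoder()
    buf = ""
    for chunk in chunks:
        buf += chunk
        while True:
            buf = buf.lstrip()
            if not buf:
                break
            try:
                obj, end = decoder.raw_decode(buf)
            except json.JSONDecodeError:
                break  # incomplete object; wait for more data
            yield obj
            buf = buf[end:]


def summarize_flows(objects):
    """Count flow records by application and protocol name.

    Returns (app_counter, proto_counter). Objects without a "flow" key
    (for example the stats records selected by "stream-stats") are skipped.
    """
    apps, protos = Counter(), Counter()
    for obj in objects:
        flow = obj.get("flow") if isinstance(obj, dict) else None
        if not flow:
            continue
        apps[flow.get("detected_application_name", "unknown")] += 1
        protos[flow.get("detected_protocol_name", "unknown")] += 1
    return apps, protos


def connect_with_retry(path, timeout=30.0, interval=0.5):
    """Connect to the agent's UNIX socket, retrying until the agent binds it.

    This is the reader-side counterpart of --capture-delay: start the reader
    first, then the agent, and the reader picks the stream up from the start.
    """
    deadline = time.monotonic() + timeout
    while True:
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            sock.connect(path)
            return sock
        except (FileNotFoundError, ConnectionRefusedError):
            sock.close()
            if time.monotonic() >= deadline:
                raise TimeoutError(f"sink socket {path} not available")
            time.sleep(interval)


def socket_chunks(sock, size=4096):
    """Yield decoded text chunks from the socket until the agent closes it."""
    while True:
        data = sock.recv(size)
        if not data:
            return
        yield data.decode("utf-8", errors="replace")


# Constructed sample records, deliberately split mid-object across chunks to
# exercise the incremental decoder. Field names follow the guide's example.
SAMPLE_CHUNKS = [
    '{"flow": {"detected_application_name": "netify.netify", '
    '"detected_protocol_name": "HTTP/S"}}\n{"flow": {"detected_app',
    'lication_name": "netify.netify", "detected_protocol_name": "HTTP/S"}}',
    '{"stats": {"interface": "eth0"}}\n'
    '{"flow": {"detected_application_name": "unknown", '
    '"detected_protocol_name": "DNS"}}\n',
]


def sample_summary():
    """Run the summariser over the constructed sample (offline check)."""
    return summarize_flows(iter_json_objects(SAMPLE_CHUNKS))


if __name__ == "__main__":
    import sys
    # Socket path from this guide (version 5.2.x or later); override via argv[1].
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/run/netifyd/netify-sink.sock"
    with connect_with_retry(path) as s:
        apps, protos = summarize_flows(iter_json_objects(socket_chunks(s)))
    for name, count in apps.most_common():
        print(f"{count:6d}  {name}")
```

Start the script before launching netifyd with --capture-delay 5; it polls for the socket until the agent binds it, so no records from the start of the capture are missed, and it prints the per-application tally once the agent closes the socket (or when you stop it with --run-without-sources still in effect, see below). Running it as root, or as a user with access to the socket, is needed for the same reason the guide prefixes netcat with sudo.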
Ignoring Interfaces
If you are using your agent to capture packets from interfaces in real time, but then want to use the same agent to analyze a packet capture file, it can be advantageous to temporarily disable the agent from listening on interfaces that would otherwise pollute the output.
To solve this case, add the --ignore-interface-configs argument.
sudo netifyd --ignore-interface-configs -d -v -t -I /path/to/pcap
Run Without Sources
If you are using your agent to send analysis to a sink, the agent can terminate before the last capture statistics are relayed to the sink plugin. To prevent this, use the --run-without-sources option. On completing the analysis, the agent will continue to run until the process is cancelled by the user (e.g., CTRL-C or kill -p <
sudo netifyd --ignore-interface-configs --run-without-sources -d -v -t -I /path/to/pcap