{"id":13639,"date":"2022-08-04T22:53:53","date_gmt":"2022-08-04T19:53:53","guid":{"rendered":"https:\/\/kifarunix.com\/?p=13639"},"modified":"2024-03-09T21:02:47","modified_gmt":"2024-03-09T18:02:47","slug":"analyze-pcap-files-using-malcolm-network-traffic-analysis-tool","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/analyze-pcap-files-using-malcolm-network-traffic-analysis-tool\/","title":{"rendered":"Analyze PCAP Files using Malcolm Network Traffic Analysis tool"},"content":{"rendered":"\n<p>In this tutorial, you will learn how to analyze PCAP files using the Malcolm network traffic analysis tool. <a href=\"https:\/\/github.com\/cisagov\/Malcolm\" target=\"_blank\" rel=\"noreferrer noopener\">Malcolm<\/a> can be used to analyze offline full PCAP files or to monitor and analyze live network traffic. Malcolm integrates Suricata and Zeek (formerly Bro), and both of these tools can be used to analyze PCAP files.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Analyze PCAP Files using Malcolm<\/h2>\n\n\n\n<p>As already mentioned, Malcolm can analyze already captured network traffic in PCAP files or perform live network traffic analysis.<\/p>\n\n\n\n<p>In this tutorial, we will show you how to use Malcolm to analyze offline PCAPs, that is, network data that has been captured elsewhere in the form of packet captures.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Install Malcolm Network Traffic Analysis Tool<\/h3>\n\n\n\n<p>Before you proceed, see how to install the Malcolm network traffic analysis tool on your Linux system by following the tutorial below.<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-malcolm-network-traffic-analysis-tool-on-ubuntu\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install Malcolm Network Traffic Analysis Tool on Ubuntu 22.04<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Upload PCAP files to Malcolm<\/h3>\n\n\n\n<p>Our Malcolm server is up and running. 
Let&#8217;s confirm the status of the docker services;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>docker ps -a<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\nCONTAINER ID   IMAGE                                   COMMAND                  CREATED         STATUS                   PORTS                                                                                            NAMES\nee52e3f92ffe   malcolmnetsec\/nginx-proxy:6.2.0         \"\/usr\/local\/bin\/dock\u2026\"   2 minutes ago   Up 2 minutes (healthy)   0.0.0.0:443->443\/tcp, 127.0.0.1:5601->5601\/tcp, 0.0.0.0:488->488\/tcp, 127.0.0.1:9200->9200\/tcp   malcolm-nginx-proxy-1\n7ba1348383fd   malcolmnetsec\/filebeat-oss:6.2.0        \"\/usr\/local\/bin\/dock\u2026\"   2 minutes ago   Up 2 minutes (healthy)   127.0.0.1:5045->5045\/tcp                                                                         malcolm-filebeat-1\nd7c2047fc335   malcolmnetsec\/suricata:6.2.0            \"\/usr\/local\/bin\/dock\u2026\"   2 minutes ago   Up 2 minutes (healthy)                                                                                                    malcolm-suricata-1\na76d195cd9c8   malcolmnetsec\/dashboards:6.2.0          \"\/usr\/local\/bin\/dock\u2026\"   2 minutes ago   Up 2 minutes (healthy)   5601\/tcp                                                                                         malcolm-dashboards-1\n7b4c795e0488   malcolmnetsec\/file-upload:6.2.0         \"\/usr\/local\/bin\/dock\u2026\"   2 minutes ago   Up 2 minutes (healthy)   80\/tcp, 127.0.0.1:8022->22\/tcp                                                                   malcolm-upload-1\n2e9926a473c5   malcolmnetsec\/zeek:6.2.0                \"\/usr\/local\/bin\/dock\u2026\"   2 minutes ago   Up 2 minutes (healthy)                                                                                                    malcolm-zeek-1\n48d1795e679d   malcolmnetsec\/logstash-oss:6.2.0        \"\/usr\/local\/bin\/dock\u2026\"   2 
minutes ago   Up 2 minutes (healthy)   9001\/tcp, 127.0.0.1:5044->5044\/tcp, 9600\/tcp                                                     malcolm-logstash-1\nee660d1f4be2   malcolmnetsec\/arkime:6.2.0              \"\/usr\/local\/bin\/dock\u2026\"   2 minutes ago   Up 2 minutes (healthy)   8000\/tcp, 8005\/tcp, 8081\/tcp                                                                     malcolm-arkime-1\n6d9cca0d5884   malcolmnetsec\/dashboards-helper:6.2.0   \"\/usr\/local\/bin\/dock\u2026\"   2 minutes ago   Up 2 minutes (healthy)   28991\/tcp                                                                                        malcolm-dashboards-helper-1\nb747c842f7e0   malcolmnetsec\/pcap-monitor:6.2.0        \"\/usr\/local\/bin\/dock\u2026\"   2 minutes ago   Up 2 minutes (healthy)   30441\/tcp                                                                                        malcolm-pcap-monitor-1\n5cfb042f6d9b   malcolmnetsec\/zeek:6.2.0                \"\/usr\/local\/bin\/dock\u2026\"   2 minutes ago   Up 2 minutes                                                                                                              malcolm-zeek-live-1\n8225437358b4   malcolmnetsec\/file-monitor:6.2.0        \"\/usr\/local\/bin\/dock\u2026\"   2 minutes ago   Up 2 minutes (healthy)   3310\/tcp, 8440\/tcp                                                                               malcolm-file-monitor-1\n7868bfe4043c   malcolmnetsec\/name-map-ui:6.2.0         \"\/usr\/local\/bin\/dock\u2026\"   2 minutes ago   Up 2 minutes (healthy)   8080\/tcp                                                                                         malcolm-name-map-ui-1\n0f5344b838b7   malcolmnetsec\/htadmin:6.2.0             \"\/usr\/local\/bin\/dock\u2026\"   2 minutes ago   Up 2 minutes (healthy)   80\/tcp                                                                                           malcolm-htadmin-1\na6f88f762a11   malcolmnetsec\/api:6.2.0                 
\"\/usr\/local\/bin\/dock\u2026\"   2 minutes ago   Up 2 minutes (healthy)   5000\/tcp                                                                                         malcolm-api-1\n914f5370fd1f   malcolmnetsec\/freq:6.2.0                \"\/usr\/local\/bin\/dock\u2026\"   2 minutes ago   Up 2 minutes (healthy)   10004\/tcp                                                                                        malcolm-freq-1\nf328cd5a04b2   malcolmnetsec\/opensearch:6.2.0          \"\/usr\/local\/bin\/dock\u2026\"   2 minutes ago   Up 2 minutes (healthy)   9200\/tcp, 9300\/tcp, 9600\/tcp, 9650\/tcp                                                           malcolm-opensearch-1\ne3f06dcbe75c   malcolmnetsec\/suricata:6.2.0            \"\/usr\/local\/bin\/dock\u2026\"   2 minutes ago   Up 2 minutes                                                                                                              malcolm-suricata-live-1\n02af57ce2df9   malcolmnetsec\/pcap-capture:6.2.0        \"\/usr\/local\/bin\/dock\u2026\"   2 minutes ago   Up 2 minutes                                                                                                              malcolm-pcap-capture-1\n<\/code><\/pre>\n\n\n\n<p>Seems all good.<\/p>\n\n\n\n<p>Malcolm ships with web browser-based upload form that enables you to upload PCAP files and Zeek logs for analysis.<\/p>\n\n\n\n<p>You can access this interfaces via the URL <strong>https:\/\/&lt;malcolm-server-or-hostname&gt;\/upload<\/strong>.<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/malcolm-pcap-web-upload-ui-1.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1439\" height=\"641\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/malcolm-pcap-web-upload-ui-1.png\" alt=\"Analyze PCAP Files using Malcolm Network Traffic Analysis tool\" class=\"wp-image-13642\" title=\"\" 
srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/malcolm-pcap-web-upload-ui-1.png?v=1659632132 1439w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/malcolm-pcap-web-upload-ui-1-768x342.png?v=1659632132 768w\" sizes=\"(max-width: 1439px) 100vw, 1439px\" \/><\/figure><\/a><\/div>\n\n\n\n<p>Thus, to analyze a PCAP file using Malcolm;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>click the <strong>Add files&#8230;<\/strong> button and navigate to where you stored your PCAP file on your system.<\/li>\n\n\n\n<li>Select the PCAP file and upload. The file will then be placed on the Malcolm upload queue.<\/li>\n<\/ul>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/malcolm-pcap-web-upload-queue.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1544\" height=\"797\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/malcolm-pcap-web-upload-queue.png\" alt=\"Analyze PCAP Files using Malcolm Network Traffic Analysis tool\" class=\"wp-image-13643\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/malcolm-pcap-web-upload-queue.png?v=1659633312 1544w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/malcolm-pcap-web-upload-queue-768x396.png?v=1659633312 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/malcolm-pcap-web-upload-queue-1536x793.png?v=1659633312 1536w\" sizes=\"(max-width: 1544px) 100vw, 1544px\" \/><\/figure><\/a><\/div>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If you want, you can add appropriate tags. type the tag name and press enter to save. You can use tags to search your analyzed event data. Tags can also be created automatically based on the name of the PCAP file.<\/li>\n\n\n\n<li>Next, you can also choose whether to analyze the PCAP using Zeek or Suricata. Zeek also supports file extraction. 
You can also select what type of files to extract.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1511\" height=\"762\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/malcolm-pcap-suricata-zeek-analysis.png\" alt=\"\" class=\"wp-image-13644\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/malcolm-pcap-suricata-zeek-analysis.png?v=1659633369 1511w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/malcolm-pcap-suricata-zeek-analysis-768x387.png?v=1659633369 768w\" sizes=\"(max-width: 1511px) 100vw, 1511px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Click <strong>Start Upload<\/strong> or <strong>Start<\/strong> button to upload and start the analysis of the uploaded PCAP file.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Analyze PCAP Files using Malcolm<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Arkime Sessions<\/h4>\n\n\n\n<p>Once the upload is done, you can navigate back to Arkime or Kibana dashboard to view the analyzed event data.<\/p>\n\n\n\n<p>To check the Arkime sessions, just navigate to <strong>https:\/\/&lt;server-IP&gt;\/sessions<\/strong>.<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/malcolm-arkime-sessions.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1900\" height=\"948\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/malcolm-arkime-sessions.png\" alt=\"Analyze PCAP Files using Malcolm Network Traffic Analysis tool\" class=\"wp-image-13647\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/malcolm-arkime-sessions.png?v=1659640015 1900w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/malcolm-arkime-sessions-768x383.png?v=1659640015 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/malcolm-arkime-sessions-1536x766.png?v=1659640015 1536w\" 
sizes=\"(max-width: 1900px) 100vw, 1900px\" \/><\/figure><\/a><\/div>\n\n\n\n<p>By default, Arkime shows data for the last one-hour time frame. Click the clock (as shown in the screenshot above) to adjust the time frame and see more events.<\/p>\n\n\n\n<p>You can then use Arkime filters to analyze your traffic. For example, let us try to find web-related traffic using the filter below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>port.dst == 80 || port.dst == 443<\/code><\/pre>\n\n\n\n<p>Click search or press Enter once you have entered the filter to filter the events. You can click <strong>Databytes\/Bytes<\/strong> to sort the events in ascending\/descending order (to identify top talkers).<\/p>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/malcolm-arkime-traffic-filter.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1902\" height=\"949\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/malcolm-arkime-traffic-filter.png\" alt=\"Analyze PCAP Files using Malcolm Network Traffic Analysis tool\" class=\"wp-image-13649\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/malcolm-arkime-traffic-filter.png?v=1659640200 1902w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/malcolm-arkime-traffic-filter-768x383.png?v=1659640200 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/malcolm-arkime-traffic-filter-1536x766.png?v=1659640200 1536w\" sizes=\"(max-width: 1902px) 100vw, 1902px\" \/><\/figure><\/a><\/div>\n\n\n\n<p>As you can see from the above, there is some interesting information in the traffic. You can see some executable files. 
Most likely someone downloaded malware!<\/p>\n\n\n\n<p>You can click on the <strong>+<\/strong> button against an event session to check more details.<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/sample-web-traffic-session.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1904\" height=\"1930\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/sample-web-traffic-session.png\" alt=\"Analyze PCAP Files using Malcolm Network Traffic Analysis tool\" class=\"wp-image-13648\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/sample-web-traffic-session.png?v=1659640100 1904w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/sample-web-traffic-session-768x778.png?v=1659640100 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/sample-web-traffic-session-1515x1536.png?v=1659640100 1515w\" sizes=\"(max-width: 1904px) 100vw, 1904px\" \/><\/figure><\/a><\/div>\n\n\n\n<p>You can drill down further into the available event sessions.<\/p>\n\n\n\n<p>For example, these are sample Arkime search filters;<\/p>\n\n\n\n<p>Filter for an IP;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ip.src == IP<\/code><\/pre>\n\n\n\n<p>To filter for an IP or another IP;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ip.src == IP || ip.src == IP<\/code><\/pre>\n\n\n\n<p>An IP and another IP;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ip.src == IP &amp;&amp; ip.src == IP<\/code><\/pre>\n\n\n\n<p>Not an IP;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ip.src != IP<\/code><\/pre>\n\n\n\n<p>Sample keyword in a field;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>tags == \"*sample*\"<\/code><\/pre>\n\n\n\n<p>Field exists;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>suricata.signature == EXISTS! <\/code><\/pre>\n\n\n\n<p>You can negate the above;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>suricata.signature != EXISTS! 
<\/code><\/pre>\n\n\n\n<p>Search for a specific event field, e.g. whether a specific log type is available;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>event.dataset == ssh<\/code><\/pre>\n\n\n\n<p>Search for a range in a field;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>email.subject.cnt &gt; 0<\/code><\/pre>\n\n\n\n<p>And many more!<\/p>\n\n\n\n<p>You can also go through the other Arkime menu items to learn more.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Viewing Event Data on OpenSearch Kibana Dashboards<\/h4>\n\n\n\n<p>You can also go to Kibana to check events. Navigate to <strong>https:\/\/&lt;server-IP&gt;\/dashboards<\/strong><\/p>\n\n\n\n<p>Overview of the events grouped into various dashboards;<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/Overview-Malcolm-Dashboards.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1906\" height=\"2546\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/Overview-Malcolm-Dashboards.png\" alt=\"Analyze PCAP Files using Malcolm Network Traffic Analysis tool\" class=\"wp-image-13650\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/Overview-Malcolm-Dashboards.png?v=1659640267 1906w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/Overview-Malcolm-Dashboards-768x1026.png?v=1659640267 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/Overview-Malcolm-Dashboards-1150x1536.png?v=1659640267 1150w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/Overview-Malcolm-Dashboards-1533x2048.png?v=1659640267 1533w\" sizes=\"(max-width: 1906px) 100vw, 1906px\" \/><\/figure><\/a><\/div>\n\n\n\n<p>You can also navigate to the Kibana Discover tab, where you can search for the events.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1914\" height=\"777\" 
src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/kibana-discover.png\" alt=\"\" class=\"wp-image-13651\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/kibana-discover.png?v=1659640299 1914w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/kibana-discover-768x312.png?v=1659640299 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/kibana-discover-1536x624.png?v=1659640299 1536w\" sizes=\"(max-width: 1914px) 100vw, 1914px\" \/><\/figure>\n\n\n\n<p>You can further drill down to analyse your traffic.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1897\" height=\"941\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/kibana-discover-events.png\" alt=\"\" class=\"wp-image-13652\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/kibana-discover-events.png?v=1659640322 1897w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/kibana-discover-events-768x381.png?v=1659640322 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/kibana-discover-events-1536x762.png?v=1659640322 1536w\" sizes=\"(max-width: 1897px) 100vw, 1897px\" \/><\/figure>\n\n\n\n<p>Click on the event <strong>&gt;<\/strong> button to see more details;<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/malcolm-kibana-event-details.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1903\" height=\"4233\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/malcolm-kibana-event-details.png\" alt=\"\" class=\"wp-image-13654\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/malcolm-kibana-event-details.png?v=1659642649 1903w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/malcolm-kibana-event-details-768x1708.png?v=1659642649 768w, 
https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/malcolm-kibana-event-details-691x1536.png?v=1659642649 691w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/malcolm-kibana-event-details-921x2048.png?v=1659642649 921w\" sizes=\"(max-width: 1903px) 100vw, 1903px\" \/><\/figure><\/a><\/div>\n\n\n\n<p>You can also filter events based on the available fields for example to search for web traffic events, use the search filter;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>destination.port: (80 OR 443)<\/code><\/pre>\n\n\n\n<p>To add more, for example IP;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>destination.port: (80 OR 443) AND (source.ip: 65.21.51.213 OR destination.ip: 6x.2x.5x.2x3 )<\/code><\/pre>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/filtering-kibana-events.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1892\" height=\"1729\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/filtering-kibana-events.png\" alt=\"\" class=\"wp-image-13655\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/filtering-kibana-events.png?v=1659642688 1892w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/filtering-kibana-events-768x702.png?v=1659642688 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/filtering-kibana-events-1536x1404.png?v=1659642688 1536w\" sizes=\"(max-width: 1892px) 100vw, 1892px\" \/><\/figure><\/a><\/div>\n\n\n\n<p>You can also choose the fields to display from the right pane.<\/p>\n\n\n\n<p>And that brings us to the end of this tutorial on how to analyze PCAP files using Malcolm.<\/p>\n\n\n\n<p>That is just a tip of the iceberg. 
Continue to explore this awesome Malcolm tool!<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Other Tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/analyze-network-traffic-using-brim-security\/\" target=\"_blank\" rel=\"noreferrer noopener\">Analyze Network Traffic Using Brim Security<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/analyze-network-traffic-using-zeek\/\" target=\"_blank\" rel=\"noreferrer noopener\">Analyze Network Traffic using Zeek<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, you will learn how to analyze PCAP files using Malcolm network traffic analysis tool. Malcolm can be used to analyze offline full<\/p>\n","protected":false},"author":3,"featured_media":13636,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,121,63],"tags":[5626,5628,5629,5627],"class_list":["post-13639","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-howtos","category-networking","tag-analyse-pcap-files-offline","tag-arkime-pcap-file-analysis","tag-arkme-search-filters","tag-malcolm-pcap-file-analysis","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/13639"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=13639"}],"version-history":[{"count":5,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/13639\/revisions"}],"predecessor-version":[{"id":20607,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/13639\/revisions\/20607"}],"
wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/13636"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=13639"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=13639"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=13639"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}