Search In Packet Logs

You can now search for arbitrary strings in the historical packet logs directly. The only requirement for this search is at least one IP address in addition to the search string.

For example, in the search below we are looking for the IP address 139.182.44.203 in any packet either sent or received by the host 23.208.142.28. The search is also restricted to an hour's worth of packets on 5/7/2018.

[Screenshot: searchpayload]

So why would you look for an IP address string in the packets? This is normally done when there is more than one proxy and the system is not able to properly identify the proxy chain. In that case the offending IP is recorded only in the X-Forwarded-For field of the HTTP headers. Once you find those headers, you can identify the real flows and then search again, specifying the source and destination ports, to get the data that was exchanged.

But this search feature is much more powerful than that: you can also look retroactively through your packet history using full Perl regular expressions!

If you have read this far and you are an expert user, you will be wondering about the example above. The search string above would actually match more than 139.182.44.203, because in a regular expression an unescaped dot matches any character (for example 139a182b44c203 would also match). To be precise you would need to enter:

139\.182\.44\.203

But suppose you wanted to match a specific set of IP addresses:

139.182.44.203
139.182.44.205
139.182.44.206

Using a regular expression you could search for:

139\.182\.44\.20[356]
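To see the difference between these three search strings in practice, here is a small added example (not part of the original post and not the product's own code) that runs them over a handful of constructed packet payloads. It also walks through the X-Forwarded-For case from earlier: find the headers that name the offending client, then pull out the real flows (addresses and ports) to search again. Python's re module is used only because these particular patterns are written identically in Perl and Python; the packet tuples, the sample payloads and the helper function names are all assumptions made for the demo.

```python
import re

# Constructed sample "packet log": (src, sport, dst, dport, payload).
# None of this is real traffic; the addresses reuse the post's example hosts.
SAMPLE_PACKETS = [
    ("10.0.0.5", 51000, "23.208.142.28", 80,
     b"GET /a HTTP/1.1\r\nHost: example.test\r\n"
     b"X-Forwarded-For: 139.182.44.203, 10.0.0.5\r\n\r\n"),
    ("10.0.0.5", 51001, "23.208.142.28", 80,
     b"GET /b HTTP/1.1\r\nHost: example.test\r\n"
     b"X-Forwarded-For: 139.182.44.205\r\n\r\n"),
    ("10.0.0.5", 51002, "23.208.142.28", 80,
     b"GET /c HTTP/1.1\r\nHost: example.test\r\n"
     b"X-Forwarded-For: 139.182.44.204\r\n\r\n"),
    # Only "looks like" the address when the dots are left unescaped.
    ("10.0.0.9", 51003, "23.208.142.28", 80,
     b"POST /api HTTP/1.1\r\nHost: example.test\r\n\r\nid=139a182b44c203"),
    # Traffic to an unrelated host; the host filter must exclude it.
    ("10.0.0.9", 51004, "198.51.100.7", 80,
     b"GET / HTTP/1.1\r\nHost: other.test\r\n\r\n"),
]

# Case-insensitive header match; captures the whole comma-separated value.
XFF_RE = re.compile(rb"(?im)^X-Forwarded-For:[ \t]*([^\r\n]+)")


def search_packets(pattern, host, packets=SAMPLE_PACKETS):
    """Indices of packets sent or received by `host` whose payload matches
    the regex `pattern` (the post's rule: one IP address plus a search string).
    The pattern is compiled as bytes so it runs over raw payloads."""
    rx = re.compile(pattern.encode())
    return [i for i, (src, _sp, dst, _dp, payload) in enumerate(packets)
            if host in (src, dst) and rx.search(payload)]


def forwarded_clients(pattern, host, packets=SAMPLE_PACKETS):
    """For each matching packet carrying an X-Forwarded-For header, return the
    left-most address: the original client, with proxies appended after it."""
    clients = []
    for i in search_packets(pattern, host, packets):
        m = XFF_RE.search(packets[i][4])
        if m:
            clients.append(m.group(1).split(b",")[0].strip().decode())
    return clients


def matching_flows(pattern, host, packets=SAMPLE_PACKETS):
    """The (src, sport, dst, dport) flows behind the matching packets: the
    tuples you would use for the follow-up search by source and destination
    port described in the post."""
    return sorted({packets[i][:4] for i in search_packets(pattern, host, packets)})


if __name__ == "__main__":
    host = "23.208.142.28"
    for pat in ["139.182.44.203", r"139\.182\.44\.203", r"139\.182\.44\.20[356]"]:
        print(f"{pat:25} -> packets {search_packets(pat, host)}")
    print("clients :", forwarded_clients(r"139\.182\.44\.20[356]", host))
    print("flows   :", matching_flows(r"139\.182\.44\.20[356]", host))
```

The unescaped search string picks up packet 3 (the `139a182b44c203` payload) as a false positive; the escaped form does not, and the character class matches exactly the .203 and .205 entries while leaving .204 alone. The flows list is what you would feed back into a port-restricted search to recover the full exchange.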

Just imagine what you could search for when you are hunting down specific strings or patterns. This little new feature (also available through the CLI interface as the option -Q) should really expand the power of our historical packet logging system. It lets you easily dig through your network history for hidden clues about what happened in the past.
