Product detail

NTPAC - Network Traffic Packet Analysing Cluster

LETAVAY, V. PLUSKAL, J.

Product type

software

Abstract

The NTPAC tool is intended for distributed processing of captured computer network communication. Typical network forensic analysis of captured communication on a single machine is very resource demanding and can only be carried out up to a specific limit, even with a very powerful machine; we solve this issue with a distributed computation that scales horizontally. NTPAC processes data in the form of PCAP files containing captured computer network communication, or it can intercept data directly on the wire. Each processed packet is routed to a particular worker node, which collects all the packets belonging to a particular conversation and conducts defragmentation and reassembly, the necessary preprocessing operations. Data are stored in a distributed Cassandra database. The actual extraction of application protocols takes place only after the data are stored in the database. This ensures a higher degree of fine-grained resource utilization and emphasizes the paramount role of complete data capture and preprocessing, so that no packet gets lost. We recognize two types of application protocols: text-based and binary. The text-based protocols are processed by handwritten application protocol parsers built on our stream interface, which serves preprocessed, reconstructed data. The binary protocols are processed by parsers which are automatically generated using the Kaitai tool. The combination of these approaches ensures easy extensibility of the NTPAC tool.

Keywords

Network forensics, Network traffic processing, Actor model, Distributed Computing

Date of creation

5. 12. 2018

Location

https://github.com/nesfit/NTPAC

Possibilities of use

Use of the result by another entity always requires obtaining a licence

Licence fee

The licence provider does not require a licence fee for the result