CapMe

Description

CapME is a web interface that allows you to:

view a pcap transcript rendered with tcpflow
view a pcap transcript rendered with Bro (especially helpful for dealing with gzip encoding)
download a pcap

Accessing

You can pivot to CapME from a NIDS alert in Squert or from any log in ELSA that has timestamp, source IP, source port, destination IP, and destination port.

Logging In

When prompted for username/password, simply enter your normal Sguil/Squert/ELSA username/password.

DNS lookups

CapMe displays source IP address and destination IP address including their DNS lookups. You can disable these DNS lookups as shown here: https://github.com/Security-Onion-Solutions/security-onion/issues/905

Getting Started

Update/Upgrade

Analyst Tools

Network Visibility

Host Visibility

Elastic Stack

Customizing for your network

Tuning

Tricks and Tips

Help

Issues

Issues

Other

Tools

Scripts

so-import-pcap

CapMe

Description

Accessing

Logging In

DNS lookups

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!