Wednesday, June 12, 2019

Analyze pcaps in 3 simple steps using Security Onion's improved so-import-pcap!

In February 2018, we released an initial version of so-import-pcap to allow you to easily import pcap files into Security Onion while preserving original timestamps.  Then in February 2019, we totally revamped so-import-pcap to make it much easier, faster, and have better error handling!

Our most recent ISO image includes the latest version of so-import-pcap and one of the new features is the ability to automatically run Setup for you.  This means that you can now analyze pcap files in Security Onion in just 3 simple steps!
  1. install our most recent ISO image
  2. sudo so-import-pcap /path/to/pcap/file
  3. log into Squert and Kibana to review alerts and logs with original timestamps

Another big difference in this new version of so-import-pcap is that we've drastically improved performance by switching to Elasticsearch ingest node parsing.  Logstash now initializes in just a few seconds and your NIDS alerts and Bro logs can be found in Kibana shortly thereafter.  This also greatly reduces the resource requirements.  In the final screenshot below, you'll notice that we're using just over 3GB RAM (instead of the 8GB RAM that we would recommend for the previous version of so-import-pcap).

Finally, this new so-import-pcap should now handle errors much more gracefully.  For example, corrupt pcap files are now automatically fixed using pcapfix.
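As an added example (not part of the original post or of the Security Onion project), a small POSIX shell pre-flight script around the three-step workflow above: it checks the libpcap magic so a corrupt file can be repaired with pcapfix before import, reports the first packet's original timestamp so you know which time window to query in Kibana and Squert afterwards, and then runs so-import-pcap exactly as in step 2. The helper names and the `.fixed.pcap` output name are assumptions; pcapfix and so-import-pcap are assumed to be on PATH.

```shell
#!/bin/sh
# Pre-flight check before handing a capture to so-import-pcap (added example,
# not part of Security Onion): inspect the libpcap global header so a corrupt
# file can be repaired with pcapfix first, and report the first packet's
# original timestamp so you know which time window to query in Kibana.

# Echo "le" or "be" for a valid libpcap magic (microsecond 0xa1b2c3d4 or
# nanosecond 0xa1b23c4d), or "unknown" for pcapng, truncated or corrupt files.
pcap_endian() {
  set -- $(od -An -tu1 -N 4 "$1")          # first four bytes as decimals
  [ $# -eq 4 ] || { echo unknown; return; }
  case "$1.$2.$3.$4" in
    212.195.178.161|77.60.178.161) echo le ;;   # d4 c3 b2 a1 / 4d 3c b2 a1
    161.178.195.212|161.178.60.77) echo be ;;
    *) echo unknown ;;
  esac
}

# Echo the first packet's ts_sec as Unix epoch seconds.  The 16-byte record
# header (ts_sec, ts_usec, incl_len, orig_len) follows the 24-byte global header.
pcap_first_ts() {
  _endian=$(pcap_endian "$1")
  [ "$_endian" != unknown ] || return 1
  set -- $(od -An -tu1 -j 24 -N 4 "$1")
  [ $# -eq 4 ] || return 1                 # header only, no packet records
  if [ "$_endian" = le ]; then
    echo $(( $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 ))
  else
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
  fi
}

# Check, repair if needed, print the time window, then import (step 2 of the
# post).  Assumes pcapfix and so-import-pcap are on PATH; the repaired copy is
# written next to the original with an assumed .fixed.pcap suffix.
import_pcap() {
  f=$1
  if [ "$(pcap_endian "$f")" = unknown ]; then
    echo "$f: unrecognised pcap header, repairing with pcapfix" >&2
    pcapfix -o "${f%.pcap}.fixed.pcap" "$f" || return 1
    f="${f%.pcap}.fixed.pcap"
  fi
  ts=$(pcap_first_ts "$f") || { echo "$f: no packet records" >&2; return 1; }
  echo "first packet (original timestamp): $(date -u -d "@$ts" 2>/dev/null || echo "$ts")"
  sudo so-import-pcap "$f"
}

# Usage: sh check_pcap.sh /path/to/file.pcap
if [ $# -eq 1 ]; then import_pcap "$1"; fi
```

The reported timestamp is the value so-import-pcap preserves, so it is the date to navigate to in Kibana once the import finishes.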

As a reminder, so-import-pcap is NOT intended to run on your existing production deployment.  Instead, it is intended for standalone systems designated for so-import-pcap.

Screenshot Tour

so-import-pcap warns before making any changes

so-import-pcap can now run Setup automatically for you

When so-import-pcap is complete, it will provide a hyperlink to view all data in Kibana

Kibana and Squert displaying logs and alerts while using just over 3GB RAM
