We're excited to release AppPacCap to the masses. AppPacCap is an application packet capture framework designed to allow for targeted packet captures through a RESTful API and extensible front-end. If that doesn't make sense, don't worry, because if you have ever used Wireshark you can use AppPacCap. It currently only supports 64-bit systems, but we should have a 32-bit version at some point. You can check out the documentation and video over at https://www.heidef.com and download it to try for yourself. Cheers!
I have never actually used a tool like Wireshark, but what exactly can you do with it? Can you catch malware?
Kind of, but not directly. Packet capture tools have multiple uses, from network troubleshooting to malware analysis, but by itself a tool like Wireshark isn't going to tell you if traffic is malicious. You would take the captures and run them through tools like Snort (if not sniffing directly) to identify the malicious packets.
Wait a minute. I must be slipping. Looks like Heilig Defense has been busy at it as usual. Will enjoy having a look at the doc and app of this first release; however, something else caught my attention too. I must admit and admire, Memory Sentry looks to be worth keeping an eye out for.
Will check it out fer sure and also keep my eye on Memory Sentry. @Rasheed187 - why not give it a try? Such products come in handy on occasion.
Starting AppPacCap update...
[*] Validating manifest integrity.
[*] Extracting data to 'C:\Program Files\Heilig Defense, LLC\AppPacCap\http\'.
[!] Could not extract zip contents.
[!] Update was not successful!
OK I see. Does it also need to inject code into the browser in order to monitor traffic? I believe it's more geared towards experts.
I wouldn't say just experts, but AppPacCap currently is not an everyday tool designed to protect a system. The cool thing with AppPacCap, though, is that it provides a powerful base that can easily be extended to create functional tools that could provide insight and protection against threats. We plan to expand its capabilities so that blocking actions can occur, which will make it much more usable from a security point of view. Our hope is that by providing a powerful base that abstracts the networking details away, skilled devs will create front-ends that leverage the capabilities into an everyday tool that non-experts can use. To answer your other question, it does not inject into a browser. It uses a driver to listen to network comms at a low level. Browser injection would be an option if drivers were not, but processes other than browsers communicate on the network and we want to make sure we capture everything.
It was a bug in the installer. It doesn't like if the 'http' directory already exists. Next update will have it fixed along with some cool new features like file extraction and host fingerprinting.
Great. Will like to put it through its paces on the next release for sure. Just been so swamped with testing NVT builds and learning a new browser to get used to again, but I'm quickly catching up and getting up to speed again. Hooray.
It's good, but the program still does not work for me. The service stops constantly, but even when it's started, traffic is not intercepted.
It doesn't work for me either. No issue with the service, just doesn't capture any traffic. This is on Windows 8.1 x64.
Do you have NoScript blocking the scripts on the page? On the default web page, are the charts and numbers updating or staying at zero the whole time? If they are not refreshing, then it may be an issue with the driver and network adapter.

To check if the driver is enabled for your network adapter, first right-click on the adapter icon in the task bar and click 'Open Network and Sharing Center'. Then on the left side click the 'Change Adapter Settings' link. A new window should open with the list of your network adapters, so right-click on the connected adapter and go to Properties. Once the properties window opens up, you should see 'Heilig Defense AppPacCap LWF' in the list of drivers and it should be checked. If it is not checked, please check it and click OK.

If that's good, when you started a system capture, did a 'System' tab appear? Is there any error in the browser console? You can find the browser console by going to 'Developer Tools' (Chrome: Ctrl+Shift+I, Firefox: Ctrl+Shift+K).
When you say the service stops constantly, you mean it is crashing? Can you please provide the crash reports from the Windows Event Viewer? What's your OS?
No script blockers. The Connections value changes frequently and the process list appears. However, Packets and Bytes remains at zero. Your driver is ticked. The System tab appears as do the tabs for any processes I choose to Capture. No errors in the browser console. Have tried Chrome and Internet Explorer - exactly the same outcome. Have also installed on a Windows 10 FCU x64 and get exactly the same results. No capture.
Do you have any other capture software, like Wireshark, running? Could you start it again, go to an elevated command prompt and type 'sc query hdapppaccaplwf'? That will show the driver status and whether it is loaded and running.
No, no other capture software running on either PC. WinPcap was installed on the 8.1 PC, but I've removed it and it's made no difference. The driver appears to be running normally:

SERVICE_NAME: hdapppaccaplwf
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
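The 'sc query' check suggested above is the quickest way to tell whether the AppPacCap LWF driver is actually loaded, but reading the raw output by eye is error-prone when you are comparing several machines. The following is an added example (not code from Heilig Defense or the AppPacCap project) that parses 'sc query' output into fields and classifies the driver state. The sample texts are constructed: the first copies the RUNNING output quoted in this thread, the other two imitate what 'sc' prints for a registered-but-stopped driver and for a service name that was never registered (the second failure mode matches the missing 'hdapppaccaplwf.inf' report later in the thread). The service name 'hdapppaccaplwf' comes from the thread; everything else is an assumption.

```python
import re
import subprocess

# Constructed sample 1: the output quoted in the thread for a loaded driver.
SAMPLE_RUNNING = """
SERVICE_NAME: hdapppaccaplwf
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

# Constructed sample 2: driver registered but never started
# (1077 / 0x435 is ERROR_SERVICE_NEVER_STARTED).
SAMPLE_STOPPED = """
SERVICE_NAME: hdapppaccaplwf
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

# Constructed sample 3: the service name was never registered at all.
SAMPLE_MISSING = """
[SC] EnumQueryServicesStatus:OpenService FAILED 1060:

The specified service does not exist as an installed service.
"""

# One "KEY : value" line of sc output; continuation lines such as
# "(STOPPABLE, ...)" carry no key and are skipped by the parser.
SC_LINE = re.compile(r"^\s*([A-Z0-9_]+)\s*:\s*(.*?)\s*$")


def parse_sc_query(text):
    """Parse 'sc query <name>' output into a dict.

    STATE and TYPE become (numeric_code, symbolic_name) tuples, the two exit
    codes become ints, everything else is kept as the raw string.
    """
    fields = {}
    for line in text.splitlines():
        m = SC_LINE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key in ("STATE", "TYPE"):
            code, _, name = value.partition(" ")
            fields[key] = (int(code), name.strip())
        elif key in ("WIN32_EXIT_CODE", "SERVICE_EXIT_CODE"):
            fields[key] = int(value.split()[0])  # drop the "(0x..)" suffix
        else:
            fields[key] = value
    return fields


def assess_driver(text, expected_name="hdapppaccaplwf"):
    """Classify sc output as ('running' | 'stopped' | 'not_installed' |
    'unknown', human-readable detail)."""
    if "does not exist as an installed service" in text:
        return ("not_installed",
                "service not registered: re-run the installer")
    fields = parse_sc_query(text)
    if fields.get("SERVICE_NAME") != expected_name or "STATE" not in fields:
        return ("unknown", "unrecognised sc output")
    code, name = fields["STATE"]
    if code == 4:  # SERVICE_RUNNING
        return ("running",
                "driver loaded; if packets stay at zero, check the LWF "
                "binding on the adapter instead")
    exit_code = fields.get("WIN32_EXIT_CODE", 0)
    return ("stopped",
            f"driver {name.lower()} (state {code}, exit code {exit_code})")


def query_driver(name="hdapppaccaplwf"):
    """Run sc query on a Windows host (needs an elevated prompt) and assess it.
    Not exercised offline; provided so the parser can be used end to end."""
    out = subprocess.run(["sc", "query", name], capture_output=True,
                         text=True).stdout
    return assess_driver(out, name)


if __name__ == "__main__":
    for label, sample in (("running", SAMPLE_RUNNING),
                          ("stopped", SAMPLE_STOPPED),
                          ("missing", SAMPLE_MISSING)):
        print(label, "->", assess_driver(sample))
```

A 'running' result only proves the kernel driver is loaded; it says nothing about whether the LWF is bound to the adapter you are actually using, which is why the adapter Properties check above is still needed when Packets and Bytes stay at zero.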
I just tried to install AppPacCap and the setup couldn't find this file: "hdapppaccaplwf.inf". This is on Windows 10 64-bit Home.
For anyone else who has tried AppPacCap so far (or is thinking about it), there seems to be an issue with it attaching to wireless adapters at this time. For wired connections there shouldn't be any problem, but if you try it on a Wi-Fi connection, then it may fail. We are working on a fix and should hopefully have an update soon.
OK thanks for all of the info. I forgot that you don't necessarily need to hook the browser when you already have a driver that can monitor network connections. I believe a tool like Fiddler does hook the browser, what is the difference between the two? BTW, Memory Sentry sounds very interesting!
I haven't used Fiddler in years, so I'm not really sure how it works anymore and really can't say what the differences are. One cool thing that I know it can do is set up an SSL proxy. We are thinking about adding that feature to AppPacCap so you can have SSL inspection. It's very handy with HTTPS becoming more prevalent.
Looking forward to the update, as one of my PCs is Wi-Fi only. I've now got it working on my wired PC and I'm really impressed by the smart and intuitive interface. It really is a joy to use and works well in Firefox and Chrome. However, in IE the packet information windows are always blank. This could be caused by my browser settings, so I'm not concerned, as I mostly use Chrome anyway.