How to Work with Capture Files in Unicorn [Full Guide]

As you perform packet analysis, you will find that a good portion of the analysis you do will happen after your capture. Usually, you will perform several captures at various times, save them, and analyze them all at once. Therefore, Unicorn allows you to save your capture files to be analyzed later. You can also merge multiple capture files.

Options for Capture Files

Saving Capture Files

Ax3soft Unicorn can save packets to a memory buffer (the default) or to a disk file. To save a packet capture, click “Capture Option>General”. You should see the General dialog, as shown in Figure 4-1. Next, check the Capture to disk option and enter a location to save your packet capture.


Figure 4-1: The Save File As dialog allows you to save your packet captures.

Exporting Capture Files

One of the more powerful features is the ability to export specific packets. This is a great way to thin bloated packet capture files. You can choose to export only the packets that match a display filter (filters are discussed later in this chapter). To export your packet capture, choose the Export All or Export Selected menu item, and then select the format for the exported file.

Figure 4-2: Export packets to disk file

Merging Capture Files

Certain types of analysis require the ability to merge multiple capture files. This is a common practice when comparing two data streams or combining streams of the same traffic that were captured separately. Unicorn does this with its packet playback feature. When you play back multiple packet files with the Capture to disk option checked, Unicorn saves all the played-back packets to a file.

How to Playback Packets Captured

This section describes, step by step, how to play back captured packets. Unicorn analyzes not only live network data but also captured packets, including packets captured by Unicorn itself as well as packet files from other programs such as Wireshark and Omnipeek. To play back packets, follow the steps below:

1. Choose the “analysis” tab of the ribbon section and click the “Playback” button to show the “Capture Option” window. You can also click the “Playback” button in the “Start Page” window.

2. Select the packet files to be played back. Unicorn can play back multiple files continuously. When multiple packet files are played back, packets are played back in time-stamp order, not in the order the files appear in the packet file list.

3. Click the “OK” button to start analysis. By default, all packets are analyzed and saved to the memory buffer. If you want to analyze only specific packets, use packet filters; click “Creating Filters” for details. If you want to save packets to a disk file, click “Capture Option>General” for details.

· Append: Append files to be played back.

· Remove: Removes the selected packet file from the list.

· Remove All: Empties the packet file list.
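
The time-stamp-ordered merge described under Merging Capture Files and in step 2, shown as an added Python example (not Ax3soft's code). It assumes the inputs are classic libpcap files, a format Wireshark can save, each already in time order; the function names and the constructed `sample` capture are illustrative.

```python
import heapq
import io
import struct

MAGIC_US, MAGIC_NS = 0xA1B2C3D4, 0xA1B23C4D  # micro- / nanosecond time stamps

def read_pcap(stream):
    """Yield (ts_ns, linktype, orig_len, data) from a classic libpcap stream."""
    hdr = stream.read(24)
    if len(hdr) != 24:
        raise ValueError("truncated pcap global header")
    endian = "<" if hdr[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
    magic, linktype = struct.unpack(endian + "I16xI", hdr)
    if magic not in (MAGIC_US, MAGIC_NS):
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    scale = 1000 if magic == MAGIC_US else 1
    while rec := stream.read(16):
        if len(rec) < 16:
            raise ValueError("truncated record header")
        sec, frac, incl, orig = struct.unpack(endian + "4I", rec)
        data = stream.read(incl)
        if len(data) != incl:
            raise ValueError("truncated packet data")
        yield sec * 10**9 + frac * scale, linktype, orig, data

def write_header(out, linktype, snaplen=65535):
    out.write(struct.pack("<IHHiIII", MAGIC_US, 2, 4, 0, 0, snaplen, linktype))

def write_record(out, ts_ns, orig_len, data):
    sec, usec = ts_ns // 10**9, ts_ns % 10**9 // 1000
    out.write(struct.pack("<4I", sec, usec, len(data), orig_len) + data)

def merge_pcaps(streams, out):
    """Merge time-ordered captures into `out` by time stamp; return packet count."""
    merged = heapq.merge(*(read_pcap(s) for s in streams), key=lambda p: p[0])
    linktype, count = None, 0
    for ts_ns, lt, orig_len, data in merged:
        if linktype is None:  # header is written once the link type is known
            linktype = lt
            write_header(out, lt)
        elif lt != linktype:
            raise ValueError("link types differ; classic pcap allows one per file")
        write_record(out, ts_ns, orig_len, data)
        count += 1
    return count

def sample(pkts, linktype=1):  # constructed sample capture; 1 = Ethernet
    buf = io.BytesIO()
    write_header(buf, linktype)
    for ts_ns, data in pkts:
        write_record(buf, ts_ns, len(data), data)
    return io.BytesIO(buf.getvalue())
```

Passing `[b, a]` or `[a, b]` to `merge_pcaps` gives the same output, because the order of the file list does not affect the result; packets with equal time stamps keep the order of the list.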