CapME is a web interface that allows you to:
- view a pcap transcript rendered with tcpflow
- view a pcap transcript rendered with Zeek (especially helpful for dealing with gzip encoding)
- download a pcap

You can pivot to CapME from a NIDS alert in Squert or from any log in Kibana that includes a timestamp, source IP, source port, destination IP, and destination port.

If prompted for a username and password, simply enter your normal Sguil/Squert/Kibana username and password.