# Web Traffic Data Export to MAFF

- Installation
- HW specification
- Usage
- Reference

### Implementation

MAFF Snooper is implemented in C# and is a plug-in module for the NetFox security framework, which is also implemented in C#.

### Installation

The MAFF module depends on the NetFox framework, and its implementation is stored on that framework's Team Foundation Server (TFS). To obtain the module implementation you need credentials for this TFS server. Next, download the branch DevelopSnooperMAFF, which was used during the development of the module. After downloading the branch, complete these prerequisites for building the solution:

- Generate NBAR with the custom tool, which is located in the project Framework/ApplicationRecognizer/NBAR/misc/nbar11.xsd -> right-click and run a custom tool
- Unload the plug-ins in the project Detective/Plugins -> Unload projects
- For the CefSharp NuGet package, which is required to run MAFFSnooper, choose platform x86 and set the default project to Detective/Plugins

After the solution is built, the CefSharp NuGet package for WPF visualisation starts downloading automatically. It is advisable to check that this process completes correctly. The installation is automatic and requires no other intervention.

To build the module, you only need to build the SnooperMAFF project. Thanks to dependencies, the projects HTTPSnooper (input data), Detective, Framework, Core, PMlib, Logger and Persistence are built as well. After the build, you only need to launch the NetFox Framework.

### HW requirements

The HW requirements specified for the NetFox Framework also apply to the SnooperMAFF module.
See http://netfox.fit.vutbr.cz/Download.en.html

Recommended configuration:

- 1 gigahertz (GHz) 64-bit (x64) processor
- 8 gigabyte (GB) RAM
- 64 GB available SSD hard disk space
- DirectX 9 graphics device with WDDM 1.0 or higher driver
- 1,920 x 1,200 with true color

### Application

When the NetFox Framework is launched, you need to create a workspace in order to work with the outputs of the individual snoopers. You can either keep the default workspace or create your own based on your preferences. Once the workspace has been created, you can move into it. A workspace is made up of dozens of functions and sets.

The MAFF module includes settings, which can be found in Menu -> View -> Settings -> MAFFSettings. The settings let you change the basic characteristics of the MAFF module's data mining, so that each individual input archive is as accurate as possible.

Adding the so-called captures is important for the MAFF module, because these captures contain the captured communication. They can be added with the add button (shown as a + icon) beneath the aforementioned captures. Typically, they are files containing the captured communication in PCAP or PCAPNG format.

After adding the captures, you need to run data mining. Select both the HTTP snooper and the MAFF snooper. The HTTP snooper is necessary because the MAFF snooper depends directly on its data. Once the individual snoopers (modules) are chosen, data mining is launched with the button Actualize Export Set. After data mining completes, a browsable MAFF archive appears in the exports.

Every archive has three basic visualisations. The first is generic (inherited) for every exportable object of the NetFox Framework. The second focuses on the visualisation of the archive contents, where you can see the individual archive objects. Every object displays its basic attributes and can be opened separately through a link in the default application that displays it.
The last visualisation of any individual archive is the visualisation of the web page in the state in which it was captured. Every archive contains snapshots, which can be switched using buttons. The buttons can be used either in the archive contents visualisation or in the final web page visualisation.

### Reference

JANEČEK, Vít. Web Traffic Data Export to MAFF. Brno, 2016. Bachelor thesis. Vysoké učení technické v Brně, Fakulta informačních technologií. Supervisor Veselý Vladimír.