Re-analyzing recordings

Every once in a while, Rayhunter refines its heuristics to detect more kinds of suspicious behavior, and to reduce noise from incorrect alerts.

This means that your old green recordings may actually contain data that is now deemed suspicious, and, conversely, old red recordings may become green.

You can re-analyze any old recording inside of Rayhunter by clicking on "N warnings" to expand details, then clicking the "re-analyze" button.

Analyzing recordings on Desktop

If you have a PCAP or QMDL file but no Rayhunter device, you can analyze it on desktop using the rayhunter-check CLI tool. That tool contains the same heuristics as Rayhunter and will also work on traffic data captured with other tools, such as QCSuper.

Since version 0.6.1, rayhunter-check is included in the release zipfile.

You can build rayhunter-check from source with the following command: cargo build --bin rayhunter-check

Usage

rayhunter-check [OPTIONS] --path <PATH>

Options:
  -p, --path <PATH>   Path to the PCAP, or QMDL file. If given a directory will
                        recursively scan all pcap, qmdl, and subdirectories
  -P, --pcapify       Turn QMDL file into PCAP
      --show-skipped  Show skipped messages
  -q, --quiet         Print only warnings
  -d, --debug         Print debug info
  -h, --help          Print help
  -V, --version       Print version

Examples

rayhunter-check -p ~/Downloads/myfile.qmdl

rayhunter-check -p ~/Downloads/myfile.pcap

rayhunter-check -p ~/Downloads # Check all files in Downloads

rayhunter-check -d -p ~/Downloads/myfile.qmdl # Run in debug mode
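Because the heuristics change between releases, an old archive of recordings is worth re-checking after every rayhunter-check upgrade. The script below is an added example, not part of the Rayhunter project: it walks a directory of recordings, runs rayhunter-check in quiet mode on each file separately (so warnings stay attributed to the file that produced them), and writes a report marking each file WARN or CLEAN. It assumes the binary is on PATH or named via the RAYHUNTER_CHECK environment variable, and that in --quiet mode any output on stdout is a warning, as the help text above states.

```shell
#!/bin/sh
# Batch re-analysis of stored recordings with rayhunter-check.
# Added example; not from the Rayhunter project.
# Assumptions: rayhunter-check is on PATH or given via RAYHUNTER_CHECK,
# and with -q it prints nothing for a clean file and only warnings otherwise.

RAYHUNTER_CHECK="${RAYHUNTER_CHECK:-rayhunter-check}"

# reanalyze_dir DIR REPORT
# Runs rayhunter-check -q on every .pcap/.qmdl file below DIR, one at a time,
# appends "WARN  <file>" plus the warning text or "CLEAN <file>" to REPORT,
# and prints the number of files that produced at least one warning.
reanalyze_dir() {
    dir="$1"
    report="$2"
    list="$(mktemp)"
    # Collect the file list first so the read loop runs in this shell and
    # the counter survives (a loop fed by a pipe would run in a subshell).
    find "$dir" -type f \( -name '*.pcap' -o -name '*.qmdl' \) | sort > "$list"
    : > "$report"
    flagged=0
    while IFS= read -r f; do
        # Only stdout is captured; stderr passes through to the terminal.
        out="$("$RAYHUNTER_CHECK" -q -p "$f")"
        if [ -n "$out" ]; then
            flagged=$((flagged + 1))
            printf 'WARN  %s\n%s\n' "$f" "$out" >> "$report"
        else
            printf 'CLEAN %s\n' "$f" >> "$report"
        fi
    done < "$list"
    rm -f "$list"
    echo "$flagged"
}

# Usage: sh reanalyze.sh ~/rayhunter-recordings report.txt
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    n="$(reanalyze_dir "$1" "${2:-report.txt}")"
    echo "$n recording(s) produced warnings; see ${2:-report.txt}"
fi
```

Reviewing the WARN entries in the report after an upgrade is the desktop equivalent of pressing "re-analyze" on each recording in the Rayhunter UI; files that were green under older heuristics may now appear here, and files that used to be flagged may now come back CLEAN.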