# Performing Network Forensics with Wireshark

Capture and analyze network traffic using Wireshark and tshark to reconstruct network events, extract artifacts, and identify malicious communications.

## When to Use
- When analyzing captured network traffic (PCAP files) from a security incident
- For identifying command-and-control (C2) communications in captured traffic
- When reconstructing data exfiltration activities from packet captures
- During malware analysis to identify network indicators of compromise
- For extracting files, credentials, and artifacts transferred over the network

## Prerequisites
- Wireshark or tshark installed for packet analysis
- PCAP/PCAPNG files from network captures (tcpdump, Wireshark, network TAP)
- NetworkMiner for automated artifact extraction
- Sufficient RAM for large capture files (1GB+ PCAPs need 8GB+ RAM)
- Understanding of TCP/IP, HTTP, DNS, TLS protocols
- GeoIP databases for IP geolocation

## Workflow

### Step 1: Prepare and Validate the Capture File

```bash
# Install Wireshark and tshark
sudo apt-get install wireshark tshark

# Verify the PCAP file
capinfos /cases/case-2024-001/network/capture.pcap

# Output includes: file type, packet count, capture duration, data size
# Example output:
# File name:           capture.pcap
# File type:           Wireshark/tcpdump/... - pcap
# Number of packets:   1,245,678
# File size:           856 MB
# Data size:           823 MB
# Capture duration:    3600.123456 seconds
# First packet time:   2024-01-15 14:00:00.000000
# Last packet time:    2024-01-15 15:00:00.123456

# Hash the PCAP for integrity
sha256sum /cases/case-2024-001/network/capture.pcap \
   > /cases/case-2024-001/network/pcap_hash.txt

# Get a protocol hierarchy statistics overview
tshark -r /cases/case-2024-001/network/capture.pcap -q -z io,phs
```
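To make the numbers capinfos reports concrete, here is a small classic-pcap reader that walks the global header and every record and produces the same basics (packet count, data size, first/last timestamp, duration) plus a SHA-256 of the file. It is an added example, not part of this skill or of Wireshark, and it deliberately handles only the classic pcap format (all four magic numbers: both byte orders, microsecond and nanosecond timestamps); pcapng files, which capinfos also understands, are rejected with an error. The sample capture it builds is constructed in memory so the script runs offline; pass a real path as the first argument to summarize an actual file. The truncated-file check matters in practice: a capture that died mid-write ends in a partial record, and the count reported up to that point is what you can actually rely on.

```python
#!/usr/bin/env python3
"""Minimal classic-pcap summary (added example; not from the skill page or Wireshark).
Reports the same basics as capinfos: packet count, byte count, first/last timestamp,
duration, and whether the file ends mid-record (a truncated capture)."""
import hashlib
import struct
import sys
from datetime import datetime, timezone

# Magic number as read little-endian from offset 0 -> (struct byte order, ticks per second)
MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian file, microsecond timestamps
    0xD4C3B2A1: (">", 1_000_000),      # big-endian file, microsecond timestamps
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian file, nanosecond timestamps
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian file, nanosecond timestamps
}
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16


def summarize_pcap(data: bytes) -> dict:
    """Walk every record header; stop (and flag) at the first record that runs past EOF."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("file shorter than a pcap global header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng starts with 0x0A0D0D0A)")
    order, ticks = MAGICS[magic]
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack_from(order + "HHiIII", data, 4)
    count = data_size = 0
    first = last = None
    truncated = False
    off = GLOBAL_HDR_LEN
    while off < len(data):
        if off + RECORD_HDR_LEN > len(data):
            truncated = True
            break
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack_from(order + "IIII", data, off)
        off += RECORD_HDR_LEN
        # A record claiming more bytes than snaplen, than its own wire length, or than
        # remain in the file is corrupt or cut off: do not trust anything after it.
        if incl_len > snaplen or incl_len > orig_len or off + incl_len > len(data):
            truncated = True
            break
        ts = ts_sec + ts_frac / ticks
        first = ts if first is None else min(first, ts)  # captures are not always time-ordered
        last = ts if last is None else max(last, ts)
        count += 1
        data_size += incl_len
        off += incl_len
    return {
        "version": f"{major}.{minor}",
        "linktype": linktype,
        "snaplen": snaplen,
        "packets": count,
        "data_size": data_size,
        "first_packet": first,
        "last_packet": last,
        "duration_seconds": (last - first) if count else 0.0,
        "truncated": truncated,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_sample_pcap() -> bytes:
    """Constructed three-packet capture (little-endian, microsecond timestamps),
    starting 2024-01-15 14:00:00 UTC, so the example runs without a real file."""
    base = int(datetime(2024, 1, 15, 14, 0, 0, tzinfo=timezone.utc).timestamp())  # 1705327200
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    recs = b""
    for sec_off, usec, length in ((0, 0, 60), (1, 500_000, 74), (5, 250_000, 100)):
        payload = b"\x00" * length  # zero bytes stand in for a frame; only lengths matter here
        recs += struct.pack("<IIII", base + sec_off, usec, length, length) + payload
    return hdr + recs


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_pcap()
    for key, val in summarize_pcap(data).items():
        if key in ("first_packet", "last_packet") and val is not None:
            val = datetime.fromtimestamp(val, tz=timezone.utc).isoformat()
        print(f"{key:>18}: {val}")
```

Record the SHA-256 it prints alongside the capinfos output; if the file is later found to be truncated or re-saved by a tool, the hash mismatch tells you which copy the analysis was done on.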

### Step 2: Filter and Identify Suspicious Traffic

```bash
# Extract conversation statistics
tshark -r /cases/case-2024-001/network/capture.pcap -q -z conv,tcp

# Find top talkers by bytes transferred (column 3 of the endpoints table is total
# bytes; the table is space-aligned rather than tab-separated, so let sort split on
# whitespace; the two header lines sort to the bottom)
tshark -r /cases/case-2024-001/network/capture.pcap -q -z endpoints,ip \
   | sort -k3 -rn | head -20

# Filter for DNS queries (potential C2 or exfiltration)
tshark -r /cases/case-2024-001/network/capture.pcap \
   -Y "dns.qr == 0" \
   -T fields -e frame.time -e ip.src -e dns.qry.name \
   > /cases/case-2024-001/analysis/dns_queries.txt

# Find DNS queries to unusual TLDs or long domain names (DNS tunneling)
tshark -r /cases/case-2024-001/network/capture.pcap \
   -Y "dns.qr == 0 && dns.qry.name matches \"[a-z0-9]{30,}\"" \
   -T fields -e frame.time -e ip.src -e dns.qry.name \
   > /cases/case-2024-001/analysis/suspicious_dns.txt

# Filter HTTP traffic
tshark -r /cases/case-2024-001/network/capture.pcap \
   -Y "http.request" \
   -T fields -e frame.time -e ip.src -e ip.dst -e http.request.method \
   -e http.host -e http.request.uri -e http.user_agent \
   > /cases/case-2024-001/analysis/http_requests.txt

# Find connections to ports commonly abused for reverse shells and IRC-style C2
# (4444, 1337, 6667) or non-standard HTTP (8080); 8080 in particular is also used
# by legitimate proxies, so treat hits as leads rather than findings
tshark -r /cases/case-2024-001/network/capture.pcap \
   -Y "tcp.dstport == 4444 || tcp.dstport == 8080 || tcp.dstport == 1337 || tcp.dstport == 6667" \
   -T fields -e frame.time -e ip.src -e ip.dst -e tcp.dstport \
   > /cases/case-2024-001/analysis/suspicious_ports.txt

# Detect beaconing patterns (regular interval connections): dump one epoch timestamp
# per packet to the suspect destination, then compute the inter-arrival intervals
# from that file (a stable interval with little jitter indicates a beacon)
tshark -r /cases/case-2024-001/network/capture.pcap \
   -Y "ip.dst == 185.0.0.1" \
   -T fields -e frame.time_epoch \
   > /tmp/beacon_times.txt
```
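The DNS filter above only catches labels of 30 or more characters, and the beaconing command only dumps timestamps; both need a second pass to turn field exports into a finding. The script below is an added example (not part of this skill) that does that pass over the two files Step 2 writes: it groups `dns_queries.txt` by registered domain and scores each by query count, average subdomain length and character entropy (hex- or base32-encoded tunnel payloads sit near 4 bits per character, real hostnames well below), and it computes inter-arrival deltas from `beacon_times.txt`, using the median interval and the median absolute deviation so a handful of retries or gaps does not hide a regular beacon. The domain split is naive (last two labels, no public-suffix list) and the thresholds are assumptions to tune against your own baseline; the sample DNS lines and beacon timestamps are constructed so the script runs offline.

```python
#!/usr/bin/env python3
"""Second-pass triage over tshark field exports (added example; not from the skill page).

Input formats, as produced by the Step 2 commands:
  dns_queries.txt  - frame.time<TAB>ip.src<TAB>dns.qry.name
  beacon_times.txt - one frame.time_epoch value per line, for a single destination
"""
import hashlib
import math
import statistics
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0 for a single repeated character, 4.0 for uniform hex."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def split_qname(qname: str):
    """Naive (subdomain, registered domain) split: the last two labels are the domain.
    Assumption: no public-suffix list, so 'example.co.uk'-style names split wrongly."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def dns_tunnel_stats(lines, min_queries=20, min_avg_len=30, min_entropy=3.0):
    """Per registered domain: volume, subdomain length and entropy, and a tunnel verdict.
    Thresholds are assumptions; calibrate them against a known-clean capture."""
    per_domain = defaultdict(list)
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) < 3 or not parts[2]:
            continue
        sub, dom = split_qname(parts[2])
        per_domain[dom].append(sub)
    report = {}
    for dom, subs in per_domain.items():
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        report[dom] = {
            "queries": len(subs),
            "unique_subdomains": len(set(subs)),
            "avg_subdomain_len": avg_len,
            "avg_entropy": avg_ent,
            "suspicious": len(subs) >= min_queries and avg_len >= min_avg_len and avg_ent >= min_entropy,
        }
    return report


def beacon_stats(epoch_times, min_events=10, max_jitter=0.25):
    """Inter-arrival analysis: median interval and MAD-based jitter ratio.
    A low ratio means the connections recur on a fixed schedule (beaconing)."""
    ts = sorted(float(t) for t in epoch_times if str(t).strip())
    if len(ts) < min_events:
        return {"events": len(ts), "beaconing": False}
    deltas = [b - a for a, b in zip(ts, ts[1:])]
    med = statistics.median(deltas)
    mad = statistics.median(abs(d - med) for d in deltas)
    jitter = mad / med if med > 0 else float("inf")
    return {
        "events": len(ts),
        "span_s": ts[-1] - ts[0],
        "median_interval_s": med,
        "mad_s": mad,
        "jitter_ratio": jitter,
        "beaconing": jitter <= max_jitter,
    }


# Constructed sample data: 25 tunnel-style queries carrying 40 hex characters each plus
# five ordinary lookups, and 58 connections every 60 s with a few seconds of jitter.
SAMPLE_DNS = [
    f"Jan 15, 2024 14:00:{i % 60:02d}\t10.0.0.5\t"
    f"{hashlib.sha256(b'chunk%d' % i).hexdigest()[:40]}.data.evil-dns.com"
    for i in range(25)
] + ["Jan 15, 2024 14:00:01\t10.0.0.6\twww.example.com"] * 5
SAMPLE_BEACON = [1705327200 + 60 * i + ((4 * i) % 11 - 5) for i in range(58)]


if __name__ == "__main__":
    for dom, s in sorted(dns_tunnel_stats(SAMPLE_DNS).items(), key=lambda kv: -kv[1]["queries"]):
        flag = "TUNNEL?" if s["suspicious"] else "ok"
        print(f"{flag:8} {dom}: {s['queries']} queries, avg subdomain len "
              f"{s['avg_subdomain_len']:.1f}, entropy {s['avg_entropy']:.2f}")
    b = beacon_stats(SAMPLE_BEACON)
    print(f"beacon: {b['events']} events, median interval {b['median_interval_s']:.1f}s, "
          f"jitter {b['jitter_ratio']:.2f} -> {'BEACONING' if b['beaconing'] else 'irregular'}")
```

To run it on the real exports, replace `SAMPLE_DNS` with `open('/cases/case-2024-001/analysis/dns_queries.txt')` and `SAMPLE_BEACON` with `open('/tmp/beacon_times.txt')`; both functions accept any iterable of lines. The median/MAD choice is deliberate: a mean interval is dragged around by a single long gap (a laptop going to sleep), while the median interval of a 60-second beacon stays at 60 and its MAD stays near zero.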

### Step 3: Extract Files and Objects from Traffic

```bash
# Export HTTP objects (files transferred over HTTP)
tshark -r /cases/case-2024-001/network/capture.pcap \
   --export-objects http,/cases/case-2024-001/analysis/http_objects/

# Export SMB objects
tshark -r /cases/case-2024-001/network/capture.pcap \
   --export-objects smb,/cases/case-2024-001/analysis/smb_objects/

# Export DICOM objects (medical imaging)
tshark -r /cases/case-2024-001/network/capture.pcap \
   --export-objects dicom,/cases/case-2024-001/analysis/dicom_objects/

# Export FTP data transfers (the ftp-data exporter needs the control channel in the
# same capture to pair each data connection with its filename)
tshark -r /cases/case-2024-001/network/capture.pcap \
   --export-objects ftp-data,/cases/case-2024-001/analysis/ftp_objects/

# Hash all extracted objects
find /cases/case-2024-001/analysis/http_objects/ -type f -exec sha256sum {} \; \
   > /cases/case-2024-001/analysis/extracted_file_hashes.txt

# Check extracted file hashes against VirusTotal
while read hash filepath; do
   echo "Checking $filepath ($hash)"
   curl -s "https://www.virustotal.com/api/v3/files/$hash" \
      -H "x-apikey: YOUR_API_KEY" | python3 -c "
import json,sys
data=json.load(sys.stdin)
if 'data' in data:
   stats=data['data']['attributes']['last_analysis_stats']
   print(f'  Malicious: {stats[\"malicious\"]}, Undetected: {stats[\"undetected\"]}')
else:
   print('  Not found on VT')
"
done < /cases/case-2024-001/analysis/extracted_file_hashes.txt
```

### Step 4: Reconstruct TCP Streams and Sessions

```bash
# Follow a specific TCP stream (stream index 42)
tshark -r /cases/case-2024-001/network/capture.pcap \
   -q -z "follow,tcp,ascii,42" \
   > /cases/case-2024-001/analysis/stream_42.txt

# Extract all HTTP request-response pairs for a suspicious host
tshark -r /cases/case-2024-001/network/capture.pcap \
   -Y "http && ip.addr == 185.0.0.1" \
   -T fields -e frame.time -e http.request.method -e http.host \
   -e http.request.uri -e http.response.code -e http.content_length \
   > /cases/case-2024-001/analysis/suspicious_http.txt

# Extract TLS certificate information: subject/issuer name attributes and SAN DNS
# names alongside the raw DER certificate. Only TLS 1.2 and earlier expose this;
# TLS 1.3 encrypts the Certificate message, so for those sessions rely on the SNI below
tshark -r /cases/case-2024-001/network/capture.pcap \
   -Y "tls.handshake.type == 11" \
   -T fields -e ip.dst -e x509sat.printableString -e x509sat.uTF8String \
   -e x509ce.dNSName -e tls.handshake.certificate \
   > /cases/case-2024-001/analysis/tls_certs.txt

# Extract TLS SNI (Server Name Indication) values
tshark -r /cases/case-2024-001/network/capture.pcap \
   -Y "tls.handshake.extensions_server_name" \
   -T fields -e frame.time -e ip.src -e ip.dst \
   -e tls.handshake.extensions_server_name \
   > /cases/case-2024-001/analysis/tls_sni.txt

# Extract credentials from unencrypted protocols
tshark -r /cases/case-2024-001/network/capture.pcap \
   -Y "ftp.request.command == \"USER\" || ftp.request.command == \"PASS\"" \
   -T fields -e frame.time -e ip.src -e ftp.request.command -e ftp.request.arg

tshark -r /cases/case-2024-001/network/capture.pcap \
   -Y "http.authorization" \
   -T fields -e frame.time -e ip.src -e http.host -e http.authorization
```

### Step 5: Use NetworkMiner for Automated Analysis

```bash
# Install NetworkMiner (Mono required on Linux)
sudo apt-get install mono-complete
wget https://www.netresec.com/?download=NetworkMiner -O NetworkMiner.zip
unzip NetworkMiner.zip -d /opt/NetworkMiner/

# Run NetworkMiner
mono /opt/NetworkMiner/NetworkMiner.exe /cases/case-2024-001/network/capture.pcap

# NetworkMiner automatically extracts:
# - Host inventory (OS fingerprinting, open ports)
# - Files transferred over HTTP, FTP, SMB, TFTP
# - Images from web traffic
# - Credentials (plaintext and NTLM hashes)
# - DNS records
# - Session parameters
# - Anomalies and alerts
```

### Step 6: Generate Network Forensics Report

```bash
# Compile findings
cat << 'EOF' > /cases/case-2024-001/analysis/network_forensics_report.txt
NETWORK FORENSICS ANALYSIS REPORT
===================================
Case: 2024-001
Capture File: capture.pcap (856 MB, 1,245,678 packets)
Capture Period: 2024-01-15 14:00 to 15:00 UTC
Analyst: [Examiner Name]

TRAFFIC OVERVIEW:
  Total packets: 1,245,678
  Unique source IPs: 45
  Unique destination IPs: 234
  Protocols: TCP (78%), UDP (18%), ICMP (2%), Other (2%)

C2 COMMUNICATION:
  Destination: 185.0.0.1:443
  Beaconing interval: ~60 seconds
  Total connections: 58
  Data transferred: 4.2 MB outbound, 12.3 MB inbound
  TLS SNI: update-service.malware-c2.com

EXFILTRATION:
  Method: HTTPS POST to 185.0.0.1
  Volume: 4.2 MB over 45 minutes
  Files: 3 ZIP archives extracted from HTTP objects

DNS TUNNELING:
  Suspicious queries to: data.evil-dns.com
  Average subdomain length: 45 characters
  Query count: 1,234 (normal baseline: 50)
EOF
```

## Key Conc
