
Traffic Analysis Pcap
Analyze PCAP captures with Wireshark filters, tshark CLI, protocol decoding, file carving, and TLS decryption when investigating incidents or CTF network challenges.
Overview
Traffic Analysis PCAP is an agent skill for the Ship phase that walks you through PCAP repair, Wireshark/tshark protocol analysis, data extraction, and covert-channel detection on network captures.
Install
npx skills add https://github.com/yaklang/hack-skills --skill traffic-analysis-pcap
What is this skill?
- PCAP repair with pcapfix and magic-byte sanity checks
- Wireshark and tshark filters for HTTP, DNS, FTP, SMTP, USB HID, WiFi, ICMP
- HTTPS/TLS decryption workflows and protocol-specific carve-outs
- Covert channel and DNS tunneling detection heuristics
- Cross-links to memory forensics, steganography, and reverse-shell traffic patterns
- Protocol coverage includes HTTP, DNS, FTP, SMTP, USB HID, WiFi, and ICMP analysis paths
Adoption & trust: 1.1k installs on skills.sh; 980 GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
You have a corrupted or overwhelming PCAP and no reliable checklist for filters, decryption, carving, and tunneling detection.
Who is it for?
Solo builders or small teams debugging suspicious traffic, CTF network challenges, or lightweight IR with Wireshark and tshark on hand.
Skip if: Teams that only need high-level security policy without hands-on packet analysis, or apps with no network capture requirement.
When should I use this skill?
Analyzing network captures including Wireshark filters, protocol analysis, data extraction, covert channel detection, PCAP repair, TLS decryption, and tshark command-line analysis.
What do I get? / Deliverables
You get a repeatable forensics workflow—fixed capture, targeted protocol analysis, extracted artifacts, and pointers to correlated security skills.
- Structured analysis steps
- Filter and extraction command recipes
- Pointers to related forensics skills
Recommended Skills
Journey fit
Network forensics and PCAP analysis sit in Ship because they validate what actually crossed the wire before or after release—complementing app-level security reviews. Security subphase covers capture analysis, covert-channel heuristics, and credential extraction from traffic—not day-to-day feature coding.
How it compares
Use as a structured forensics playbook—not a generic “explain this PCAP” chat without filter recipes or CLI commands.
Common Questions / FAQ
Who is traffic-analysis-pcap for?
Developers and security-minded solo builders who analyze PCAPs during incidents, malware research, or forensics-style debugging and want agent-guided Wireshark and tshark steps.
When should I use traffic-analysis-pcap?
Use it in Ship when reviewing captures for breaches or misconfigurations, or in Operate when production traffic anomalies need protocol-level investigation with carving and TLS workflows.
Is traffic-analysis-pcap safe to install?
Review the Security Audits panel on this Prism page and treat the skill as guidance that may suggest shell commands on sensitive capture files in your environment.
SKILL.md - Traffic Analysis Pcap
# SKILL: Traffic Analysis & PCAP — Expert Analysis Playbook

> **AI LOAD INSTRUCTION**: Expert traffic analysis and PCAP forensics techniques. Covers PCAP repair, Wireshark essential filters, protocol-specific analysis (HTTP, HTTPS/TLS, DNS, FTP, SMTP, USB HID, WiFi, ICMP), data extraction (file carving, credential harvesting, covert channels), NetworkMiner, and tshark CLI analysis. Base models miss USB keyboard decode patterns, DNS tunneling detection heuristics, and TLS decryption workflows.

## 0. RELATED ROUTING

Before going deep, consider loading:

- [memory-forensics-volatility](../memory-forensics-volatility/SKILL.md) for correlating memory artifacts with network traffic
- [steganography-techniques](../steganography-techniques/SKILL.md) for analyzing files extracted from traffic captures
- [network-protocol-attacks](../network-protocol-attacks/SKILL.md) for understanding attack patterns visible in captures
- [reverse-shell-techniques](../reverse-shell-techniques/SKILL.md) for identifying shell traffic in captures

---

## 1. PCAP REPAIR

```bash
pcapfix corrupted.pcap -o fixed.pcap            # repair corrupted PCAP (bad global header, truncated/oversized records)
# Magic bytes (first four bytes on disk, e.g. `xxd -l 4 file`):
#   d4c3b2a1 = pcap (little-endian, microsecond timestamps)
#   a1b2c3d4 = pcap (big-endian)
#   4d3cb2a1 = pcap (little-endian, nanosecond timestamps)
#   0a0d0d0a = pcapng (Section Header Block)
# Anything else: the file is not a capture, or the header is damaged and needs pcapfix.
editcap -F pcap capture.pcapng capture.pcap     # convert pcapng -> pcap for tools that only read classic pcap
mergecap -w merged.pcap file1.pcap file2.pcap   # merge captures (records are ordered by timestamp)
```

---
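The magic-byte sanity check above, as an added example that is not part of the skill or the page: a Python checker that identifies the container from its first four bytes and then walks the classic-pcap global header and every record header, stopping at the first inconsistency (record longer than snaplen, payload running past end of file), which is exactly the damage pcapfix is used to repair. The two-record capture is constructed in memory with dummy payloads (not real traffic); the nanosecond-magic entries and the expectation of pcap version 2.4 are my assumptions, and pcapng is only recognised, not parsed.

```python
"""Magic-byte and record-header sanity check for a classic pcap file."""
import struct

# First four bytes as they sit on disk (the page's d4c3b2a1 / a1b2c3d4 / 0a0d0d0a),
# mapped to a label and the struct byte-order prefix needed to read the rest.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("pcap-le", "<"),      # 0xa1b2c3d4 written little-endian, usec timestamps
    b"\xa1\xb2\xc3\xd4": ("pcap-be", ">"),      # same magic written big-endian
    b"\x4d\x3c\xb2\xa1": ("pcap-le-ns", "<"),   # 0xa1b23c4d nanosecond variant (assumed)
    b"\xa1\xb2\x3c\x4d": ("pcap-be-ns", ">"),
    b"\x0a\x0d\x0d\x0a": ("pcapng", None),      # pcapng Section Header Block type
}


def identify(data: bytes) -> str:
    """Label the capture format from its leading bytes ('unknown' if no magic matches)."""
    return MAGICS.get(data[:4], ("unknown", None))[0]


def sanity_check(data: bytes) -> dict:
    """Walk the global header and each record; report the first inconsistency found."""
    fmt, endian = MAGICS.get(data[:4], ("unknown", None))
    report = {"format": fmt, "packets": 0, "problems": []}
    if fmt == "unknown":
        report["problems"].append("bad magic: not pcap/pcapng, try pcapfix")
        return report
    if fmt == "pcapng":
        report["problems"].append("pcapng: run editcap -F pcap first, this checker reads classic pcap only")
        return report
    if len(data) < 24:
        report["problems"].append("global header truncated")
        return report
    # Global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    _, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    report.update(version=f"{vmaj}.{vmin}", snaplen=snaplen, linktype=linktype)
    if (vmaj, vmin) != (2, 4):  # 2.4 is what every current writer emits (assumption)
        report["problems"].append(f"unexpected pcap version {vmaj}.{vmin}")
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            report["problems"].append(f"record header truncated at offset {off}")
            break
        # Record header: ts_sec, ts_frac, incl_len (bytes saved), orig_len (bytes on the wire)
        _ts, _frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        if incl_len > snaplen or incl_len > orig_len:
            report["problems"].append(
                f"record at offset {off}: incl_len {incl_len} exceeds snaplen {snaplen} or orig_len {orig_len}")
            break
        if off + 16 + incl_len > len(data):
            have = len(data) - off - 16
            report["problems"].append(f"record at offset {off}: payload truncated ({have} of {incl_len} bytes)")
            break
        report["packets"] += 1
        off += 16 + incl_len
    return report


def build_sample_pcap() -> bytes:
    """Constructed two-record little-endian pcap with dummy payloads (not real traffic)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    payloads = [b"\xaa" * 60, b"\xbb" * 42]
    body = b"".join(struct.pack("<IIII", 1700000000 + i, 0, len(p), len(p)) + p
                    for i, p in enumerate(payloads))
    return header + body


if __name__ == "__main__":
    sample = build_sample_pcap()
    print("intact:   ", sanity_check(sample))
    print("truncated:", sanity_check(sample[:-10]))
```

Run it against a real file with `sanity_check(open("capture.pcap", "rb").read())`; a non-empty `problems` list with a packet count tells you how many records survive before the damage, which is the same point where pcapfix will start rewriting headers.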
## 2. WIRESHARK ESSENTIAL FILTERS

### IP / Host Filters

```
ip.addr == 10.0.0.1        # source or destination
ip.src == 10.0.0.1         # source only
ip.dst == 10.0.0.1         # destination only
ip.addr == 10.0.0.0/24     # subnet
!(ip.addr == 10.0.0.1)     # exclude host (NOT ip.addr != 10.0.0.1, which still matches any packet whose other side differs)
```

### Protocol Filters

```
http       # all HTTP (plaintext only; HTTPS shows as tls until decrypted)
dns        # all DNS
tcp        # all TCP
ftp        # all FTP
smtp       # all SMTP
tls        # all TLS/SSL
icmp       # all ICMP
arp        # all ARP
```

### TCP / Stream

```
tcp.stream eq 5                               # follow specific TCP stream
tcp.port == 80                                # traffic on port 80
tcp.flags.syn == 1 && tcp.flags.ack == 0      # SYN packets (connection starts)
tcp.analysis.retransmission                   # retransmitted packets
tcp.len > 0                                   # packets with payload
```

### HTTP

```
http.request.method == "POST"        # POST requests
http.request.method == "GET"         # GET requests
http.response.code == 200            # successful responses
http.response.code >= 400            # error responses
http.request.uri contains "login"    # URI contains string
http.host contains "target.com"      # specific host
http.content_type contains "json"    # JSON responses
http.cookie contains "session"       # session cookies
http.request.full_uri                # show full URIs (add as a column)
```

### DNS

```
dns.qry.name contains "evil.com"     # specific domain queries
dns.qry.type == 1                    # A records
dns.qry.type == 28                   # AAAA records
dns.qry.type == 16                   # TXT records (common tunneling carrier)
dns.flags.response == 1              # DNS responses only
dns.resp.len > 100                   # large DNS responses
```

### TLS

```
tls.handshake.type == 1                  # Client Hello
tls.handshake.type == 2                  # Server Hello
tls.handshake.extensions.server_name     # SNI (hostname)
tls.handshake.type == 11                 # Certificate (visible in TLS 1.2 and below; encrypted in TLS 1.3)
```

### Content Search

```
frame contains "password"            # search in raw bytes (case-sensitive)
frame matches "(?i)password"         # regex, case-insensitive
frame contains "flag{"               # CTF flag marker
```
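The DNS filters above find the queries; deciding whether a domain is a tunnel is the heuristic work the skill lists under covert-channel detection. As an added example, not part of the skill or the page: export the queries with tshark and score each registered domain on unique-subdomain count, entropy of the subdomain part, longest label and TXT/NULL query share. The tab-separated input is a constructed stand-in for what `tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e ip.src -e dns.qry.type -e dns.qry.name` prints; the thresholds and the "registered domain = last two labels" shortcut are my assumptions (a real tool should use the public suffix list so `co.uk` is not treated as a registered domain).

```python
"""Score DNS query names exported by tshark for tunnelling indicators."""
import math
from collections import defaultdict

# Constructed sample of tshark -T fields output (ip.src, dns.qry.type, dns.qry.name).
# Host 10.0.0.7 sends base32-looking TXT queries, the classic iodine/dnscat2 shape.
SAMPLE_FIELDS = """\
10.0.0.5\t1\twww.example.com
10.0.0.5\t28\twww.example.com
10.0.0.5\t1\tmail.example.com
10.0.0.5\t1\tcdn.example.com
10.0.0.7\t16\tMFRGGZDFMZTWQ2LKNNWG2YLPNNWG6.c0.t.example.net
10.0.0.7\t16\tNZXW4ZDPNU2HI4TJNZTSAYLOMQQGC.c1.t.example.net
10.0.0.7\t16\tONQW4ZDFMQQGE6LUMVZSAYJAMRXW2.c2.t.example.net
10.0.0.7\t16\tMFWG6YLUMQQGS4ZAMNXW4ZTJMRSW4.c3.t.example.net
10.0.0.7\t16\tORUGS4ZANFZSAYLOMVWGC3TEMVZCA.c4.t.example.net
10.0.0.7\t16\tNRUWGZLOMNSSA3LFNZ2CA3LFONZWC.c5.t.example.net
"""

TUNNEL_QTYPES = {10, 16}  # NULL and TXT carry the most payload per response


def shannon_entropy(s: str) -> float:
    """Bits per character; near 0 for 'www', 4+ for encoded blobs."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(name: str):
    """Return (registered_domain, subdomain_part). Assumption: last two labels are the registered domain."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return name.lower(), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_tshark_fields(text: str):
    """Parse tab-separated (src, qtype, name) rows; skip blank or malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or not line.strip():
            continue
        src, qtype, name = parts
        rows.append((src, int(qtype), name))
    return rows


def score_domains(rows, min_unique=5, entropy_thresh=3.5, label_thresh=40, txt_thresh=0.5):
    """Aggregate per registered domain and flag those that look like a tunnel (thresholds assumed)."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "sources": set(),
                                 "entropies": [], "max_label": 0, "txt_null": 0})
    for src, qtype, name in rows:
        base, sub = split_name(name)
        s = stats[base]
        s["queries"] += 1
        s["names"].add(name.lower())
        s["sources"].add(src)
        s["entropies"].append(shannon_entropy(sub.replace(".", "")))
        s["max_label"] = max([s["max_label"]] + [len(lbl) for lbl in sub.split(".") if lbl])
        if qtype in TUNNEL_QTYPES:
            s["txt_null"] += 1
    report = {}
    for base, s in stats.items():
        mean_ent = sum(s["entropies"]) / len(s["entropies"])
        txt_frac = s["txt_null"] / s["queries"]
        # Volume of distinct names is the gate: one odd query is noise, dozens are a channel.
        suspicious = len(s["names"]) >= min_unique and (
            mean_ent >= entropy_thresh or s["max_label"] >= label_thresh or txt_frac >= txt_thresh)
        report[base] = {"queries": s["queries"], "unique_names": len(s["names"]),
                        "sources": sorted(s["sources"]), "mean_entropy": round(mean_ent, 2),
                        "max_label": s["max_label"], "txt_null_fraction": round(txt_frac, 2),
                        "suspicious": suspicious}
    return report


def flagged(report):
    """Registered domains whose stats crossed the thresholds."""
    return sorted(base for base, r in report.items() if r["suspicious"])


if __name__ == "__main__":
    rep = score_domains(parse_tshark_fields(SAMPLE_FIELDS))
    for base, r in rep.items():
        print(base, r)
    print("flagged:", flagged(rep))
```

Feed it real output with `score_domains(parse_tshark_fields(open("dns.tsv").read()))`; once a domain is flagged, go back to Wireshark with `dns.qry.name contains "<domain>"` and `dns.resp.len > 100` to confirm the response side carries data too.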