From pcap-analyzer
Analyzes pcap/pcapng files using scapy for digital forensics: extracts streams, DNS, HTTP, credentials, files; detects anomalies like C2 beaconing, port scanning, exfiltration.
Install:
npx claudepluginhub sandbornm/my-claude-skills --plugin pcap-analyzer

Trigger (slash command):
/pcap-analyzer:pcap-analyzer

Summary Claude sees in its skill listing (used to decide when to auto-load this skill):
Perform automated network traffic analysis on pcap/pcapng files using scapy.
Files:
scripts/pcap-analyze.sh
scripts/analysis_scripts/analyze_all.py
scripts/analysis_scripts/export_endpoints.py
scripts/analysis_scripts/export_statistics.py
scripts/analysis_scripts/extract_credentials.py
scripts/analysis_scripts/extract_dns.py
scripts/analysis_scripts/extract_files.py
scripts/analysis_scripts/extract_http.py
scripts/analysis_scripts/extract_streams.py
scripts/analysis_scripts/find_anomalies.py
Perform automated network traffic analysis on pcap/pcapng files using scapy. Extract streams, DNS, HTTP, credentials, and files. Detect anomalies like beaconing, port scanning, C2 patterns, and data exfiltration.
| Task | Command |
|---|---|
| Full analysis | {baseDir}/scripts/pcap-analyze.sh -s analyze_all.py -o ./output capture.pcap |
| Extract TCP/UDP streams | {baseDir}/scripts/pcap-analyze.sh -s extract_streams.py -o ./output capture.pcap |
| Extract DNS queries | {baseDir}/scripts/pcap-analyze.sh -s extract_dns.py -o ./output capture.pcap |
| Extract HTTP traffic | {baseDir}/scripts/pcap-analyze.sh -s extract_http.py -o ./output capture.pcap |
| Map endpoints | {baseDir}/scripts/pcap-analyze.sh -s export_endpoints.py -o ./output capture.pcap |
| Traffic statistics | {baseDir}/scripts/pcap-analyze.sh -s export_statistics.py -o ./output capture.pcap |
| Detect anomalies | {baseDir}/scripts/pcap-analyze.sh -s find_anomalies.py -o ./output capture.pcap |
| Find credentials | {baseDir}/scripts/pcap-analyze.sh -s extract_credentials.py -o ./output capture.pcap |
| Carve files | {baseDir}/scripts/pcap-analyze.sh -s extract_files.py -o ./output capture.pcap |
Requirements: pip install scapy (tshark is optional: brew install wireshark / apt install tshark)

Usage:
{baseDir}/scripts/pcap-analyze.sh [options] <capture_file>

Options:
-o, --output <dir> — Output directory for results (default: current dir)
-s, --script <name> — Analysis script to run (can be repeated)
-a, --script-args <args> — Arguments for the last specified script
--bpf <filter> — BPF filter to apply before analysis
--timeout <seconds> — Analysis timeout
-v, --verbose — Verbose output
-h, --help — Show help

analyze_all.py: Comprehensive first-pass analysis. Best for initial triage of unknown captures.
Output files:
{name}_summary.txt — Capture overview: packet count, time range, duration, data rates
{name}_protocols.json — Protocol distribution by layer
{name}_endpoints.json — Top talkers by packet and byte count
{name}_conversations.json — Top IP-pair conversations
{name}_interesting.txt — Notable findings categorized as cleartext protocols, unusual ports, large transfers, suspicious DNS, tunneling indicators

extract_streams.py: Reassemble TCP and UDP streams. Pass --host <ip> or --port <port> to filter, --max-streams <n> to limit output.
Output: {name}_streams.json + {name}_stream_{n}.bin per stream
extract_dns.py: Extract all DNS queries and responses with full record detail.
Output:
{name}_dns.json — Queries, responses, record types, TTLs
{name}_domains.txt — Unique domains queried
{name}_dns_timeline.json — Temporal query analysis

extract_http.py: Extract HTTP transactions from raw TCP payloads. Handles chunked transfer encoding.
Output: {name}_http.json + {name}_http_bodies/ directory
export_endpoints.py: Map all network endpoints with service identification. Includes MAC addresses, ports, protocols, subnets, and connection 5-tuples.
Output: {name}_endpoints.json
export_statistics.py: Detailed traffic statistics: protocol hierarchy, packet size distribution, timing analysis, TCP flag distribution, TTL distribution with OS fingerprint hints.
Output: {name}_statistics.json
find_anomalies.py: Detect suspicious patterns: C2 beaconing (low coefficient of variation in connection intervals), port scanning, data exfiltration, DNS tunneling (high-entropy long subdomain labels), unusual protocol usage, cleartext sensitive data, and TLS anomalies.
Output: {name}_anomalies.json
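The two heuristics named above, beaconing by coefficient of variation and DNS tunneling by label entropy, are simple enough to show in full. The block below is an added example written for this page, not the plugin's own find_anomalies.py; it runs on constructed flow records and query names rather than a pcap (so scapy is not needed), and the thresholds (six connections, CV at most 0.2, labels of 30+ characters with at least 3.5 bits of entropy) are illustrative assumptions, not values taken from the script.

```python
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (timestamp_s, src_ip, dst_ip, dst_port); not from a real capture.
BEACON_TIMES = (0.0, 60.4, 120.1, 181.0, 240.7, 300.2, 360.9, 420.3, 480.6, 540.0)  # ~60 s with jitter
BROWSING_TIMES = (5.0, 9.0, 30.0, 31.0, 90.0, 150.0, 152.0, 400.0)                     # bursty, human-driven
FLOWS = (
    [(t, "10.0.0.5", "203.0.113.7", 443) for t in BEACON_TIMES]
    + [(t, "10.0.0.5", "198.51.100.20", 80) for t in BROWSING_TIMES]
    + [(t, "10.0.0.9", "203.0.113.7", 443) for t in (12.0, 300.0, 333.3)]  # too few to judge
)

# Constructed query names; the third carries a long high-entropy label typical of DNS tunnels.
QNAMES = [
    "www.example.com",
    "mail.example.org",
    "a8f3k29dls0p1qz7m4bn6vcx2yhe9tw5r3j0kl8sd.tunnel.example.net",
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.com",  # long but low entropy: not a tunnel
]


def beacon_candidates(flows, min_connections=6, max_cv=0.2):
    """Flag (src, dst, dport) groups whose connection intervals are suspiciously regular.

    The coefficient of variation (stdev / mean of inter-arrival times) is near 0 for a
    timer-driven beacon and well above 1 for bursty human traffic. Thresholds are assumptions.
    """
    times_by_key = defaultdict(list)
    for ts, src, dst, dport in flows:
        times_by_key[(src, dst, dport)].append(ts)
    hits = []
    for (src, dst, dport), times in times_by_key.items():
        if len(times) < min_connections:
            continue
        times.sort()
        intervals = [b - a for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "dport": dport, "count": len(times),
                         "mean_interval": round(avg, 2), "cv": round(cv, 4)})
    return hits


def shannon_entropy(text):
    """Bits of entropy per character of a string (0.0 for a single repeated character)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dns_tunnel_candidates(qnames, min_label_len=30, min_entropy=3.5):
    """Flag query names that carry a long, high-entropy subdomain label.

    The last two labels are assumed to be the registrable domain and skipped; a real tool
    should consult the public suffix list instead of this shortcut.
    """
    hits = []
    for name in qnames:
        labels = name.rstrip(".").split(".")
        for label in labels[:-2]:
            if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
                hits.append({"qname": name, "label": label,
                             "entropy": round(shannon_entropy(label), 2)})
                break
    return hits


if __name__ == "__main__":
    for hit in beacon_candidates(FLOWS):
        print("beacon:", hit)
    for hit in dns_tunnel_candidates(QNAMES):
        print("dns tunnel:", hit)
```

Expect false positives from both heuristics on real traffic: NTP, update checkers and monitoring agents beacon legitimately, and CDN or cloud hostnames often carry long hashed labels. Treat a hit as a lead to pivot on (destination reputation, the reassembled stream, query volume per domain), not as a verdict.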
extract_credentials.py: Find cleartext credentials: HTTP Basic/Digest auth, form POST data, FTP USER/PASS, SMTP AUTH, Telnet logins, session cookies, API keys. Passwords are partially redacted in output.
Output: {name}_credentials.json
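The HTTP extraction (chunked transfer encoding) and the credential extraction (Basic auth, form POST data, partial redaction) described above share one piece of work: parsing an HTTP message out of a reassembled TCP payload. The following is an added example covering both, written for this page and not taken from extract_http.py or extract_credentials.py. The request and response bytes are constructed in the block, the field-name lists and the redaction rule (keep first and last character) are assumptions, and a real pipeline would feed it the stream payloads scapy reassembles rather than literals.

```python
import base64
from urllib.parse import parse_qs

USER_KEYS = {"username", "user", "login", "email", "uid"}   # assumed form field names
PASS_KEYS = {"password", "passwd", "pass", "pwd"}

# Constructed request/response payloads (not real traffic). The Basic header encodes alice:hunter2.
REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 31\r\n\r\n"
    b"username=alice&password=hunter2"
)
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n"
    b"5\r\nHello\r\n"
    b"7;ext=1\r\n, world\r\n"   # chunk extension must be ignored
    b"0\r\n\r\n"
)


def parse_http_message(payload: bytes):
    """Split one HTTP message into (start_line, headers, raw_body); header names are lower-cased."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP head")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def decode_chunked(body: bytes) -> bytes:
    """Decode a chunked body: '<hex-size>[;ext]\\r\\n<data>\\r\\n' repeated, ended by a zero-size chunk."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size = int(body[pos:eol].split(b";")[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            break
        chunk = body[pos:pos + size]
        if len(chunk) < size:
            raise ValueError("truncated chunk data")
        out += chunk
        pos += size + 2  # skip the CRLF after the chunk data
    return bytes(out)


def message_body(headers, raw_body: bytes) -> bytes:
    """Apply the framing the headers declare; Transfer-Encoding wins over Content-Length."""
    if headers.get("transfer-encoding", "").lower() == "chunked":
        return decode_chunked(raw_body)
    length = headers.get("content-length")
    return raw_body[:int(length)] if length else raw_body


def redact(secret: str) -> str:
    """Keep first and last character so an analyst can correlate reuse without logging the secret."""
    if len(secret) <= 3:
        return "*" * len(secret)
    return secret[0] + "*" * (len(secret) - 2) + secret[-1]


def extract_credentials(request: bytes):
    """Pull Basic-auth and form-POST credentials out of one HTTP request payload."""
    _, headers, raw_body = parse_http_message(request)
    found = []
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
            found.append({"source": "http_basic", "user": user, "password": redact(pw)})
        except ValueError:
            pass  # malformed base64 (binascii.Error is a ValueError subclass)
    body = message_body(headers, raw_body)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(body.decode("latin-1"))
        user = next((v[0] for k, v in fields.items() if k.lower() in USER_KEYS), None)
        pw = next((v[0] for k, v in fields.items() if k.lower() in PASS_KEYS), None)
        if pw is not None:
            found.append({"source": "form_post", "user": user, "password": redact(pw)})
    return found


if __name__ == "__main__":
    print(extract_credentials(REQUEST))
    _, hdrs, body = parse_http_message(RESPONSE)
    print(message_body(hdrs, body))
```

Two details matter in practice: the chunk-size line may carry extensions after a semicolon, and a body must be de-chunked before any credential or file extraction looks at it, or a secret split across two chunks is missed. Redaction belongs in the extractor, not in a later step, so that the unredacted value never lands in the JSON an analyst copies into a ticket.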
extract_files.py: Carve files from HTTP responses, FTP transfers, SMTP attachments, and magic-byte detection in TCP streams. Computes MD5 hashes. Supports PDF, ZIP, PNG, JPEG, PE, ELF, GIF, GZIP, and more.
Output: {name}_files.json + {name}_extracted/ directory
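Magic-byte carving from a reassembled stream is the part of the above most worth seeing in code, because the interesting decisions are where a file ends and how to avoid false hits. The block below is an added example written for this page, not the plugin's extract_files.py; it carves a constructed stream containing a PNG, a PDF and a ZIP built in the block, uses format trailers (PNG IEND, PDF %%EOF, ZIP end-of-central-directory) to find file ends, validates MZ hits through the e_lfanew pointer so random "MZ" bytes are not reported as PE files, and records both MD5 and SHA-256. The signature table is deliberately short and is an assumption.

```python
import hashlib
import io
import struct
import zipfile
import zlib

# Magic bytes for the formats carved; a real tool carries a much longer table.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
    "gzip": b"\x1f\x8b\x08",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "elf": b"\x7fELF",
    "pe": b"MZ",
}
# Trailer marker and the number of bytes that belong to the file from the marker's start.
TRAILERS = {
    "png": (b"IEND", 8),       # IEND chunk type + 4-byte CRC
    "pdf": (b"%%EOF", 5),
    "jpeg": (b"\xff\xd9", 2),  # EOI marker
}


def _plausible(data, off, kind):
    """Reject 'MZ' hits that do not point at a 'PE\\0\\0' signature via e_lfanew (offset 0x3C)."""
    if kind != "pe":
        return True
    if off + 0x40 > len(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    return data[off + e_lfanew: off + e_lfanew + 4] == b"PE\x00\x00"


def _find_end(data, start, kind):
    """Offset one past the file's trailer, or None when no trailer is known or found."""
    if kind == "zip":
        eocd = data.find(b"PK\x05\x06", start)
        if eocd < 0 or eocd + 22 > len(data):
            return None
        comment_len = struct.unpack_from("<H", data, eocd + 20)[0]
        return eocd + 22 + comment_len
    if kind in TRAILERS:
        marker, tail = TRAILERS[kind]
        idx = data.find(marker, start)
        return None if idx < 0 else idx + tail
    return None


def carve(data):
    """Carve files from a reassembled stream by magic bytes.

    Files with a known trailer end there; others run to the next magic or end of stream
    and are flagged truncated, as is any file whose trailer would lie past the data.
    """
    hits = []
    for kind, magic in MAGIC.items():
        off = data.find(magic)
        while off >= 0:
            if _plausible(data, off, kind):
                hits.append((off, kind))
            off = data.find(magic, off + 1)
    hits.sort()
    files, cursor = [], 0
    for i, (start, kind) in enumerate(hits):
        if start < cursor:
            continue  # lies inside a file already carved (e.g. a member of a zip)
        end = _find_end(data, start + len(MAGIC[kind]), kind)
        truncated = False
        if end is None:
            end = next((o for o, _ in hits[i + 1:]), len(data))
            truncated = True
        elif end > len(data):
            end, truncated = len(data), True
        blob = data[start:end]
        files.append({"offset": start, "type": kind, "size": len(blob), "truncated": truncated,
                      "md5": hashlib.md5(blob).hexdigest(),
                      "sha256": hashlib.sha256(blob).hexdigest(), "data": blob})
        cursor = end
    return files


def _png_chunk(kind, payload):
    body = kind + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


# Constructed 1x1 RGBA PNG, minimal PDF and one-member ZIP; not files from a real capture.
PNG = (MAGIC["png"]
       + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0))
       + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00\x00"))
       + _png_chunk(b"IEND", b""))
PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF"
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:  # fixed timestamp keeps the bytes deterministic
    _zf.writestr(zipfile.ZipInfo("hello.txt", (1980, 1, 1, 0, 0, 0)), b"hello from the capture\n")
ZIP = _buf.getvalue()
STREAM = (b"\x00\x01MZ not a PE header\x00" + PNG + b"\r\n--boundary--\r\n"
          + PDF + b"\r\n" + ZIP + b"trailing noise")

if __name__ == "__main__":
    for f in carve(STREAM):
        print(f["type"], f["offset"], f["size"], f["truncated"], f["md5"])
```

MD5 is adequate for de-duplicating carved files within one case, but when an indicator is shared or looked up externally the SHA-256 is the one to record, since collisions for MD5 are practical. Trailer-based carving also has known blind spots: a JPEG with an embedded EXIF thumbnail ends at the thumbnail's EOI, and formats without a trailer (gzip, ELF) are only delimited by the next signature, which is why the example flags them truncated rather than asserting their size.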
Quick triage of an unknown capture:
mkdir -p ./analysis
{baseDir}/scripts/pcap-analyze.sh -s analyze_all.py -o ./analysis capture.pcap
cat ./analysis/capture_summary.txt
cat ./analysis/capture_interesting.txt

C2 and exfiltration hunting:
{baseDir}/scripts/pcap-analyze.sh -s find_anomalies.py -o ./c2 capture.pcap
{baseDir}/scripts/pcap-analyze.sh -s extract_dns.py -o ./c2 capture.pcap
cat ./c2/capture_anomalies.json | jq '.beaconing'
cat ./c2/capture_anomalies.json | jq '.data_exfiltration'

File extraction:
{baseDir}/scripts/pcap-analyze.sh -s extract_http.py -s extract_files.py -o ./files capture.pcap
cat ./files/capture_files.json | jq '.[].filename'
ls ./files/capture_extracted/

Credential hunting (lists only the categories with at least one finding):
{baseDir}/scripts/pcap-analyze.sh -s extract_credentials.py -o ./creds capture.pcap
cat ./creds/capture_credentials.json | jq 'to_entries | map(select(.value | length > 0))'
Full forensic workflow:
mkdir -p ./forensics
{baseDir}/scripts/pcap-analyze.sh \
  -s analyze_all.py \
  -s export_endpoints.py \
  -s extract_dns.py \
  -s find_anomalies.py \
  -s extract_credentials.py \
  -s extract_files.py \
  -o ./forensics evidence.pcap

Focus on one host (a BPF filter narrows the capture before analysis; -a passes a script-level filter to extract_streams.py):
{baseDir}/scripts/pcap-analyze.sh \
  --bpf "host 192.168.1.100" \
  -s analyze_all.py \
  -o ./host_analysis capture.pcap
{baseDir}/scripts/pcap-analyze.sh \
  -s extract_streams.py \
  -a "--host 192.168.1.100" \
  -o ./host_analysis capture.pcap
Troubleshooting:

Missing scapy:
pip install scapy

Slow analysis: for captures over 100MB, use BPF filters to narrow scope:
{baseDir}/scripts/pcap-analyze.sh --bpf "tcp port 80" -s extract_http.py capture.pcap
Or use individual scripts instead of analyze_all.py.

Permission denied reading the capture:
chmod 644 capture.pcap
# Or run with sudo if needed
Prefer fixing the file's ownership or mode over running the parsers as root: a capture is untrusted input, and a malformed packet that trips a bug in the dissector should not do so with elevated privileges.

tshark is optional. All scripts work with scapy alone. For best results:
# macOS
brew install wireshark
# Debian/Ubuntu
sudo apt install tshark
# Fedora/RHEL
sudo dnf install wireshark-cli

Tips:
Use --bpf to focus on specific hosts or protocols.