Back to Details

performing-network-traffic-analysis-with-tshark

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Performing Network Traffic Analysis with TShark

使用TShark进行网络流量分析

Overview

概述

This skill automates packet capture analysis using tshark (Wireshark CLI) and pyshark (Python wrapper). It extracts protocol distribution statistics, identifies suspicious network flows (port scans, beaconing, data exfiltration), extracts IOCs (IPs, domains, URLs), and detects DNS tunneling patterns from PCAP files.
本技能使用tshark(Wireshark命令行界面)和pyshark(Python封装库)实现数据包捕获分析自动化。它可以提取协议分布统计数据,识别可疑网络流量(端口扫描、信标行为、数据泄露),提取IOC(IP、域名、URL),并从PCAP文件中检测DNS隧道模式。

When to Use

使用场景

  • When conducting security assessments that involve performing network traffic analysis with tshark
  • When following incident response procedures for related security events
  • When performing scheduled security testing or auditing activities
  • When validating security controls through hands-on testing
  • 进行涉及使用tshark的网络流量分析安全评估时
  • 针对相关安全事件执行事件响应流程时
  • 执行定期安全测试或审计活动时
  • 通过实操测试验证安全控制措施时

Prerequisites

前置条件

  • tshark (Wireshark CLI) installed and in PATH
  • Python 3.8+ with pyshark library
  • PCAP or PCAPNG capture file for analysis
  • 已安装tshark(Wireshark CLI)并配置到系统PATH中
  • 安装了Python 3.8+及pyshark库
  • 用于分析的PCAP或PCAPNG捕获文件

Steps

步骤

  1. Extract Protocol Statistics — Generate protocol hierarchy and conversation statistics from the capture
  2. Identify Top Talkers — Rank source/destination IPs by volume and connection count
  3. Detect Suspicious Flows — Flag port scanning patterns, unusual port usage, and high-frequency connections
  4. Extract Network IOCs — Pull unique IPs, domains from DNS queries, and URLs from HTTP traffic
  5. Analyze DNS Traffic — Detect DNS tunneling via high-entropy subdomain queries and excessive TXT records
  6. Generate Analysis Report — Produce structured report with flow summaries and threat indicators
  1. 提取协议统计数据 — 从捕获文件中生成协议层级和会话统计数据
  2. 识别主要通信方 — 按流量大小和连接数对源/目标IP进行排名
  3. 检测可疑流量 — 标记端口扫描模式、异常端口使用情况和高频连接
  4. 提取网络IOC — 提取唯一IP、DNS查询中的域名以及HTTP流量中的URL
  5. 分析DNS流量 — 通过高熵子域名查询和过多TXT记录检测DNS隧道
  6. 生成分析报告 — 生成包含流量摘要和威胁指标的结构化报告

Expected Output

预期输出

  • JSON report with protocol statistics and top talkers
  • Suspicious flow detections with severity ratings
  • Extracted IOCs (IPs, domains, URLs)
  • DNS anomaly analysis results
  • 包含协议统计数据和主要通信方的JSON报告
  • 带有严重程度评级的可疑流量检测结果
  • 提取的IOC(IP、域名、URL)
  • DNS异常分析结果