# TShark Network Protocol Analyzer

## Overview

TShark is the command-line network protocol analyzer from the Wireshark project. It provides powerful packet capture and analysis capabilities for security investigations, forensic analysis, and network troubleshooting. This skill covers authorized security operations including traffic analysis, credential extraction, malware detection, and forensic examination.

IMPORTANT: Network packet capture may expose sensitive information and must only be conducted with proper authorization. Ensure legal compliance and privacy considerations before capturing ne…

```python
, user_id):
    raise ValueError("Invalid user ID format")

# Use ORM query builders
user = User.query.filter_by(id=user_id).first()
```

**Step 4: Implement least privilege**
- Database user should have minimum required permissions
- Use read-only accounts for SELECT operations
- Never use admin/root accounts for application queries

### XSS Remediation

**Step 1: Enable auto-escaping**
- Most modern frameworks escape by default
- Ensure auto-escaping is not disabled

**Step 2: Use framework-specific safe methods**

```javascript
// React: Use JSX (auto-escapes)
<div>{userInput}</div>

// Vue: Use template syntax (auto-escapes)
<div>{{ userInput }}</div>

// Angular: Use property binding (auto-escapes)
<div [textContent]="userInput"></div>
```

**Step 3: Sanitize when HTML is required**

```javascript
import DOMPurify from 'dompurify';

// Sanitize HTML content, keeping only a small allow-list of tags and no attributes
const clean = DOMPurify.sanitize(userHTML, {
  ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'p'],
  ALLOWED_ATTR: []
});
```

**Step 4: Content Security Policy (CSP)**

```html
<!-- Add CSP header -->
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{random}'
```

---

## Advanced Configuration

This section contains detailed configuration options and tuning parameters.

### Example: SAST Tool Configuration

```yaml
# Advanced security scanner configuration
scanner:
  # Severity threshold
  severity_threshold: MEDIUM

  # Rule configuration
  rules:
    enabled:
      - sql-injection
      - xss
      - hardcoded-secrets
    disabled:
      - informational-only

  # False positive reduction
  confidence_threshold: HIGH
  exclude_patterns:
    - "*/test/*"
    - "*/tests/*"
    - "*/node_modules/*"
    - "*.test.js"
    - "*.spec.ts"

  # Performance tuning
  max_file_size_kb: 2048
  timeout_seconds: 300
  parallel_jobs: 4

  # Output configuration
  output_format: json
  include_code_snippets: true
  max_snippet_lines: 10
```

---

## Examples and Code Samples

This section provides comprehensive code examples for various scenarios.

### Example 1: Secure API Authentication

```python
# Secure API key handling
import hmac
import os
from functools import wraps
from flask import Flask, request, jsonify

app = Flask(__name__)

# Load API key from environment (never hardcode)
VALID_API_KEY = os.environ.get('API_KEY')
if not VALID_API_KEY:
    raise ValueError("API_KEY environment variable not set")

def require_api_key(f):
    @wraps(f)
    def decorated_function(*args, **kwargs):
        api_key = request.headers.get('X-API-Key')

        if not api_key:
            return jsonify({'error': 'API key required'}), 401

        # Constant-time comparison to prevent timing attacks
        if not hmac.compare_digest(api_key, VALID_API_KEY):
            return jsonify({'error': 'Invalid API key'}), 403

        return f(*args, **kwargs)
    return decorated_function

@app.route('/api/secure-endpoint')
@require_api_key
def secure_endpoint():
    return jsonify({'message': 'Access granted'})
```

### Example 2: Secure Password Hashing

```python
# Secure password storage with bcrypt
import bcrypt

def hash_password(password: str) -> str:
    """Hash a password using bcrypt."""
    # Generate salt and hash password
    salt = bcrypt.gensalt(rounds=12)  # Cost factor: 12 (industry standard)
    hashed = bcrypt.hashpw(password.encode('utf-8'), salt)
    return hashed.decode('utf-8')

def verify_password(password: str, hashed: str) -> bool:
    """Verify a password against a hash."""
    return bcrypt.checkpw(
        password.encode('utf-8'),
        hashed.encode('utf-8')
    )

# Usage
stored_hash = hash_password("user_password")
is_valid = verify_password("user_password", stored_hash)  # True
```

### Example 3: Secure File Upload

```python
# Secure file upload with validation
import os
import uuid
import magic
from werkzeug.utils import secure_filename

ALLOWED_EXTENSIONS = {'pdf', 'png', 'jpg', 'jpeg'}
ALLOWED_MIME_TYPES = {
    'application/pdf',
    'image/png',
    'image/jpeg'
}
MAX_FILE_SIZE = 5 * 1024 * 1024  # 5 MB

def is_allowed_file(filename: str, file_content: bytes) -> bool:
    """Validate file extension and MIME type."""
    # Check extension
    if '.' not in filename:
        return False

    ext = filename.rsplit('.', 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False

    # Check MIME type from the bytes themselves (prevent extension spoofing)
    mime = magic.from_buffer(file_content, mime=True)
    if mime not in ALLOWED_MIME_TYPES:
        return False

    return True

def handle_upload(file):
    """Securely handle file upload."""
    # Check file size
    file.seek(0, os.SEEK_END)
    size = file.tell()
    file.seek(0)

    if size > MAX_FILE_SIZE:
        raise ValueError("File too large")

    # Read content for validation
    content = file.read()
    file.seek(0)

    # Validate file type
    if not is_allowed_file(file.filename, content):
        raise ValueError("Invalid file type")

    # Sanitize filename
    filename = secure_filename(file.filename)

    # Generate unique filename to prevent overwrite attacks
    unique_filename = f"{uuid.uuid4()}_{filename}"

    # Save to secure location (outside web root)
    upload_path = os.path.join('/secure/uploads', unique_filename)
    file.save(upload_path)

    return unique_filename
```

---

## Best Practices for Reference Documents

1. **Start with "When to use"** - Help Claude know when to load this reference
2. **Include table of contents** - For documents >100 lines
3. **Use concrete examples** - Code samples with vulnerable and fixed versions
4. **Map to frameworks** - OWASP, CWE, MITRE ATT&CK for context
5. **Provide remediation** - Don't just identify issues, show how to fix them
6. **Organize logically** - Group related content, use clear headings
7. **Keep examples current** - Use modern patterns and current framework versions
8. **Be concise** - Even in references, challenge every sentence

(File metadata: text/markdown; charset=utf-8, 15672 bytes, sha256 d830809dec44c82770c5ef0fe12831754f113931dc739891a1ec8186aefc629f)

---

**File: references/WORKFLOW_CHECKLIST.md**

# Workflow Checklist Template

This template demonstrates workflow patterns for security operations. Copy and adapt these checklists to your specific skill needs.

## Pattern 1: Sequential Workflow Checklist

Use this pattern for operations that must be completed in order, step-by-step.

### Security Assessment Workflow

Progress:
[ ] 1. Identify application entry points and attack surface
[ ] 2. Map authentication and authorization flows
[ ] 3. Identify data flows and sensitive data handling
[ ] 4. Review existing security controls
[ ] 5. Document findings with framework references (OWASP, CWE)
[ ] 6. Prioritize findings by severity (CVSS scores)
[ ] 7. Generate report with remediation recommendations

Work through each step systematically. Check off completed items.

---

## Pattern 2: Conditional Workflow

Use this pattern when the workflow branches based on findings or conditions.

### Vulnerability Remediation Workflow

1. Identify vulnerability type
   - If SQL Injection → See [sql-injection-remediation.md](sql-injection-remediation.md)
   - If XSS (Cross-Site Scripting) → See [xss-remediation.md](xss-remediation.md)
   - If Authentication flaw → See [auth-remediation.md](auth-remediation.md)
   - If Authorization flaw → See [authz-remediation.md](authz-remediation.md)
   - If Cryptographic issue → See [crypto-remediation.md](crypto-remediation.md)

2. Assess severity using CVSS calculator
   - If CVSS >= 9.0 → Priority: Critical (immediate action)
   - If CVSS 7.0-8.9 → Priority: High (action within 24h)
   - If CVSS 4.0-6.9 → Priority: Medium (action within 1 week)
   - If CVSS < 4.0 → Priority: Low (action within 30 days)

3. Apply appropriate remediation pattern
4. Validate fix with security testing
5. Document changes and update security documentation

---

## Pattern 3: Iterative Workflow

Use this pattern for operations that repeat across multiple targets or items.

### Code Security Review Workflow

For each file in the review scope:
1. Identify security-sensitive operations (auth, data access, crypto, input handling)
2. Check against secure coding patterns for the language
3. Flag potential vulnerabilities with severity rating
4. Map findings to CWE and OWASP categories
5. Suggest specific remediation approaches
6. Document each finding with code location and fix priority

Continue until all files in scope have been reviewed.

---

## Pattern 4: Feedback Loop Workflow

Use this pattern when validation and iteration are required.

### Secure Configuration Generation Workflow

1. Generate initial security configuration based on requirements
2. Run validation script: `./scripts/validate_config.py config.yaml`
3. Review validation output:
   - Note all errors (must fix)
   - Note all warnings (should fix)
   - Note all info items (consider)
4. Fix identified issues in configuration
5. Repeat steps 2-4 until validation passes with zero errors
6. Review warnings and determine if they should be addressed
7. Apply configuration once validation is clean

**Validation Loop**: Run validator → Fix errors → Repeat until clean

---

## Pattern 5: Parallel Analysis Workflow

Use this pattern when multiple independent analyses can run concurrently.

### Comprehensive Security Scan Workflow

Run these scans in parallel:

**Static Analysis**:
[ ] 1a. Run SAST scan (Semgrep/Bandit)
[ ] 1b. Run dependency vulnerability scan (Safety/npm audit)
[ ] 1c. Run secrets detection (Gitleaks/TruffleHog)
[ ] 1d. Run license compliance check

**Dynamic Analysis**:
[ ] 2a. Run DAST scan (ZAP/Burp)
[ ] 2b. Run API security testing
[ ] 2c. Run authentication/authorization testing

**Infrastructure Analysis**:
[ ] 3a. Run infrastructure-as-code scan (Checkov/tfsec)
[ ] 3b. Run container image scan (Trivy/Grype)
[ ] 3c. Run configuration review

**Consolidation**:
[ ] 4. Aggregate all findings
[ ] 5. Deduplicate and correlate findings
[ ] 6. Prioritize by risk (CVSS + exploitability + business impact)
[ ] 7. Generate unified security report

---

## Pattern 6: Research and Documentation Workflow

Use this pattern for security research and documentation tasks.

### Threat Modeling Workflow

Research Progress:
[ ] 1. Identify system components and boundaries
[ ] 2. Map data flows between components
[ ] 3. Identify trust boundaries
[ ] 4. Enumerate assets (data, services, credentials)
[ ] 5. Apply STRIDE framework to each component:
   - Spoofing threats
   - Tampering threats
   - Repudiation threats
   - Information disclosure threats
   - Denial of service threats
   - Elevation of privilege threats
[ ] 6. Map threats to MITRE ATT&CK techniques
[ ] 7. Identify existing mitigations
[ ] 8. Document residual risks
[ ] 9. Recommend additional security controls
[ ] 10. Generate threat model document

Work through each step systematically. Check off completed items.

---

## Pattern 7: Compliance Validation Workflow

Use this pattern for compliance checks against security standards.

### Security Compliance Audit Workflow

**SOC 2 Controls Review**:
[ ] 1. Review access control policies (CC6.1, CC6.2, CC6.3)
[ ] 2. Verify logical access controls implementation (CC6.1)
[ ] 3. Review authentication mechanisms (CC6.1)
[ ] 4. Verify encryption implementation (CC6.1, CC6.7)
[ ] 5. Review audit logging configuration (CC7.2)
[ ] 6. Verify security monitoring (CC7.2, CC7.3)
[ ] 7. Review incident response procedures (CC7.3, CC7.4)
[ ] 8. Verify backup and recovery processes (A1.2, A1.3)

**Evidence Collection**:
[ ] 9. Collect policy documents
[ ] 10. Collect configuration screenshots
[ ] 11. Collect audit logs
[ ] 12. Document control gaps
[ ] 13. Generate compliance report

---

## Pattern 8: Incident Response Workflow

Use this pattern for security incident handling.

### Security Incident Response Workflow

**Detection and Analysis**:
[ ] 1. Confirm security incident (rule out false positive)
[ ] 2. Determine incident severity (SEV1/2/3/4)
[ ] 3. Identify affected systems and data
[ ] 4. Preserve evidence (logs, memory dumps, network captures)

**Containment**:
[ ] 5. Isolate affected systems (network segmentation)
[ ] 6. Disable compromised accounts
[ ] 7. Block malicious indicators (IPs, domains, hashes)
[ ] 8. Implement temporary compensating controls

**Eradication**:
[ ] 9. Identify root cause
[ ] 10. Remove malicious artifacts (malware, backdoors, webshells)
[ ] 11. Patch the vulnerabilities that were exploited
[ ] 12. Reset compromised credentials

**Recovery**:
[ ] 13. Restore systems from clean backups (if needed)
[ ] 14. Re-enable systems with monitoring
[ ] 15. Verify system integrity
[ ] 16. Resume normal operations

**Post-Incident**:
[ ] 17. Document incident timeline
[ ] 18. Identify lessons learned
[ ] 19. Update security controls to prevent recurrence
[ ] 20. Update incident response procedures
[ ] 21. Communicate with stakeholders

---

## Usage Guidelines

### When to Use Workflow Checklists

✅ **Use checklists for**:
- Complex multi-step operations
- Operations requiring specific order
- Security assessments and audits
- Incident response procedures
- Compliance validation tasks

❌ **Don't use checklists for**:
- Simple single-step operations
- Highly dynamic exploratory work
- Operations that vary significantly each time

### Adapting This Template

1. **Copy relevant pattern** to your skill's SKILL.md or create new reference file
2. **Customize steps** to match your specific security tool or process
3. **Add framework references** (OWASP, CWE, NIST) where applicable
4. **Include tool-specific commands** for automation
5. **Add decision points** where manual judgment is required

### Checklist Best Practices

- **Be specific**: "Run semgrep --config=auto ." not "Scan the code"
- **Include success criteria**: "Validation passes with 0 errors"
- **Reference standards**: Link to OWASP, CWE, NIST where relevant
- **Show progress**: Checkbox format helps track completion
- **Provide escape hatches**: "If validation fails, see troubleshooting.md"

### Integration with Feedback Loops

Combine checklists with validation scripts for maximum effectiveness:

1. Create checklist for the workflow
2. Provide validation script that checks quality
3. Include "run validator" step in checklist
4. Loop: Complete step → Validate → Fix issues → Re-validate

This pattern dramatically improves output quality through systematic validation.

(File metadata: text/markdown; charset=utf-8, 8390 bytes, sha256 f667c8d5c6e5c50b491643d644082ff202a6bb94476e0e7b648c6d0e5c8a080f)

---

**File: skill-report.json**

```json
{
  "schema_version": "2.0",
  "meta": {
    "generated_at": "2026-01-16T15:09:54.291Z",
    "slug": "agentsecops-analysis-tshark",
    "source_url": "https://github.com/AgentSecOps/SecOpsAgentKit/tree/main/skills/offsec/analysis-tshark",
    "source_ref": "main",
    "model": "claude",
    "analysis_version": "3.0.0",
    "source_type": "community",
    "content_hash": "322873e3050dffb7765c2b805fb246cbbb076795d3450906eb2f1a3ce2d3ba0e",
    "tree_hash": "35c82a60e8776874639039fd5cca363c0aa88c11bffce6d1bdacc895223c6543"
  },
  "skill": {
    "name": "analysis-tshark",
    "description": "Network protocol analyzer and packet capture tool for traffic analysis, security investigations, and forensic examination using Wireshark's command-line interface. Use when: (1) Analyzing network traffic for security incidents and malware detection, (2) Capturing and filtering packets for forensic analysis, (3) Extracting credentials and sensitive data from network captures, (4) Investigating network anomalies and attack patterns, (5) Validating encryption and security controls, (6) Performing protocol analysis for vulnerability research.\n",
    "summary": "Network protocol analyzer and packet capture tool for traffic analysis, security investigations, and...",
    "icon": "🔍",
    "version": "0.1.0",
    "author": "AgentSecOps",
    "license": "MIT",
    "category": "offsec",
    "tags": ["packet-capture", "network-analysis", "forensics", "tshark", "wireshark", "traffic-analysis"],
    "supported_tools": ["claude", "codex", "claude-code"],
    "risk_factors": ["external_commands", "network", "filesystem", "env_access", "scripts"]
  }
}
```

Security audit (`security_audit`): `risk_level` "safe", `is_blocked` false, `safe_to_publish` true.

Summary: This is a documentation-only skill containing no executable code. All content describes legitimate defensive security operations using TShark (Wireshark CLI). The static analyzer flagged 298 findings, but all are FALSE POSITIVES because they are detecting example commands and security terminology in documentation, not actual executable code.
The skill includes proper authorization warnings, legal compliance guidance, and defensive considerations for protecting networks against unauthorized packet capture.
\"references/EXAMPLE.md\",\n \"line_start\": 424,\n \"line_end\": 424\n },\n {\n \"file\": \"references/EXAMPLE.md\",\n \"line_start\": 425,\n \"line_end\": 425\n },\n {\n \"file\": \"references/EXAMPLE.md\",\n \"line_start\": 427,\n \"line_end\": 427\n },\n {\n \"file\": \"references/EXAMPLE.md\",\n \"line_start\": 430,\n \"line_end\": 430\n },\n {\n \"file\": \"references/EXAMPLE.md\",\n \"line_start\": 432,\n \"line_end\": 432\n },\n {\n \"file\": \"references/EXAMPLE.md\",\n \"line_start\": 437,\n \"line_end\": 437\n },\n {\n \"file\": \"references/EXAMPLE.md\",\n \"line_start\": 437,\n \"line_end\": 437\n },\n {\n \"file\": \"references/EXAMPLE.md\",\n \"line_start\": 444,\n \"line_end\": 444\n }\n ]\n },\n {\n \"factor\": \"scripts\",\n \"evidence\": [\n {\n \"file\": \"references/EXAMPLE.md\",\n \"line_start\": 138,\n \"line_end\": 138\n },\n {\n \"file\": \"references/EXAMPLE.md\",\n \"line_start\": 137,\n \"line_end\": 137\n }\n ]\n }\n ],\n \"critical_findings\": [],\n \"high_findings\": [],\n \"medium_findings\": [],\n \"low_findings\": [],\n \"dangerous_patterns\": [],\n \"files_scanned\": 6,\n \"total_lines\": 2372,\n \"audit_model\": \"claude\",\n \"audited_at\": \"2026-01-16T15:09:54.291Z\"\n },\n \"content\": {\n \"user_title\": \"Analyze network traffic with TShark\",\n \"value_statement\": \"Network security professionals need to capture and analyze packet data for incident response and forensic investigations. 
TShark provides command-line packet analysis capabilities for traffic inspection, credential extraction, malware detection, and protocol analysis without requiring a GUI interface.\",\n \"seo_keywords\": [\n \"tshark\",\n \"network analysis\",\n \"packet capture\",\n \"wireshark cli\",\n \"network forensics\",\n \"traffic analysis\",\n \"security investigation\",\n \"claude\",\n \"codex\",\n \"claude-code\"\n ],\n \"actual_capabilities\": [\n \"Capture network packets on specified interfaces with capture filters\",\n \"Apply display filters to analyze captured traffic for security indicators\",\n \"Extract credentials from HTTP, FTP, NTLM, Kerberos, and email protocols\",\n \"Export files and objects from packet captures (HTTP, SMB, DICOM, IMF)\",\n \"Detect malware indicators including C2 beaconing, DNS tunneling, and port scanning\",\n \"Generate protocol hierarchy statistics and conversation summaries\"\n ],\n \"limitations\": [\n \"Requires tshark to be installed on the system (not bundled)\",\n \"Cannot capture packets without proper system permissions (sudo or wireshark group)\",\n \"Only provides documentation and guidance, no automated execution of tshark commands\",\n \"TLS traffic decryption requires access to SSL key logs or private keys\"\n ],\n \"use_cases\": [\n {\n \"target_user\": \"Security analysts\",\n \"title\": \"Incident response analysis\",\n \"description\": \"Capture and analyze network traffic during security incidents to identify attack patterns and extract indicators of compromise\"\n },\n {\n \"target_user\": \"Forensic investigators\",\n \"title\": \"Network forensics\",\n \"description\": \"Examine packet captures to reconstruct network conversations, extract transmitted files, and document evidence for investigations\"\n },\n {\n \"target_user\": \"SOC engineers\",\n \"title\": \"Malware traffic detection\",\n \"description\": \"Analyze captured traffic to identify C2 beaconing, data exfiltration, and suspicious network behavior from 
malware\"\n }\n ],\n \"prompt_templates\": [\n {\n \"title\": \"Capture network packets\",\n \"scenario\": \"Starting packet capture\",\n \"prompt\": \"Use tshark to capture 1000 packets on interface eth0 and save to incident_capture.pcap\"\n },\n {\n \"title\": \"Analyze HTTP traffic\",\n \"scenario\": \"Examining web traffic\",\n \"prompt\": \"Analyze capture.pcap for HTTP requests and show source IP, host, and request URI\"\n },\n {\n \"title\": \"Extract credentials\",\n \"scenario\": \"Finding authentication data\",\n \"prompt\": \"Extract HTTP Basic authentication credentials and FTP usernames/passwords from the packet capture\"\n },\n {\n \"title\": \"Detect C2 beaconing\",\n \"scenario\": \"Identifying malware patterns\",\n \"prompt\": \"Analyze malware_traffic.pcap for C2 beaconing patterns and suspicious DNS queries indicating domain generation algorithms\"\n }\n ],\n \"output_examples\": [\n {\n \"input\": \"Analyze capture.pcap for suspicious traffic\",\n \"output\": [\n \"Key findings:\",\n \"- 15 unique external IP contacts detected\",\n \"- HTTP POST requests with large data transfers (>1MB) to 3 IPs\",\n \"- DNS queries with abnormally long domain names (>50 chars) suggesting tunneling\",\n \"- 3 connections using suspicious User-Agents (python-requests, curl)\",\n \"Recommendation: Review the flagged IPs and DNS queries for potential data exfiltration\"\n ]\n },\n {\n \"input\": \"Extract credentials from incident capture\",\n \"output\": [\n \"HTTP Basic Auth found: 2 credentials decoded from Authorization headers\",\n \"FTP credentials: 3 username/password pairs extracted\",\n \"SMB authentication: NTLM hashes captured from 5 source IPs\",\n \"All credentials marked as sensitive - handle according to security policy\"\n ]\n },\n {\n \"input\": \"Generate protocol statistics from pcap\",\n \"output\": [\n \"Protocol hierarchy: HTTP (45%), TLS (30%), DNS (15%), TCP (8%), Other (2%)\",\n \"Top talkers: 192.168.1.100 (1200 packets), 10.0.0.55 (890 
packets)\",\n \"Conversation breakdown: 45 unique IP conversations detected\",\n \"Expert info: 3 malformed packets, 12 TCP retransmissions flagged\"\n ]\n }\n ],\n \"best_practices\": [\n \"Obtain written authorization before capturing network traffic to ensure legal compliance\",\n \"Use capture filters (BPF) during capture to reduce file size and focus on relevant traffic\",\n \"Apply data minimization principles and securely delete capture files per retention policy\"\n ],\n \"anti_patterns\": [\n \"Capturing traffic on interfaces without verifying legal authorization\",\n \"Storing packet captures unencrypted on shared or public systems\",\n \"Sharing raw packet captures containing sensitive data without proper anonymization\"\n ],\n \"faq\": [\n {\n \"question\": \"What operating systems support tshark?\",\n \"answer\": \"TShark runs on Linux, Windows, macOS, and most Unix-like systems. Install via package manager (apt, yum, brew) or from wireshark.org.\"\n },\n {\n \"question\": \"What are the permission requirements for packet capture?\",\n \"answer\": \"Packet capture requires root privileges or membership in the wireshark group. Use sudo or configure setcap for permanent access.\"\n },\n {\n \"question\": \"Can this skill execute tshark commands?\",\n \"answer\": \"No. This skill provides documentation and guidance for using tshark. Users must have tshark installed and run commands themselves.\"\n },\n {\n \"question\": \"How are sensitive credentials in packet captures protected?\",\n \"answer\": \"Treat extracted credentials as highly sensitive. Use encrypted storage, restrict access, and follow data retention and deletion policies.\"\n },\n {\n \"question\": \"Why am I seeing no interfaces found?\",\n \"answer\": \"Verify tshark is installed (tshark --version). Use sudo tshark -D to list interfaces. 
Check interface status with ip link show.\"\n },\n {\n \"question\": \"How does this compare to Wireshark GUI?\",\n \"answer\": \"TShark provides the same parsing capabilities as Wireshark but via command line. Ideal for headless servers, automation, and remote analysis via SSH.\"\n }\n ]\n },\n \"file_structure\": [\n {\n \"name\": \"assets\",\n \"type\": \"dir\",\n \"path\": \"assets\",\n \"children\": [\n {\n \"name\": \"ci-config-template.yml\",\n \"type\": \"file\",\n \"path\": \"assets/ci-config-template.yml\",\n \"lines\": 358\n },\n {\n \"name\": \"rule-template.yaml\",\n \"type\": \"file\",\n \"path\": \"assets/rule-template.yaml\",\n \"lines\": 356\n }\n ]\n },\n {\n \"name\": \"references\",\n \"type\": \"dir\",\n \"path\": \"references\",\n \"children\": [\n {\n \"name\": \"EXAMPLE.md\",\n \"type\": \"file\",\n \"path\": \"references/EXAMPLE.md\",\n \"lines\": 551\n },\n {\n \"name\": \"WORKFLOW_CHECKLIST.md\",\n \"type\": \"file\",\n \"path\": \"references/WORKFLOW_CHECKLIST.md\",\n \"lines\": 254\n }\n ]\n },\n {\n \"name\": \"SKILL.md\",\n \"type\": \"file\",\n \"path\": \"SKILL.md\",\n \"lines\": 639\n }\n ]\n}\n","content_type":"application/json; charset=utf-8","language":"json","size":37522,"content_sha256":"0d95ec60defb0472a469e6056b3ee097acc36bb2a6d2b8d16ee60026d772a353"}],"content_json":{"type":"doc","content":[{"type":"heading","attrs":{"level":1},"content":[{"text":"TShark Network Protocol Analyzer","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Overview","type":"text"}]},{"type":"paragraph","content":[{"text":"TShark is the command-line network protocol analyzer from the Wireshark project. It provides powerful packet capture and analysis capabilities for security investigations, forensic analysis, and network troubleshooting. 
This skill covers authorized security operations including traffic analysis, credential extraction, malware detection, and forensic examination.","type":"text"}]},{"type":"paragraph","content":[{"text":"IMPORTANT","type":"text","marks":[{"type":"strong"}]},{"text":": Network packet capture may expose sensitive information and must only be conducted with proper authorization. Ensure legal compliance and privacy considerations before capturing network traffic.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Quick Start","type":"text"}]},{"type":"paragraph","content":[{"text":"Basic packet capture and analysis:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Capture packets on interface\nsudo tshark -i eth0\n\n# Capture 100 packets and save to file\nsudo tshark -i eth0 -c 100 -w capture.pcap\n\n# Read and analyze capture file\ntshark -r capture.pcap\n\n# Apply display filter\ntshark -r capture.pcap -Y \"http.request.method == GET\"\n\n# Extract HTTP objects\ntshark -r capture.pcap --export-objects http,extracted_files/","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Core Workflow","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Network Analysis Workflow","type":"text"}]},{"type":"paragraph","content":[{"text":"Progress: [ ] 1. Verify authorization for packet capture [ ] 2. Identify target interface and capture requirements [ ] 3. Capture network traffic with appropriate filters [ ] 4. Analyze captured packets for security indicators [ ] 5. Extract artifacts (files, credentials, sessions) [ ] 6. Document findings and security implications [ ] 7. Securely handle and store capture files [ ] 8. Clean up sensitive data per retention policy","type":"text"}]},{"type":"paragraph","content":[{"text":"Work through each step systematically. Check off completed items.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"1. 
Authorization Verification","type":"text"}]},{"type":"paragraph","content":[{"text":"CRITICAL","type":"text","marks":[{"type":"strong"}]},{"text":": Before any packet capture:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Confirm written authorization for network monitoring","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Verify legal compliance (wiretapping laws, privacy regulations)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Understand data handling and retention requirements","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Document scope of capture (interfaces, duration, filters)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Ensure secure storage for captured data","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"2. 
Interface Discovery","type":"text"}]},{"type":"paragraph","content":[{"text":"Identify available network interfaces:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# List all interfaces\ntshark -D\n\n# List interfaces with elevated privileges (an unprivileged user may see fewer interfaces)\nsudo tshark -D\n\n# Capture on specific interface\nsudo tshark -i eth0\nsudo tshark -i wlan0\n\n# Capture on any interface\nsudo tshark -i any\n\n# Capture on multiple interfaces\nsudo tshark -i eth0 -i wlan0","type":"text"}]},{"type":"paragraph","content":[{"text":"Interface types","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"eth0/ens33","type":"text","marks":[{"type":"strong"}]},{"text":": Ethernet interface","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"wlan0","type":"text","marks":[{"type":"strong"}]},{"text":": Wireless interface","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"lo","type":"text","marks":[{"type":"strong"}]},{"text":": Loopback interface","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"any","type":"text","marks":[{"type":"strong"}]},{"text":": All interfaces (Linux only)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"mon0","type":"text","marks":[{"type":"strong"}]},{"text":": Monitor mode interface (wireless)","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"3. 
Basic Packet Capture","type":"text"}]},{"type":"paragraph","content":[{"text":"Capture network traffic:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Capture indefinitely (Ctrl+C to stop)\nsudo tshark -i eth0\n\n# Capture specific number of packets\nsudo tshark -i eth0 -c 1000\n\n# Capture for specific duration (seconds)\nsudo tshark -i eth0 -a duration:60\n\n# Capture to file\nsudo tshark -i eth0 -w capture.pcap\n\n# Capture with ring buffer (rotate files)\nsudo tshark -i eth0 -w capture.pcap -b filesize:100000 -b files:5","type":"text"}]},{"type":"paragraph","content":[{"text":"Capture options","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"-c \u003ccount>","type":"text","marks":[{"type":"code_inline"}]},{"text":": Capture packet count","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"-a duration:\u003csec>","type":"text","marks":[{"type":"code_inline"}]},{"text":": Auto-stop after duration","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"-w \u003cfile>","type":"text","marks":[{"type":"code_inline"}]},{"text":": Write to file","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"-b filesize:\u003cKB>","type":"text","marks":[{"type":"code_inline"}]},{"text":": Rotate at file size","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"-b files:\u003cnum>","type":"text","marks":[{"type":"code_inline"}]},{"text":": Keep N ring buffer files","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"4. 
Capture Filters","type":"text"}]},{"type":"paragraph","content":[{"text":"Apply BPF (Berkeley Packet Filter) during capture for efficiency:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Capture only HTTP traffic\nsudo tshark -i eth0 -f \"tcp port 80\"\n\n# Capture specific host\nsudo tshark -i eth0 -f \"host 192.168.1.100\"\n\n# Capture subnet\nsudo tshark -i eth0 -f \"net 192.168.1.0/24\"\n\n# Capture multiple ports\nsudo tshark -i eth0 -f \"tcp port 80 or tcp port 443\"\n\n# Exclude specific traffic\nsudo tshark -i eth0 -f \"not port 22\"\n\n# Capture SYN packets only\nsudo tshark -i eth0 -f \"tcp[tcpflags] & tcp-syn != 0\"","type":"text"}]},{"type":"paragraph","content":[{"text":"Common capture filters","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"host \u003cip>","type":"text","marks":[{"type":"code_inline"}]},{"text":": Traffic to/from IP","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"net \u003ccidr>","type":"text","marks":[{"type":"code_inline"}]},{"text":": Traffic to/from network","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"port \u003cport>","type":"text","marks":[{"type":"code_inline"}]},{"text":": Specific port","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"tcp|udp|icmp","type":"text","marks":[{"type":"code_inline"}]},{"text":": Protocol type","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"src|dst","type":"text","marks":[{"type":"code_inline"}]},{"text":": Direction filter","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"and|or|not","type":"text","marks":[{"type":"code_inline"}]},{"text":": Logical 
operators","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"5. Display Filters","type":"text"}]},{"type":"paragraph","content":[{"text":"Analyze captured traffic with Wireshark display filters:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# HTTP requests only\ntshark -r capture.pcap -Y \"http.request\"\n\n# HTTP responses\ntshark -r capture.pcap -Y \"http.response\"\n\n# DNS queries\ntshark -r capture.pcap -Y \"dns.flags.response == 0\"\n\n# TLS handshakes\ntshark -r capture.pcap -Y \"tls.handshake.type == 1\"\n\n# Suspicious traffic patterns\ntshark -r capture.pcap -Y \"tcp.flags.syn==1 and tcp.flags.ack==0\"\n\n# Failed connections\ntshark -r capture.pcap -Y \"tcp.flags.reset==1\"","type":"text"}]},{"type":"paragraph","content":[{"text":"Advanced display filters","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# HTTP POST requests with credentials\ntshark -r capture.pcap -Y \"http.request.method == POST and (http contains \\\"password\\\" or http contains \\\"username\\\")\"\n\n# SMB file transfers\ntshark -r capture.pcap -Y \"smb2.cmd == 8 or smb2.cmd == 9\"\n\n# Suspicious User-Agents\ntshark -r capture.pcap -Y \"http.user_agent contains \\\"python\\\" or http.user_agent contains \\\"curl\\\"\"\n\n# Large data transfers\ntshark -r capture.pcap -Y \"tcp.len > 1400\"\n\n# Beaconing detection (periodic traffic)\ntshark -r capture.pcap -Y \"http\" -T fields -e frame.time_relative -e ip.dst","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"6. 
Protocol Analysis","type":"text"}]},{"type":"paragraph","content":[{"text":"Analyze specific protocols:","type":"text"}]},{"type":"paragraph","content":[{"text":"HTTP/HTTPS Analysis","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Extract HTTP requests\ntshark -r capture.pcap -Y \"http.request\" -T fields -e ip.src -e http.host -e http.request.uri\n\n# Extract HTTP User-Agents\ntshark -r capture.pcap -Y \"http.user_agent\" -T fields -e ip.src -e http.user_agent\n\n# HTTP status codes\ntshark -r capture.pcap -Y \"http.response\" -T fields -e ip.src -e http.response.code\n\n# Extract HTTP cookies\ntshark -r capture.pcap -Y \"http.cookie\" -T fields -e ip.src -e http.cookie","type":"text"}]},{"type":"paragraph","content":[{"text":"DNS Analysis","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# DNS queries\ntshark -r capture.pcap -Y \"dns.flags.response == 0\" -T fields -e ip.src -e dns.qry.name\n\n# DNS responses\ntshark -r capture.pcap -Y \"dns.flags.response == 1\" -T fields -e dns.qry.name -e dns.a\n\n# DNS tunneling detection (long domain names)\ntshark -r capture.pcap -Y \"dns\" -T fields -e dns.qry.name | awk 'length > 50'\n\n# DNS query types\ntshark -r capture.pcap -Y \"dns\" -T fields -e dns.qry.type -e dns.qry.name","type":"text"}]},{"type":"paragraph","content":[{"text":"TLS/SSL Analysis","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# TLS handshakes\ntshark -r capture.pcap -Y \"tls.handshake.type == 1\" -T fields -e ip.src -e ip.dst -e tls.handshake.extensions_server_name\n\n# TLS certificates\ntshark -r capture.pcap -Y \"tls.handshake.certificate\" -T fields -e tls.handshake.certificate\n\n# SSL/TLS versions\ntshark -r capture.pcap -Y 
\"tls\" -T fields -e tls.record.version\n\n# Weak cipher suites\ntshark -r capture.pcap -Y \"tls.handshake.ciphersuite\" -T fields -e tls.handshake.ciphersuite","type":"text"}]},{"type":"paragraph","content":[{"text":"SMB/CIFS Analysis","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# SMB file access\ntshark -r capture.pcap -Y \"smb2\" -T fields -e ip.src -e smb2.filename\n\n# SMB authentication\ntshark -r capture.pcap -Y \"ntlmssp\" -T fields -e ip.src -e ntlmssp.auth.username\n\n# SMB commands\ntshark -r capture.pcap -Y \"smb2\" -T fields -e smb2.cmd","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"7. Credential Extraction","type":"text"}]},{"type":"paragraph","content":[{"text":"Extract credentials from network traffic (authorized forensics only):","type":"text"}]},{"type":"paragraph","content":[{"text":"HTTP Basic Authentication","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Extract HTTP Basic Auth credentials (http.authbasic is already decoded by the dissector)\ntshark -r capture.pcap -Y \"http.authbasic\" -T fields -e ip.src -e http.authbasic\n\n# Decode Base64 credentials manually: the header value is \"Basic <token>\", so strip the\n# scheme word and decode each token on its own line (base64 -d rejects the raw header)\ntshark -r capture.pcap -Y \"http.authorization\" -T fields -e http.authorization | awk '$1 == \"Basic\" {print $2}' | while read -r token; do echo \"$token\" | base64 -d; echo; done","type":"text"}]},{"type":"paragraph","content":[{"text":"FTP Credentials","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Extract FTP usernames\ntshark -r capture.pcap -Y \"ftp.request.command == USER\" -T fields -e ip.src -e ftp.request.arg\n\n# Extract FTP passwords\ntshark -r capture.pcap -Y \"ftp.request.command == PASS\" -T fields -e ip.src -e 
ftp.request.arg","type":"text"}]},{"type":"paragraph","content":[{"text":"NTLM/Kerberos","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Extract NTLM hashes\ntshark -r capture.pcap -Y \"ntlmssp.auth.ntlmv2response\" -T fields -e ntlmssp.auth.username -e ntlmssp.auth.domain -e ntlmssp.auth.ntlmv2response\n\n# Kerberos tickets\ntshark -r capture.pcap -Y \"kerberos.CNameString\" -T fields -e kerberos.CNameString -e kerberos.realm","type":"text"}]},{"type":"paragraph","content":[{"text":"Email Credentials","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# SMTP authentication\ntshark -r capture.pcap -Y \"smtp.req.command == AUTH\" -T fields -e ip.src\n\n# POP3 credentials\ntshark -r capture.pcap -Y \"pop.request.command == USER or pop.request.command == PASS\" -T fields -e pop.request.parameter\n\n# IMAP credentials\ntshark -r capture.pcap -Y \"imap.request contains \\\"LOGIN\\\"\" -T fields -e imap.request","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"8. 
File Extraction","type":"text"}]},{"type":"paragraph","content":[{"text":"Extract files from packet captures:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Export HTTP objects\ntshark -r capture.pcap --export-objects http,extracted_http/\n\n# Export SMB objects\ntshark -r capture.pcap --export-objects smb,extracted_smb/\n\n# Export DICOM objects\ntshark -r capture.pcap --export-objects dicom,extracted_dicom/\n\n# Export IMF (email) objects\ntshark -r capture.pcap --export-objects imf,extracted_email/","type":"text"}]},{"type":"paragraph","content":[{"text":"Manual file reconstruction","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Extract file data from HTTP response\ntshark -r capture.pcap -Y \"http.response and http.content_type contains \\\"application/pdf\\\"\" -T fields -e data.data | xxd -r -p > extracted_file.pdf\n\n# Reassemble TCP stream\ntshark -r capture.pcap -q -z follow,tcp,ascii,\u003cstream-number>","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"9. Malware Detection","type":"text"}]},{"type":"paragraph","content":[{"text":"Identify malicious network activity:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Detect common C2 beaconing patterns\ntshark -r capture.pcap -Y \"http\" -T fields -e frame.time_relative -e ip.dst -e http.host | sort | uniq -c | sort -rn\n\n# Suspicious DNS queries (DGA domains)\ntshark -r capture.pcap -Y \"dns.qry.name\" -T fields -e dns.qry.name | awk -F'.' 
'{print $(NF-1)\".\"$NF}' | sort | uniq -c | sort -rn\n\n# Detect port scanning\ntshark -r capture.pcap -Y \"tcp.flags.syn==1 and tcp.flags.ack==0\" -T fields -e ip.src -e ip.dst -e tcp.dstport | sort | uniq -c | sort -rn\n\n# Detect data exfiltration (large uploads)\ntshark -r capture.pcap -Y \"http.request.method == POST\" -T fields -e ip.src -e http.content_length | awk '$2 > 1000000'\n\n# Suspicious executable downloads\ntshark -r capture.pcap -Y \"http.response and (http.content_type contains \\\"application/exe\\\" or http.content_type contains \\\"application/x-dosexec\\\")\"","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"10. Statistics and Reporting","type":"text"}]},{"type":"paragraph","content":[{"text":"Generate traffic statistics:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Protocol hierarchy\ntshark -r capture.pcap -q -z io,phs\n\n# Conversation statistics\ntshark -r capture.pcap -q -z conv,tcp\ntshark -r capture.pcap -q -z conv,udp\ntshark -r capture.pcap -q -z conv,ip\n\n# HTTP statistics\ntshark -r capture.pcap -q -z http,tree\n\n# DNS statistics\ntshark -r capture.pcap -q -z dns,tree\n\n# Endpoints\ntshark -r capture.pcap -q -z endpoints,tcp\ntshark -r capture.pcap -q -z endpoints,udp\n\n# Expert info (warnings/errors)\ntshark -r capture.pcap -q -z expert","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Security Considerations","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Authorization & Legal Compliance","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Written Authorization","type":"text","marks":[{"type":"strong"}]},{"text":": Obtain explicit permission for network monitoring","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Privacy Laws","type":"text","marks":[{"type":"strong"}]},{"text":": 
Comply with wiretapping and privacy regulations (GDPR, CCPA, ECPA)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Data Minimization","type":"text","marks":[{"type":"strong"}]},{"text":": Capture only necessary traffic for investigation","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Credential Handling","type":"text","marks":[{"type":"strong"}]},{"text":": Treat extracted credentials as highly sensitive","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Retention Policy","type":"text","marks":[{"type":"strong"}]},{"text":": Follow data retention and secure deletion requirements","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Operational Security","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Encrypted Storage","type":"text","marks":[{"type":"strong"}]},{"text":": Encrypt capture files at rest","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Access Control","type":"text","marks":[{"type":"strong"}]},{"text":": Restrict access to packet captures","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Secure Transfer","type":"text","marks":[{"type":"strong"}]},{"text":": Use encrypted channels for capture file transfer","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Anonymization","type":"text","marks":[{"type":"strong"}]},{"text":": Remove or redact PII when sharing captures","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Chain of Custody","type":"text","marks":[{"type":"strong"}]},{"text":": Maintain forensic integrity for legal proceedings","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Audit 
Logging","type":"text"}]},{"type":"paragraph","content":[{"text":"Document all packet capture activities:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Capture start and end timestamps","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Interface(s) captured","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Capture filters applied","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"File names and storage locations","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Personnel who accessed captures","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Purpose of capture and investigation findings","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Secure deletion timestamps","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Compliance","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"MITRE ATT&CK","type":"text","marks":[{"type":"strong"}]},{"text":": T1040 (Network Sniffing)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"NIST CSF","type":"text","marks":[{"type":"strong"}]},{"text":": DE.AE (Detection Processes - Anomalies and Events)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"PCI-DSS","type":"text","marks":[{"type":"strong"}]},{"text":": Network security monitoring requirements","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"ISO 27001","type":"text","marks":[{"type":"strong"}]},{"text":": A.12.4 Logging and 
monitoring","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"GDPR","type":"text","marks":[{"type":"strong"}]},{"text":": Data protection and privacy requirements","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Common Patterns","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pattern 1: Incident Response Investigation","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Capture traffic during incident\nsudo tshark -i eth0 -w incident_$(date +%Y%m%d_%H%M%S).pcap -a duration:300\n\n# Analyze for lateral movement\ntshark -r incident.pcap -Y \"smb2 or rdp or ssh\" -T fields -e ip.src -e ip.dst\n\n# Identify C2 communication\ntshark -r incident.pcap -Y \"http or dns\" -T fields -e ip.dst -e http.host -e dns.qry.name\n\n# Extract IOCs\ntshark -r incident.pcap -Y \"ip.dst\" -T fields -e ip.dst | sort -u > ioc_ips.txt\ntshark -r incident.pcap -Y \"dns.qry.name\" -T fields -e dns.qry.name | sort -u > ioc_domains.txt","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pattern 2: Malware Traffic Analysis","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Capture malware sandbox traffic\nsudo tshark -i eth0 -w malware_traffic.pcap\n\n# Extract C2 indicators\ntshark -r malware_traffic.pcap -Y \"http.host\" -T fields -e ip.src -e http.host -e http.user_agent\n\n# Identify DNS tunneling\ntshark -r malware_traffic.pcap -Y \"dns\" -T fields -e dns.qry.name | awk 'length > 50'\n\n# Extract downloaded payloads\ntshark -r malware_traffic.pcap --export-objects http,malware_artifacts/\n\n# Analyze encryption/encoding\ntshark -r malware_traffic.pcap -Y \"http.request.method == POST\" -T fields -e data.data","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pattern 3: Credential Harvesting 
Detection","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Monitor for credential transmission\nsudo tshark -i eth0 -Y \"(http.authorization or ftp or pop or imap) and not tls\" -T fields -e ip.src -e ip.dst\n\n# Extract all HTTP POST data\ntshark -r capture.pcap -Y \"http.request.method == POST\" -T fields -e http.file_data > post_data.txt\n\n# Search for password keywords\ntshark -r capture.pcap -Y \"http contains \\\"password\\\" or http contains \\\"passwd\\\"\" -T fields -e ip.src -e http.request.uri\n\n# NTLM hash extraction\ntshark -r capture.pcap -Y \"ntlmssp.auth.ntlmv2response\" -T fields -e ntlmssp.auth.username -e ntlmssp.auth.domain -e ntlmssp.auth.ntlmv2response > ntlm_hashes.txt","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pattern 4: Network Forensics","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Reconstruct HTTP conversation\ntshark -r capture.pcap -q -z follow,http,ascii,0\n\n# Timeline analysis\ntshark -r capture.pcap -T fields -e frame.time -e ip.src -e ip.dst -e tcp.dstport\n\n# Identify file transfers\ntshark -r capture.pcap -Y \"http.content_type contains \\\"application/\\\" or ftp-data\" -T fields -e frame.number -e http.content_type\n\n# Geolocation of connections (requires GeoIP)\ntshark -r capture.pcap -T fields -e ip.src -e ip.dst -e ip.geoip.src_country -e ip.geoip.dst_country","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pattern 5: Wireless Security Assessment","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Capture wireless traffic (monitor mode required)\nsudo tshark -i mon0 -w wireless_capture.pcap\n\n# Identify wireless networks\ntshark -r wireless_capture.pcap -Y \"wlan.fc.type_subtype == 0x08\" -T fields -e wlan.ssid -e wlan.bssid\n\n# Detect deauth attacks\ntshark -r wireless_capture.pcap -Y 
\"wlan.fc.type_subtype == 0x0c\"\n\n# WPA handshake capture\ntshark -r wireless_capture.pcap -Y \"eapol\"\n\n# Client probing activity\ntshark -r wireless_capture.pcap -Y \"wlan.fc.type_subtype == 0x04\" -T fields -e wlan.sa -e wlan.ssid","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Integration Points","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"SIEM Integration","type":"text"}]},{"type":"paragraph","content":[{"text":"Export packet analysis to SIEM platforms:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Export to JSON for Splunk/ELK\ntshark -r capture.pcap -T ek > packets.json\n\n# Export specific fields in JSON\ntshark -r capture.pcap -Y \"http\" -T json -e ip.src -e ip.dst -e http.host -e http.request.uri\n\n# CSV export for analysis\ntshark -r capture.pcap -T fields -E separator=, -e frame.time -e ip.src -e ip.dst -e tcp.dstport > packets.csv","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Scripting and Automation","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"#!/bin/bash\n# continuous_monitor.sh - Continuous network monitoring\n\nINTERFACE=\"eth0\"\nALERT_FILTER=\"http contains \\\"cmd.exe\\\" or dns.qry.name contains \\\".tk\\\" or dns.qry.name contains \\\".xyz\\\"\"\n\nsudo tshark -i $INTERFACE -Y \"$ALERT_FILTER\" -T fields -e frame.time -e ip.src -e ip.dst -e http.host -e dns.qry.name | \\\nwhile read line; do\n echo \"[ALERT] $(date): $line\" | tee -a security_alerts.log\n # Trigger incident response workflow\n echo \"$line\" | mail -s \"Security Alert\" [email protected]\ndone","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Troubleshooting","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Issue: \"Permission denied\" when 
capturing","type":"text"}]},{"type":"paragraph","content":[{"text":"Solutions","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Run with sudo\nsudo tshark -i eth0\n\n# Or add user to wireshark group (Linux). Capabilities belong on dumpcap,\n# the capture helper that tshark spawns, not on the tshark binary itself\nsudo usermod -a -G wireshark $USER\nsudo setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap\n\n# Logout and login for group changes to take effect","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Issue: \"No interfaces found\"","type":"text"}]},{"type":"paragraph","content":[{"text":"Solutions","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Verify tshark installation\ntshark --version\n\n# List interfaces with sudo\nsudo tshark -D\n\n# Check interface status\nip link show\nifconfig -a","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Issue: Capture file is huge","type":"text"}]},{"type":"paragraph","content":[{"text":"Solutions","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Use capture filters to reduce size\nsudo tshark -i eth0 -f \"not port 22\" -w capture.pcap\n\n# Use ring buffer (filesize is in kB: rotate at ~100 MB, keep 5 files)\nsudo tshark -i eth0 -w capture.pcap -b filesize:100000 -b files:5\n\n# Limit packet size (snaplen)\nsudo tshark -i eth0 -s 128 -w capture.pcap","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Issue: Cannot decrypt TLS traffic","type":"text"}]},{"type":"paragraph","content":[{"text":"Solutions","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Provide SSL key log file (requires SSLKEYLOGFILE environment variable)\ntshark -r capture.pcap -o tls.keylog_file:sslkeys.log -Y 
\"http\"\n\n# Use pre-master secret\ntshark -r capture.pcap -o tls.keys_list:192.168.1.100,443,http,/path/to/server.key","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Defensive Considerations","type":"text"}]},{"type":"paragraph","content":[{"text":"Organizations should protect against unauthorized packet capture:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Network Segmentation","type":"text","marks":[{"type":"strong"}]},{"text":": Reduce exposure to packet sniffing","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Encryption","type":"text","marks":[{"type":"strong"}]},{"text":": Use TLS/SSL to protect sensitive data in transit","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Switch Security","type":"text","marks":[{"type":"strong"}]},{"text":": Enable port security and DHCP snooping","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Wireless Security","type":"text","marks":[{"type":"strong"}]},{"text":": Use WPA3, disable broadcast SSID","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Intrusion Detection","type":"text","marks":[{"type":"strong"}]},{"text":": Monitor for promiscuous mode interfaces","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Physical Security","type":"text","marks":[{"type":"strong"}]},{"text":": Protect network infrastructure from tap devices","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Detect packet capture activity:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Monitor for promiscuous mode network interfaces","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Detect ARP spoofing and MAC flooding 
attacks","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Audit administrative access to network devices","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Monitor for unusual outbound data transfers","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Deploy network access control (802.1X)","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"References","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"TShark Man Page","type":"text","marks":[{"type":"link","attrs":{"href":"https://www.wireshark.org/docs/man-pages/tshark.html","title":null}}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Wireshark Display Filters","type":"text","marks":[{"type":"link","attrs":{"href":"https://wiki.wireshark.org/DisplayFilters","title":null}}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"MITRE ATT&CK: Network Sniffing","type":"text","marks":[{"type":"link","attrs":{"href":"https://attack.mitre.org/techniques/T1040/","title":null}}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"NIST SP 800-92: Guide to Computer Security Log Management","type":"text","marks":[{"type":"link","attrs":{"href":"https://csrc.nist.gov/publications/detail/sp/800-92/final","title":null}}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Practical Packet Analysis 
Book","type":"text","marks":[{"type":"link","attrs":{"href":"https://nostarch.com/packetanalysis3","title":null}}]}]}]}]},{"type":"hr","attrs":{"markup":"---"}}]},"metadata":{"date":"2026-06-05","name":"analysis-tshark","tags":["packet-capture","network-analysis","forensics","tshark","wireshark","traffic-analysis"],"author":"@skillopedia","source":{"stars":336,"repo_name":"marketplace","origin_url":"https://github.com/aiskillstore/marketplace/blob/HEAD/skills/agentsecops/analysis-tshark/SKILL.md","repo_owner":"aiskillstore","body_sha256":"92241e1e698d102e60cb55ee5cf0846edf800119de8d042c3a374f9b5fe41ea3","cluster_key":"88c7d3a713cb4d7b49e57eef1a0e9c326bf8b2b77779e285d5f69838d1f033b3","clean_bundle":{"format":"clean-skill-bundle-v1","source":"aiskillstore/marketplace/skills/agentsecops/analysis-tshark/SKILL.md","attachments":[{"id":"5bb78b12-9611-5fa0-aae3-55473b699ce2","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/5bb78b12-9611-5fa0-aae3-55473b699ce2/attachment.yml","path":"assets/ci-config-template.yml","size":11105,"sha256":"0fc554799a0e03a44883990f208f2a428f3c1e70eed1a9bcfbc01e728962b91e","contentType":"application/yaml; charset=utf-8"},{"id":"11682251-6a03-5738-a048-505014d87b89","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/11682251-6a03-5738-a048-505014d87b89/attachment.yaml","path":"assets/rule-template.yaml","size":11044,"sha256":"cb228a390bcd3745cafb1783c6337d9106ae179e853935ae19c90caac10a0497","contentType":"application/yaml; charset=utf-8"},{"id":"a04da262-a1d0-536c-8774-1390f9239cfb","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/a04da262-a1d0-536c-8774-1390f9239cfb/attachment.md","path":"references/EXAMPLE.md","size":15672,"sha256":"d830809dec44c82770c5ef0fe12831754f113931dc739891a1ec8186aefc629f","contentType":"text/markdown; 
charset=utf-8"},{"id":"6df4095b-2a1e-5710-a788-1ec76426a41a","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/6df4095b-2a1e-5710-a788-1ec76426a41a/attachment.md","path":"references/WORKFLOW_CHECKLIST.md","size":8390,"sha256":"f667c8d5c6e5c50b491643d644082ff202a6bb94476e0e7b648c6d0e5c8a080f","contentType":"text/markdown; charset=utf-8"},{"id":"5f7f1c1f-f881-59dc-9fd0-4781916bdfc3","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/5f7f1c1f-f881-59dc-9fd0-4781916bdfc3/attachment.json","path":"skill-report.json","size":37522,"sha256":"0d95ec60defb0472a469e6056b3ee097acc36bb2a6d2b8d16ee60026d772a353","contentType":"application/json; charset=utf-8"}],"bundle_sha256":"bd48af444d032cdc792bceda9636abbeed3d47af302cee1ab36fecc8956ecaaf","attachment_count":5,"text_attachments":5,"attachment_storage":"skillopedia-attachments-v1","binary_attachments":0,"excluded_attachments":[]},"cluster_size":1,"skill_md_path":"skills/agentsecops/analysis-tshark/SKILL.md","import_metadata":{"date":"2026-06-05","author":"@skillopedia","version":"v1","category":"security","category_label":"Security"},"exact_dupes_collapsed_into_this":0},"version":"v1","category":"security","frameworks":["MITRE-ATT&CK","NIST"],"import_tag":"clean-skills-v1","maintainer":"[email protected]","references":["https://www.wireshark.org/docs/man-pages/tshark.html","https://wiki.wireshark.org/DisplayFilters","https://attack.mitre.org/techniques/T1040/"],"description":"Network protocol analyzer and packet capture tool for traffic analysis, security investigations, and forensic examination using Wireshark's command-line interface. 
Use when: (1) Analyzing network traffic for security incidents and malware detection, (2) Capturing and filtering packets for forensic analysis, (3) Extracting credentials and sensitive data from network captures, (4) Investigating network anomalies and attack patterns, (5) Validating encryption and security controls, (6) Performing protocol analysis for vulnerability research.\n","dependencies":{"tools":["tcpdump","python3"],"packages":["tshark","wireshark"]}}},"renderedAt":1782980456847}