PCAP Triage Guide

David Hoenisch

Introduction

This guide outlines a systematic approach to analyzing packet

Initial Triage Questions

  • [ ] What is the time range of the capture?
  • [ ] What prompted this PCAP analysis (alert, incident, routine monitoring)?
  • [ ] Do we have any initial indicators or IOCs to search for?
  • [ ] What is the scope of systems/networks captured?
  • [ ] Are there any known compromised hosts or suspicious IPs?

Phase 1: Quick Statistics

  • [ ] Total packet count and capture duration
  • [ ] Top talkers (source/destination IPs)
  • [ ] Protocol distribution
  • [ ] Port distribution
  • [ ] Geographic distribution of external IPs
  • [ ] Unusual or unexpected protocols
  • [ ] Traffic spikes or anomalies

Phase 2: Connection Analysis

  • [ ] Map internal to external communications
  • [ ] Identify long-duration connections
  • [ ] Look for:
    • [ ] Beaconing patterns
    • [ ] Irregular timing patterns
    • [ ] Abnormal data transfer volumes
    • [ ] Suspicious port usage
    • [ ] Connection attempts to multiple hosts
    • [ ] Failed connection attempts

Phase 3: Protocol Deep Dive

DNS Analysis

  • [ ] Check for:
    • [ ] Domain generation algorithms (DGA): look for domain names with high entropy
    • [ ] DNS tunneling indicators
    • [ ] Suspicious TLDs
    • [ ] High-volume requestors
    • [ ] DNS queries with no responses
    • [ ] Unusual record types
    • [ ] Domain reputation checks
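The beaconing check from Phase 2 and the DGA entropy check above, as an added Python example that is not part of the original guide: it scores the second-level label of each DNS query by Shannon entropy and flags host pairs whose connection inter-arrival gaps are nearly constant. The sample rows, the 3.5-bit entropy threshold and the 0.1 coefficient-of-variation cutoff are constructed assumptions to tune against your own baseline.

```python
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample rows shaped like Zeek dns.log / conn.log records (only the fields used below), not real data.
DNS_ROWS = [
    {"id.orig_h": "10.0.0.5", "query": "www.example.com"},
    {"id.orig_h": "10.0.0.5", "query": "mail.example.org"},
    {"id.orig_h": "10.0.0.7", "query": "x7qk3vz9p1lm4wbt.net"},
    {"id.orig_h": "10.0.0.7", "query": "k2r8ws0yq5hz1nvp.com"},
]
CONN_ROWS = [  # 10.0.0.7 -> 203.0.113.9:443 every ~60 s with 1 s of jitter (beacon-like)
    {"ts": 1000.0 + i * 60 + (i % 2), "id.orig_h": "10.0.0.7", "id.resp_h": "203.0.113.9", "id.resp_p": 443}
    for i in range(8)
] + [  # 10.0.0.5 -> 198.51.100.2:443 at irregular times (browsing-like)
    {"ts": t, "id.orig_h": "10.0.0.5", "id.resp_h": "198.51.100.2", "id.resp_p": 443}
    for t in (1000.0, 1003.0, 1090.0, 1400.0, 1401.0, 2200.0, 2205.0, 3100.0)
]

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking DGA labels score close to log2(len(s))."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def registered_label(fqdn: str) -> str:
    """Second-level label, the part a DGA randomises (the same split the Zed count-by-domain filter uses)."""
    parts = fqdn.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def flag_dga_queries(rows, threshold=3.5):
    """(client, query, entropy) for every query whose registered label exceeds the entropy threshold."""
    scored = ((r["id.orig_h"], r["query"], round(shannon_entropy(registered_label(r["query"])), 2)) for r in rows)
    return [hit for hit in scored if hit[2] > threshold]

def find_beacons(rows, min_conns=6, max_cv=0.1):
    """Group conns by (orig, resp, port) and flag pairs whose inter-arrival gaps are near-constant."""
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(r["ts"])
    beacons = []
    for pair, ts in by_pair.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) else float("inf")  # 0.0 = perfectly regular; bursts are excluded
        if cv <= max_cv:
            beacons.append((*pair, round(mean(gaps), 1), round(cv, 3)))
    return beacons
```

Run the two functions over rows exported from Zui or a Zeek `dns.log`/`conn.log` in JSON form; long-lived sessions that never reconnect will not show up here and need the Phase 2 duration check instead.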

HTTP/HTTPS Analysis

  • [ ] Examine:
    • [ ] User-Agent strings
    • [ ] Request/response patterns
    • [ ] File downloads
    • [ ] POST request content
    • [ ] Certificate information
    • [ ] Unusual headers
    • [ ] Command and control patterns

SMB/CIFS Analysis

  • [ ] Look for:
    • [ ] Unauthorized file access
    • [ ] Suspicious file transfers
    • [ ] Brute force attempts
    • [ ] Known exploits
    • [ ] Administrative share access

Phase 4: Payload Analysis

  • [ ] Extract files from streams
  • [ ] Look for:
    • [ ] Known malware signatures
    • [ ] Command strings
    • [ ] Encoded/encrypted data
    • [ ] Script content
    • [ ] Password or credential exposure
    • [ ] Data exfiltration patterns

Phase 5: Malware Behavior Indicators

  • [ ] Command and control:
    • [ ] Regular beaconing
    • [ ] Encoded commands
    • [ ] Known C2 protocols
  • [ ] Lateral movement:
    • [ ] Port scanning
    • [ ] Exploitation attempts
    • [ ] Credential abuse
  • [ ] Data exfiltration:
    • [ ] Large outbound transfers
    • [ ] Unusual protocols
    • [ ] Encrypted tunnels

Common Tools and Commands

Wireshark Filters

# Basic filters
ip.addr == x.x.x.x
dns.qry.name contains "domain"
http.request.method == "POST"
tcp.flags.syn == 1 && tcp.flags.ack == 0

# Security-focused filters
http.user_agent contains "suspicious-string"
tls.handshake.type == 1
smb.cmd == 0x72

TShark Commands

# Top talkers
tshark -r capture.pcap -q -z endpoints,ip

# Protocol hierarchy
tshark -r capture.pcap -q -z io,phs

# Extract HTTP objects
tshark -r capture.pcap --export-objects http,./output/

Zui Filters

# Get available _paths
cut _path | sort | uniq | fuse

# Get all dns queries
_path == "dns" | cut query

# Count times a domain was queried
_path == "dns" | count() by domain:=join(split(query, ".")[-2:],".") | sort -r

# Search for files that were transferred over the network
filename!=null | cut _path, id.orig_h, id.resp_h, mime_type, filename, md5, sha1

# Get all events on a TCP connection
uid == "<id>" | fuse

# Filters and displays smb_files, smb_mapping and DCE_RPC activity
grep(smb*,_path) OR _path=="dce_rpc"

# Displays a list of the count of unique HTTP requests including source and destination
_path=="http" | cut id.orig_h, id.resp_h, id.resp_p, method, host, uri | uniq -c

# Displays a table showing all unique source:port:destination connections pairings
_path=="conn" | cut id.orig_h, id.resp_p, id.resp_h | sort | uniq

# Shows the connections between hosts, sorted by data received
_path=="conn" | put total_bytes := orig_bytes + resp_bytes | sort -r total_bytes | cut uid, id, orig_bytes, resp_bytes, total_bytes

# Displays a curated view of file data including md5 and sha1 for complete file transfers
filename!=null | cut _path, tx_hosts, rx_hosts, conn_uids, mime_type, filename, md5, sha1

# Displays all HTTP Post requests including the URI and HTTP status code
method=="POST" | cut ts, uid, id, method, uri, status_code

# Enumerates the classful networks for all destination IP addresses including count of connections
_path=="conn" | put classnet := network_of(id.resp_h) | cut classnet | count() by classnet | sort -r

# Shows all Suricata alert counts, grouped by category and severity
event_type=="alert" | count() by alert.severity,alert.category | sort count

# Shows all Suricata alert counts, grouped by signature
event_type=="alert" | count() by alert.signature | sort count

# Shows a list of Suricata alert categories, grouped by unique source and destination IP addresses
event_type=="alert" | alerts := union(alert.category) by src_ip, dest_ip

# Shows a list of Suricata alert signatures, grouped by unique source and destination IP addresses
event_type=="alert" | alerts := union(alert.signature) by src_ip, dest_ip

# Shows a list of Suricata alert categories, grouped by CIDR network
event_type=="alert" | alerts := union(alert.category) by network_of(dest_ip)

# Shows a list of Suricata alert signatures, grouped by CIDR network
event_type=="alert" | alerts := union(alert.signature) by network_of(dest_ip)

Chx

Homepage

# view help menu and all available commands
chx --help

Domain Lookup

chx domain alientvault example.com

File Hashing

chx hash vthash <hash>

IP Lookup

chx ip crowdsec 8.8.8.8

Pretty Print Results

The --format option formats the results of a search as markdown.

Input & Output

Chx strives to be POSIX "compliant" in that it works with

# Example chained workflow (the jq filter must be quoted, not backticked, or the shell runs it as a command)
cat dns_queries.json | jq -r '.[].sha1' | parallel chx hash vthash | jq -r ".data.attributes.last_analysis_results.ALYac.result"

Analysis Documentation

  • [ ] Timeline of significant events
  • [ ] List of suspicious indicators
  • [ ] Evidence of compromise
  • [ ] Affected systems and scope
  • [ ] Recommendations for response
  • [ ] Supporting packet/stream excerpts

Red Flags Checklist

  • [ ] Unexpected external connections
  • [ ] Unusual protocol behavior
  • [ ] Known malicious indicators
  • [ ] Data packaging/encoding
  • [ ] Irregular timing patterns
  • [ ] Suspicious file transfers
  • [ ] Command execution attempts
  • [ ] Credential exposure
  • [ ] Known exploit patterns
  • [ ] Evasion techniques

Questions to Answer During Analysis

  1. What is the initial infection vector?
  2. Which systems were compromised?
  3. What actions did the attacker take?
  4. Was data exfiltrated?
  5. Are there persistent access mechanisms?
  6. What is the full scope of the incident?
  7. Are there additional compromised systems?
  8. What remediation steps are needed?

Final Report Components

  • Executive Summary
  • Technical Timeline
  • Indicators of Compromise
  • Affected Systems
  • Attack Methodology
  • Data Impact Assessment
  • Evidence Preservation Notes
  • Remediation Recommendations
  • Prevention Suggestions