name: pcap-analyzer description: Analyze PCAP/PCAPNG files with tshark and produce a structured network-forensics summary (talkers, ports, DNS, TLS, HTTP, anomalies). homepage: https://www.wireshark.org/docs/man-pages/tshark.html metadata: { "openclaw": { "emoji": "🦈", "requires": { "bins": ["tshark", "awk", "sed"], "files": ["/home/tom/openclaw-tools/pcap_summary.sh"] }, "notes": [ "This skill runs local analysis only. It does not exfiltrate the PCAP.", "Prefer read-only access; do not modify user files." ] } }
PCAP Analyzer (tshark)
This skill turns packet captures into a practical report a human can act on. It is designed for lab work, incident triage, and CPENT-style exercises.
What it produces
A structured report with:
- Capture metadata: file type, size, first/last timestamp (if available)
- Top talkers: endpoints by packets/bytes (IPv4/IPv6 when present)
- Conversations: top TCP/UDP conversations
- Service/port view: top TCP/UDP destination ports
- DNS: most common queried names + suspicious patterns (DGA-ish, long labels)
- TLS: SNI / Server Name and common JA3-like fingerprints when present (best-effort)
- HTTP: host headers / URLs when present (best-effort, only if decrypted/plain)
- Anomalies (best-effort heuristics):
- SYN-only scans / high SYN rate
- excessive RSTs
- retransmission bursts
- rare destination ports
- single host contacting many unique hosts (beaconing-like)
Inputs
You must provide:
pcap_path: Full path to a.pcapor.pcapngfile on this machine.
Optional:
focus_host: IP to focus on (filters summaries around that host)time_window: A display filter time window if user specifies (best-effort guidance only)
How to run (terminal)
{baseDir}/scripts/analyze.sh "/full/path/to/capture.pcapng"