Files
Anthropic-Cybersecurity-Skills/skills/analyzing-network-traffic-of-malware/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

2.9 KiB

API Reference: Malware Network Traffic Analysis

dpkt - Python Packet Parsing

PCAP Reading

import dpkt
with open("malware.pcap", "rb") as f:
    pcap = dpkt.pcap.Reader(f)
    for ts, buf in pcap:
        eth = dpkt.ethernet.Ethernet(buf)
        ip = eth.data
        tcp = ip.data

HTTP Parsing

http_req = dpkt.http.Request(tcp.data)
http_req.method       # GET, POST
http_req.uri          # Request URI
http_req.headers      # Header dict
http_req.body         # POST body

http_resp = dpkt.http.Response(tcp.data)
http_resp.status      # Status code
http_resp.body        # Response body

IP Address Conversion

dpkt.utils.inet_to_str(ip.src)    # bytes -> "1.2.3.4"
dpkt.utils.inet_aton("1.2.3.4")   # "1.2.3.4" -> bytes

Wireshark Display Filters for Malware

C2 Detection

http.request.method == "POST" && http.content_length > 0
tls.handshake.type == 1                   # TLS Client Hello
tcp.flags.syn == 1 && tcp.flags.ack == 0  # New connections
dns.qry.type == 16                        # TXT records

Payload Analysis

tcp.payload contains "MZ"                 # PE downloads
http.response.code == 200 && http.content_type contains "octet"
frame.len > 1400                          # Large packets

tshark - Field Extraction

HTTP Requests

tshark -r malware.pcap -Y "http.request" -T fields \
  -e http.request.method -e http.host -e http.request.uri \
  -e http.user_agent -e http.content_length

TLS/JA3 Fingerprinting

tshark -r malware.pcap -Y "tls.handshake.type==1" -T fields \
  -e ip.src -e ip.dst -e tls.handshake.ja3

DNS Queries

tshark -r malware.pcap -Y "dns.qr==0" -T fields \
  -e ip.src -e dns.qry.name -e dns.qry.type

Stream Follow

tshark -r malware.pcap -z follow,tcp,ascii,0
tshark -r malware.pcap -z follow,http,ascii,0

Suricata Rule Syntax

HTTP Rules

alert http $HOME_NET any -> $EXTERNAL_NET any (
  msg:"MALWARE C2 Beacon";
  flow:established,to_server;
  http.method; content:"POST";
  http.uri; content:"/gate.php";
  sid:9000001; rev:1;
)

DNS Rules

alert dns $HOME_NET any -> any any (
  msg:"MALWARE DNS Tunneling";
  dns.query; pcre:"/^[a-z0-9]{20,}\./";
  threshold:type threshold, track by_src, count 10, seconds 60;
  sid:9000002; rev:1;
)

TLS Rules

alert tls $HOME_NET any -> $EXTERNAL_NET any (
  msg:"MALWARE JA3 Match";
  ja3.hash; content:"a0e9f5d64349fb13191bc781f81f42e1";
  sid:9000003; rev:1;
)

RITA - Beacon Analysis

Syntax

rita import zeek_logs dataset_name
rita analyze dataset_name
rita show-beacons dataset_name
rita show-long-connections dataset_name
rita show-dns-fqdn-lengths dataset_name

NetworkMiner

CLI Syntax

NetworkMiner --inputfile malware.pcap --outputdir /tmp/extracted

Extracts files, sessions, credentials, DNS from PCAP