creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-14 15:04:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/performing-network-traffic-analysis-with-tshark/references/api-reference.md
T

2.1 KiB
Raw Blame History

Network Traffic Analysis with TShark API Reference

TShark CLI Commands

# Protocol hierarchy statistics
tshark -r capture.pcap -q -z io,phs

# IP conversations
tshark -r capture.pcap -q -z conv,ip

# TCP conversations
tshark -r capture.pcap -q -z conv,tcp

# Extract specific fields
tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport

# DNS query extraction
tshark -r capture.pcap -Y "dns.qry.name" -T fields -e dns.qry.name -e dns.qry.type

# HTTP requests
tshark -r capture.pcap -Y "http.request" -T fields -e http.host -e http.request.uri

# SYN-only packets (port scan detection)
tshark -r capture.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" \
  -T fields -e ip.src -e ip.dst -e tcp.dstport

# Follow TCP stream
tshark -r capture.pcap -z follow,tcp,ascii,0

# Export objects (HTTP files)
tshark -r capture.pcap --export-objects http,/tmp/exported/

# Read live capture
tshark -i eth0 -c 1000 -w output.pcap

PyShark Python API

import pyshark

# Read PCAP file
cap = pyshark.FileCapture("capture.pcap")
for pkt in cap:
    print(pkt.ip.src, pkt.ip.dst)

# Live capture with display filter
cap = pyshark.LiveCapture(interface="eth0", display_filter="http")
cap.sniff(timeout=30)

# Access packet layers
for pkt in cap:
    if hasattr(pkt, "dns"):
        print(pkt.dns.qry_name)
    if hasattr(pkt, "http"):
        print(pkt.http.host, pkt.http.request_uri)

# BPF capture filter
cap = pyshark.LiveCapture(interface="eth0", bpf_filter="port 53")

Common Display Filters

Filter Purpose
dns.qry.name DNS queries
http.request HTTP requests
tcp.flags.syn==1 && tcp.flags.ack==0 SYN scans
tls.handshake.type==1 TLS Client Hello
ip.addr==10.0.0.1 Traffic to/from IP
tcp.analysis.retransmission Retransmissions
frame.len > 1400 Large frames

Output Formats

# JSON output
tshark -r capture.pcap -T json > output.json

# CSV-style fields
tshark -r capture.pcap -T fields -E separator=, -e ip.src -e ip.dst

# PDML (XML)
tshark -r capture.pcap -T pdml > output.xml
Reference in New Issue View Git Blame Copy Permalink