PCAP Analyzer

Analyze local PCAP/PCAPNG files with tshark to generate detailed network forensics reports including talkers, ports, DNS, TLS, HTTP, and anomaly summaries.

v0.1.0

Description

name: pcap-analyzer
description: Analyze PCAP/PCAPNG files with tshark and produce a structured network-forensics summary (talkers, ports, DNS, TLS, HTTP, anomalies).
homepage: https://www.wireshark.org/docs/man-pages/tshark.html
metadata: {
  "openclaw": {
    "emoji": "🦈",
    "requires": {
      "bins": ["tshark", "awk", "sed"],
      "files": ["/home/tom/openclaw-tools/pcap_summary.sh"]
    },
    "notes": [
      "This skill runs local analysis only. It does not exfiltrate the PCAP.",
      "Prefer read-only access; do not modify user files."
    ]
  }
}

PCAP Analyzer (tshark)

This skill turns packet captures into a practical report a human can act on. It is designed for lab work, incident triage, and CPENT-style exercises.

What it produces

A structured report with:

  • Capture metadata: file type, size, first/last timestamp (if available)
  • Top talkers: endpoints by packets/bytes (IPv4/IPv6 when present)
  • Conversations: top TCP/UDP conversations
  • Service/port view: top TCP/UDP destination ports
  • DNS: most common queried names + suspicious patterns (DGA-ish, long labels)
  • TLS: SNI / Server Name and common JA3-like fingerprints when present (best-effort)
  • HTTP: host headers / URLs when present (best-effort, only if decrypted/plain)
  • Anomalies (best-effort heuristics):
    • SYN-only scans / high SYN rate
    • excessive RSTs
    • retransmission bursts
    • rare destination ports
    • single host contacting many unique hosts (beaconing-like)
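The SYN-only-scan and DGA-ish DNS heuristics from the anomaly list above, worked through as an added example (not the skill's own pcap_summary.sh or analyze.sh): it runs over constructed lines in the tab-separated format `tshark -T fields` emits for the listed fields, so the packet data, the thresholds (10 targets, 15-character labels, 3.0 bits of entropy) and the entropy test are assumptions chosen for illustration.

```python
import math
from collections import defaultdict
# Field order of the tshark command the sample mimics:
#   tshark -r capture.pcapng -T fields -E separator=/t -e ip.src -e ip.dst \
#          -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack -e dns.qry.name
FIELDS = ["ip.src", "ip.dst", "tcp.dstport", "tcp.flags.syn", "tcp.flags.ack", "dns.qry.name"]

# Constructed sample: 10.0.0.5 sends bare SYNs to 25 ports on one host (scan-like);
# 10.0.0.9 completes a normal handshake and makes two DNS queries, one DGA-looking.
SAMPLE = "\n".join(
    [f"10.0.0.5\t10.0.0.20\t{port}\t1\t0\t" for port in range(20, 45)]
    + ["10.0.0.9\t10.0.0.20\t443\t1\t0\t",
       "10.0.0.20\t10.0.0.9\t51000\t1\t1\t",
       "10.0.0.9\t10.0.0.53\t\t\t\twww.example.com",
       "10.0.0.9\t10.0.0.53\t\t\t\tq7x9vz2k1mw8rj4tlp3n.example.net"]
)

def parse(text):
    """Turn tab-separated tshark field output into one dict per packet."""
    return [dict(zip(FIELDS, line.split("\t"))) for line in text.splitlines() if line.strip()]

def is_set(flag):
    # tshark prints booleans as 1/0 in older releases and True/False in newer ones
    return flag in ("1", "True")

def syn_scanners(rows, min_targets=10):
    """Sources that sent SYN-only segments to >= min_targets distinct host:port pairs."""
    targets = defaultdict(set)
    for r in rows:
        if is_set(r["tcp.flags.syn"]) and not is_set(r["tcp.flags.ack"]):
            targets[r["ip.src"]].add((r["ip.dst"], r["tcp.dstport"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}

def shannon_entropy(s):
    """Bits per character; random-looking labels score high, dictionary words low."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def suspicious_dns(rows, max_label=15, min_entropy=3.0):
    """Query names whose longest label is unusually long or high-entropy (DGA-ish)."""
    hits = []
    for name in (r["dns.qry.name"] for r in rows if r["dns.qry.name"]):
        label = max(name.split("."), key=len)
        if len(label) > max_label or (label and shannon_entropy(label) >= min_entropy):
            hits.append(name)
    return hits

if __name__ == "__main__":
    rows = parse(SAMPLE)
    print("SYN-only scanners:", syn_scanners(rows))
    print("Suspicious DNS names:", suspicious_dns(rows))
```

On a real capture, pipe the tshark command from the comment into `parse()` instead of SAMPLE; the same two functions then feed the SYN-scan and DNS sections of the report.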

Inputs

You must provide:

  • pcap_path: Full path to a .pcap or .pcapng file on this machine.

Optional:

  • focus_host: IP to focus on (filters summaries around that host)
  • time_window: A display-filter time window, if the user specifies one (best-effort guidance only)

How to run (terminal)

{baseDir}/scripts/analyze.sh "/full/path/to/capture.pcapng"

Pricing

Free