PCAP Analyzer

Analyze local PCAP/PCAPNG files with tshark to generate detailed network forensics reports including talkers, ports, DNS, TLS, HTTP, and anomaly summaries.
Author: marposins
Data Analysis · clawhub · v0.1.0 · 1 version · 99835 · Key: not required
Stars: 0 · Downloads: 1,210 · Installs: 30 · Versions: 1

Overview

name: pcap-analyzer
description: Analyze PCAP/PCAPNG files with tshark and produce a structured network-forensics summary (talkers, ports, DNS, TLS, HTTP, anomalies).
homepage: https://www.wireshark.org/docs/man-pages/tshark.html
metadata:
  {
    "openclaw": {
      "emoji": "🦈",
      "requires": {
        "bins": ["tshark", "awk", "sed"],
        "files": ["/home/tom/openclaw-tools/pcap_summary.sh"]
      },
      "notes": [
        "This skill runs local analysis only. It does not exfiltrate the PCAP.",
        "Prefer read-only access; do not modify user files."
      ]
    }
  }


PCAP Analyzer (tshark)

This skill turns packet captures into a practical report a human can act on. It is designed for lab work, incident triage, and CPENT-style exercises.

What it produces

A structured report with:

  • Capture metadata: file type, size, first/last timestamp (if available)
  • Top talkers: endpoints by packets/bytes (IPv4/IPv6 when present)
  • Conversations: top TCP/UDP conversations
  • Service/port view: top TCP/UDP destination ports
  • DNS: most common queried names, plus suspicious patterns (DGA-like names, unusually long labels)
  • TLS: SNI / Server Name and common JA3-like fingerprints when present (best-effort)
  • HTTP: Host headers / URLs when present (best-effort; only plaintext HTTP, or TLS that tshark can decrypt)
  • Anomalies (best-effort heuristics):
      • SYN-only scans / high SYN rate
      • excessive RSTs
      • retransmission bursts
      • rare destination ports
      • a single host contacting many unique hosts (beaconing-like)

Inputs

You must provide:

  • pcap_path: Full path to a .pcap or .pcapng file on this machine.

Optional:

  • focus_host: an IP address to focus on (summaries are filtered around that host)
  • time_window: a time range the user specifies, applied as a display filter (best-effort guidance only)

How to run (terminal)

  {baseDir}/scripts/analyze.sh "/full/path/to/capture.pcapng"

Note that the metadata above declares the required file as /home/tom/openclaw-tools/pcap_summary.sh, an absolute path on the author's machine, while this command invokes {baseDir}/scripts/analyze.sh under the skill's own directory. Confirm which script is actually installed before relying on the "requires" check, and give it read-only access to the capture, as the skill's notes recommend.
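As an added example (not the skill's own pcap_summary.sh or analyze.sh), here is a minimal POSIX shell script in the same tshark-plus-awk style that produces several of the report sections listed above (capture metadata, top talkers, top destination ports, DNS names, TLS SNI) and implements three of the anomaly heuristics: SYN-only scanning, fan-out from one host to many unique hosts, and suspicious DNS names. The tshark display-filter fields and -z statistics are standard; the thresholds (20 SYN targets, 50 destination hosts, 24-character labels, 30% digits) and the output format are assumptions to tune per environment. The extract_* functions need tshark; the *_check functions are pure awk over tab-separated rows, so they can be exercised on constructed input without a capture.

```shell
#!/bin/sh
# Added example, not the skill's own script: a tshark + awk summarizer in the
# style described above. Field names and -z statistics are standard tshark ones;
# the thresholds are assumed defaults, not values from the skill.
set -eu

# --- extraction (needs tshark); each emits tab-separated rows on stdout ------

# src<TAB>dst<TAB>dport for every SYN-only segment (connection attempts)
extract_syn_only() {
  tshark -r "$1" -Y 'tcp.flags.syn==1 && tcp.flags.ack==0' \
    -T fields -E separator=/t -e ip.src -e ip.dst -e tcp.dstport
}

# src<TAB>qname for every DNS query
extract_dns_queries() {
  tshark -r "$1" -Y 'dns.flags.response==0' \
    -T fields -E separator=/t -e ip.src -e dns.qry.name
}

# src<TAB>dst<TAB>sni for every TLS ClientHello carrying an SNI
extract_tls_sni() {
  tshark -r "$1" -Y 'tls.handshake.type==1 && tls.handshake.extensions_server_name' \
    -T fields -E separator=/t -e ip.src -e ip.dst -e tls.handshake.extensions_server_name
}

# --- heuristics (pure awk over the rows above; thresholds are assumptions) ----

# A source whose SYN-only segments reach >= $1 distinct dst:port pairs
syn_scan_check() {
  awk -F'\t' -v thr="${1:-20}" '
    { seen[$1 SUBSEP $2 ":" $3] = 1 }
    END {
      for (k in seen) { split(k, p, SUBSEP); n[p[1]]++ }
      for (s in n) if (n[s] >= thr)
        printf "SYN-SCAN\t%s\t%d distinct dst:port targets\n", s, n[s]
    }' | sort
}

# A source talking to >= $1 distinct destination hosts (beaconing / sweep-like).
# Reads src<TAB>dst rows; extra columns are ignored.
fanout_check() {
  awk -F'\t' -v thr="${1:-50}" '
    { seen[$1 SUBSEP $2] = 1 }
    END {
      for (k in seen) { split(k, p, SUBSEP); n[p[1]]++ }
      for (s in n) if (n[s] >= thr)
        printf "FANOUT\t%s\t%d distinct destination hosts\n", s, n[s]
    }' | sort
}

# DNS names with a label of >= $1 chars, or (for names of 12+ chars) with 30%+
# digits: crude DGA / tunnelling indicators, to be read alongside the top names
dns_suspicious_check() {
  awk -F'\t' -v maxlabel="${1:-24}" '
    {
      name = $2; flag = ""
      n = split(name, lab, ".")
      for (i = 1; i <= n; i++) if (length(lab[i]) >= maxlabel) flag = "long-label"
      body = name; gsub(/\./, "", body)
      digits = body; gsub(/[^0-9]/, "", digits)
      if (flag == "" && length(body) >= 12 && length(digits) / length(body) >= 0.3)
        flag = "digit-heavy"
      if (flag != "") printf "DNS\t%s\t%s\t%s\n", flag, $1, name
    }' | sort -u
}

# --- report ------------------------------------------------------------------

report() {
  printf '== Capture: %s ==\n' "$1"
  tshark -r "$1" -T fields -e frame.time_epoch |
    awk 'NR == 1 { first = $1 } { last = $1 } END { print "packets:", NR, "first:", first, "last:", last }'
  printf '\n== Top talkers (IP endpoints) ==\n'
  tshark -r "$1" -q -z endpoints,ip | head -n 15
  printf '\n== Top TCP destination ports ==\n'
  tshark -r "$1" -Y tcp -T fields -e tcp.dstport | sort | uniq -c | sort -rn | head -n 10
  printf '\n== Top DNS names ==\n'
  extract_dns_queries "$1" | cut -f2 | sort | uniq -c | sort -rn | head -n 10
  printf '\n== TLS SNI ==\n'
  extract_tls_sni "$1" | cut -f3 | sort | uniq -c | sort -rn | head -n 10
  printf '\n== Anomalies ==\n'
  extract_syn_only "$1" | syn_scan_check 20
  tshark -r "$1" -Y ip -T fields -E separator=/t -e ip.src -e ip.dst | fanout_check 50
  extract_dns_queries "$1" | dns_suspicious_check 24
}

# Usage: ./pcap_report.sh /full/path/to/capture.pcapng
if [ $# -ge 1 ]; then report "$1"; fi
```

The extraction and the heuristics are kept separate on purpose: tshark does the parsing once per section with a display filter that already encodes the packet-level condition (SYN without ACK, query rather than response, ClientHello with SNI), and the awk stages only count distinct keys, so each heuristic can be rerun with a different threshold, or fed rows from another capture tool, without re-reading the PCAP.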


Version history

1 version in total

  • v0.1.0 (current)
    2026-03-29 06:49   safe   safe

Security scans

Tencent Cloud Security (Keen)

Safe, no risk

Tencent Cloud Security (Sanbu)

Safe, no risk
