# Analyze Network Captures with TShark

Network investigations require fast packet filtering, protocol inspection, and careful evidence handling. This skill guides authorized TShark workflows for capture analysis, forensic extraction, and incident response reporting.

## Install

```bash
npx skillstore add agentsecops/analysis-tshark
```

## Metadata

- Slug: agentsecops-analysis-tshark
- Version: 0.1.0
- Author: AgentSecOps
- GitHub username: AgentSecOps
- License: MIT
- Repository: https://github.com/AgentSecOps/SecOpsAgentKit/tree/main/skills/offsec/analysis-tshark
- Ref: main
- Supported tools: Claude, Codex, Claude Code
- Risk level: high
- Risk factors: external_commands, network, filesystem, env_access, scripts
- Quality score: 38
- Quality tier: warning
- Public page: https://skillstore.pages.dev/skills/agentsecops-analysis-tshark
- Manifest: https://skillstore.pages.dev/api/skills/agentsecops-analysis-tshark/manifest

## Capabilities

- Guide live packet capture with TShark interface, duration, count, and ring buffer options.
- Apply capture and display filters for HTTP, DNS, TLS, SMB, FTP, and wireless traffic.
- Extract indicators, protocol fields, files, and timelines from existing packet captures.
- Support incident response workflows for beaconing, port scanning, and data transfer analysis.
- Document legal, privacy, retention, and chain-of-custody considerations for packet captures.

## Use Cases

- Triage Suspicious Traffic: Filter a capture for beaconing, unusual DNS queries, large uploads, and suspicious user agents.
- Reconstruct Forensic Evidence: Extract timelines, conversations, protocol fields, and files from a packet capture during an investigation.
- Validate Network Controls: Check whether sensitive protocols, weak TLS settings, or plaintext credentials appear on approved test networks.
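The triage workflow above (bounded capture, `-T fields` extraction, then beaconing and port-scan analysis) as an added example for this page; it is not code from the AgentSecOps skill or from Wireshark. `build_capture_cmd()` and `build_fields_cmd()` emit real tshark argv (`-i`, `-f`, `-a duration:`, `-b`, `-w`, `-r`, `-Y`, `-T fields`, `-E`, `-e`), while `SAMPLE_TSV` is a constructed imitation of the `-T fields` output so the analysis runs offline without a capture or a tshark install. The thresholds (`min_events`, `max_cv`, `min_ports`), the hosts and ports in the sample, and the handling of booleans as either `1/0` or `True/False` are assumptions made for the example.

```python
"""Triage tshark -T fields output for beaconing, unanswered SYNs and port probes.

Added example for this page, not code from the AgentSecOps skill or Wireshark.
build_capture_cmd() and build_fields_cmd() emit real tshark argv; SAMPLE_TSV is
constructed to mimic -T fields output so the analysis runs offline. The
thresholds (min_events, max_cv, min_ports) are illustrative, not tuned values.
"""
import statistics
from collections import defaultdict

FIELDS = ["frame.time_epoch", "ip.src", "ip.dst", "tcp.srcport", "tcp.dstport",
          "tcp.flags.syn", "tcp.flags.ack"]
SYN_FILTER = "tcp.flags.syn == 1"   # connection attempts and their SYN/ACK replies

def build_capture_cmd(iface, outfile, bpf="not port 22", seconds=60, ring_files=5):
    """argv for a bounded live capture: BPF filter, duration stop, ring buffer."""
    return ["tshark", "-i", iface, "-f", bpf, "-a", f"duration:{seconds}",
            "-b", "filesize:100000", "-b", f"files:{ring_files}", "-w", outfile]

def build_fields_cmd(pcap, display_filter=SYN_FILTER, fields=FIELDS):
    """argv that prints one tab-separated row per packet matching the display filter."""
    cmd = ["tshark", "-r", pcap, "-Y", display_filter, "-T", "fields",
           "-E", "separator=/t", "-E", "occurrence=f"]
    for field in fields:
        cmd += ["-e", field]
    return cmd

def _flag(value):
    # tshark prints booleans as 1/0 in older releases and True/False in newer ones
    return value.strip() in ("1", "True", "true")

def parse_rows(text, fields=FIELDS):
    """One dict per packet from tab-separated tshark output; absent fields are ''."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            cols = line.split("\t") + [""] * len(fields)
            rows.append(dict(zip(fields, cols)))
    return rows

def find_beacons(rows, min_events=5, max_cv=0.1):
    """(src, dst, port) flows whose SYN gaps are near-constant (pstdev/mean <= max_cv)."""
    times = defaultdict(list)
    for r in rows:
        if _flag(r["tcp.flags.syn"]) and not _flag(r["tcp.flags.ack"]):
            key = (r["ip.src"], r["ip.dst"], r["tcp.dstport"])
            times[key].append(float(r["frame.time_epoch"]))
    hits = []
    for key, ts in times.items():
        if len(ts) < min_events:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            hits.append((key, round(mean, 1)))
    return sorted(hits)

def unanswered_syns(rows):
    """(src, dst, port) -> SYN count for attempts that never received a SYN/ACK."""
    attempts, answered = defaultdict(int), set()
    for r in rows:
        syn, ack = _flag(r["tcp.flags.syn"]), _flag(r["tcp.flags.ack"])
        if syn and not ack:
            attempts[(r["ip.src"], r["ip.dst"], r["tcp.dstport"])] += 1
        elif syn and ack:   # reply runs dst->src from the server port
            answered.add((r["ip.dst"], r["ip.src"], r["tcp.srcport"]))
    return {k: n for k, n in attempts.items() if k not in answered}

def scan_suspects(rows, min_ports=3):
    """(src, dst) pairs with unanswered SYNs to at least min_ports distinct ports."""
    probed = defaultdict(set)
    for src, dst, port in unanswered_syns(rows):
        probed[(src, dst)].add(int(port))
    return {k: sorted(v) for k, v in probed.items() if len(v) >= min_ports}

def _row(t, src, sport, dst, dport, syn, ack):
    return "\t".join([f"{t:.3f}", src, dst, str(sport), str(dport), syn, ack])

# Constructed sample in FIELDS order: a 60 s beacon to 203.0.113.7:443 (answered),
# irregular browsing to 198.51.100.10:443 (answered), four unanswered probes by 10.0.0.9.
_lines = []
for srv, base, offsets in [("203.0.113.7", 51000, [0.0, 60.2, 120.1, 180.3, 239.9, 300.0]),
                           ("198.51.100.10", 52000, [5.0, 12.0, 90.0, 95.0, 250.0])]:
    for i, off in enumerate(offsets):
        t = 1700000000.0 + off
        _lines.append(_row(t, "10.0.0.5", base + i, srv, 443, "1", "0"))
        _lines.append(_row(t + 0.05, srv, 443, "10.0.0.5", base + i, "1", "1"))
for i, port in enumerate([22, 23, 445, 3389]):
    _lines.append(_row(1700000100.0 + i, "10.0.0.9", 40000 + i, "10.0.0.1", port, "1", "0"))
SAMPLE_TSV = "\n".join(_lines)

if __name__ == "__main__":
    import subprocess, sys
    # With an authorized pcap as argv[1], run tshark for real; otherwise use the sample.
    text = SAMPLE_TSV if len(sys.argv) < 2 else subprocess.run(
        build_fields_cmd(sys.argv[1]), check=True, capture_output=True, text=True).stdout
    rows = parse_rows(text)
    print("beacons:", find_beacons(rows))
    print("scan suspects:", scan_suspects(rows))
```

Run it with no arguments to see the sample flagged (the 60 s beacon and the four-port probe from 10.0.0.9), or pass the path of an authorized capture to have it invoke tshark and analyse that instead. Extracting only the fields you need with `-e`, rather than dumping full packets, is also the cheapest way to honour the data-minimisation advice later on this page: the payloads never leave the pcap.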

## Prompt Templates

### Inspect a Capture

```
I have an authorized packet capture named capture.pcap. Help me inspect protocols, top endpoints, and unusual traffic with TShark.
```

### Build Display Filters

```
Create TShark display filters for DNS, HTTP, TLS handshakes, and failed TCP connections in an authorized investigation.
```

### Extract Incident Indicators

```
Given a packet capture from an approved incident response case, guide me through extracting IPs, domains, user agents, and suspicious transfers.
```

### Design a Forensic Workflow

```
Design a defensible TShark workflow for preserving evidence, minimizing sensitive data exposure, extracting artifacts, and documenting findings.
```

## Limitations

- Requires local TShark or Wireshark tooling and appropriate packet capture permissions.
- Cannot determine whether a capture is legally authorized without user-provided scope.
- May expose credentials, personal data, and private communications in packet captures.
- Does not replace specialized malware analysis, SIEM correlation, or legal review.

## Best Practices

- Confirm written authorization, scope, retention, and privacy requirements before capturing traffic.
- Use narrow filters, short capture windows, and encrypted storage to reduce sensitive data exposure.
- Redact credentials, personal data, and private payloads before sharing analysis results.

## Anti Patterns

- Capturing traffic on networks, interfaces, or devices outside the approved investigation scope.
- Extracting or sharing credentials from packet captures without a documented forensic need.
- Running copied shell pipelines or remote installers without review and version pinning.

## Security Audit

- Safe to publish: false
- Audited at: 2026-06-28T06:07:59.466+00:00
- Summary: Static findings are mostly documentation and template examples, but the core skill intentionally provides privileged packet capture, credential extraction, and TLS decryption workflows. No prompt injection or covert exfiltration was found, so this is not blocked as malicious. The dual-use credential and network interception capabilities make it unsuitable for publication without strong gating and authorization controls.

## Stats

- Views: 331
- Downloads: 7
- Favorites: 1
- Popularity score: 0
