// evidence type

pcap / network capture

wireshark export · firewall pcap · IDS pull · netflow adjunct. reconstruct flows, extract creds, fingerprint C2 beacons — all from the capture file.

tools: 16 · priority: H · processing: local · in browser

start here · primary tools

ordered. work top-down. the first tool is the suggested entry point for this evidence type.

  1. pcap reader: drop a .pcap or .pcapng · parse packets · filter by protocol · extract HTTP · DNS · plaintext credentials · runs locally
  2. pcap / pcapng analyzer: drop a pcap or pcapng file · packet list · protocol breakdown · tcp stream reconstruction · dns queries · http requests · connection graph · runs locally
  3. PCAP network flow reconstructor: drop a pcap or pcapng file · parse all packets · reconstruct tcp and udp flows · compute flow statistics · surface top talkers, unusual ports and flow anomalies · runs locally
  4. netflow analyzer: drop netflow v5, v9 or ipfix exports · traffic patterns · top talkers · protocol distribution · geographic connections · runs locally
  5. zeek / bro log analyzer: drop zeek tsv logs (conn, dns, http, ssl, files, weird) · correlate across logs · connection timeline · ioc extraction · runs locally
  6. tls ja3 fingerprinter: drop a pcap file · extract tls client hellos · compute ja3 fingerprints · identify known clients and malware · database of known fingerprints · runs locally
  7. network beaconing detector: drop connection logs or a PCAP · statistical analysis of connection intervals per host · jitter detection · C2 beaconing patterns · periodic callback identification · export CSV · runs locally
  8. dns query analyzer: drop a PCAP or paste a DNS log · extract queries · detect DGA patterns · DNS tunneling · high-frequency domains · suspicious TLDs · export CSV · runs locally
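The beaconing detector above works on connection start times per (source, destination, port) triple: a scheduled C2 callback produces near-constant intervals, while a person's browsing does not. The following is an added example of that statistical check, not code from any of the listed tools. It runs over a constructed Zeek conn.log-style sample (tab-separated ts, orig host, resp host, resp port; not real capture data) and scores each flow's interval jitter as the coefficient of variation (standard deviation divided by the mean interval). The thresholds `max_jitter=0.15` and `min_connections=6` are assumptions for the sample, not published values.

```python
import statistics
from collections import defaultdict

# Constructed Zeek conn.log-style records (ts, orig host, resp host, resp port),
# not real capture data. 10.0.0.5 calls 203.0.113.10 roughly every 60 s with a
# few seconds of jitter; 10.0.0.9 reaches 198.51.100.7 at irregular intervals.
SAMPLE_CONN_LOG = """\
1700000000.0\t10.0.0.5\t203.0.113.10\t443
1700000061.5\t10.0.0.5\t203.0.113.10\t443
1700000119.8\t10.0.0.5\t203.0.113.10\t443
1700000181.2\t10.0.0.5\t203.0.113.10\t443
1700000239.9\t10.0.0.5\t203.0.113.10\t443
1700000301.0\t10.0.0.5\t203.0.113.10\t443
1700000358.7\t10.0.0.5\t203.0.113.10\t443
1700000421.3\t10.0.0.5\t203.0.113.10\t443
1700000003.0\t10.0.0.9\t198.51.100.7\t443
1700000010.0\t10.0.0.9\t198.51.100.7\t443
1700000200.0\t10.0.0.9\t198.51.100.7\t443
1700000230.0\t10.0.0.9\t198.51.100.7\t443
1700000900.0\t10.0.0.9\t198.51.100.7\t443
1700000905.0\t10.0.0.9\t198.51.100.7\t443
1700001400.0\t10.0.0.9\t198.51.100.7\t443
1700001402.0\t10.0.0.9\t198.51.100.7\t443
"""


def parse_conn_log(text):
    """Group connection start times by (orig host, resp host, resp port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig, resp, port = line.split("\t")
        flows[(orig, resp, int(port))].append(float(ts))
    return flows


def score_flow(timestamps, min_connections=6):
    """Interval statistics for one flow; None when there are too few connections to judge."""
    ts = sorted(timestamps)
    if len(ts) < min_connections:
        return None
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(intervals)
    # Jitter as coefficient of variation: stdev relative to the mean interval.
    # A fixed sleep with a little random jitter scores low; human traffic scores high.
    jitter = statistics.pstdev(intervals) / mean if mean > 0 else float("inf")
    return {"count": len(ts), "mean_interval": round(mean, 1), "jitter": round(jitter, 3)}


def detect_beacons(text, max_jitter=0.15, min_connections=6):
    """Per-flow statistics with a 'beacon' verdict for every flow that has enough connections."""
    results = {}
    for key, ts in parse_conn_log(text).items():
        stats = score_flow(ts, min_connections)
        if stats is not None:
            stats["beacon"] = stats["jitter"] <= max_jitter
            results[key] = stats
    return results


if __name__ == "__main__":
    for (orig, resp, port), s in sorted(detect_beacons(SAMPLE_CONN_LOG).items()):
        verdict = "BEACON" if s["beacon"] else "ok"
        print(f"{orig} -> {resp}:{port}  n={s['count']}  mean={s['mean_interval']}s  "
              f"jitter={s['jitter']}  {verdict}")
```

On the sample, the 10.0.0.5 flow scores a jitter near 0.03 and is flagged; the 10.0.0.9 flow scores above 1.0 and is not. Two caveats a practitioner should keep in mind: implants that sleep with a large randomised jitter (say 50 percent) push the coefficient of variation above a tight threshold, so combine this with a periodogram or with session-size uniformity before ruling a flow out, and keep-alives from legitimate agents (update checks, telemetry) will score as beacons and need an allowlist rather than a lower threshold.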

also useful · secondary tools

supporting and follow-up tools. surface as the investigation widens.

  1. pcap cleartext credential extractor: drop a pcap or pcapng · extract cleartext ftp, smtp, pop3, imap, http basic and telnet credentials · tcp reassembly · export csv · runs locally
  2. pcap email artifact extractor: drop a pcap or pcapng · smtp, pop3 and imap tcp reassembly · sender, recipient, subject, attachments · starttls detection · export csv · runs locally
  3. pcap malware family fingerprinter: drop a pcap · ja3, imphash, sni and http signatures · malware family attribution from network traffic · export csv · runs locally
  4. pcap file transfer reconstructor: drop a pcap or pcapng · reconstruct http, ftp and smb file transfers · sha256 and magic bytes · download reconstructed files · export csv · runs locally
  5. http access log analyzer: drop apache, nginx or iis access logs · request timeline · top ips · error analysis · scanner detection · web shell access · sqli and xss patterns · runs locally
  6. nginx / apache log analyzer: drop an access.log · parse combined log format · top IPs · paths · status codes · user agents · detect scanning · brute force · 404 storms · runs locally
  7. passive os fingerprinter from pcap: drop a pcap file · infer the operating system of every host from tcp/ip stack behavior · ttl values · window sizes · tcp options ordering · ip flag patterns · no active probing · identify os from existing captured traffic · runs locally
  8. case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates a structured forensic report PDF · runs locally
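Three of the tools on this page (the pcap reader, the cleartext credential extractor and the passive os fingerprinter) start from the same step: walk the libpcap record format, decode Ethernet/IPv4/TCP, and then look at either the payload or the IP/TCP header fields. The following is an added example of that pipeline written here for illustration; it is not the code behind any of the listed tools. It builds a small classic pcap in memory from constructed frames (not a real capture; the Basic credentials `admin:hunter2` and the addresses are made up), parses it back, pulls HTTP Basic credentials out of segment payloads, and guesses each SYN sender's initial TTL and hop distance. It deliberately stops short of what the real tools do: there is no TCP stream reassembly, so a header split across segments is missed; pcapng is a different container and is rejected; and TCP options ordering, which the fingerprinter above also uses, is not decoded. The initial-TTL table is the usual rough heuristic (64 for Linux/BSD-like stacks, 128 for Windows, 255 for many network devices), not a signature database.

```python
import base64
import socket
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08
# Classic libpcap magic values: microsecond and nanosecond variants, both byte orders.
PCAP_ENDIAN = {0xA1B2C3D4: "<", 0xA1B23C4D: "<", 0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}


def build_tcp_frame(src, dst, sport, dport, ttl, window, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame for the sample file (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # zeroed MACs, ethertype IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, window, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a classic libpcap file: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def decode_frame(frame, link_type):
    """Ethernet -> IPv4 -> TCP; returns None for anything else."""
    if link_type != 1 or len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length honours options
    ttl, proto = frame[22], frame[23]     # fixed offsets 8 and 9 inside the IP header
    if proto != 6 or len(frame) < 14 + ihl + 20:
        return None
    t = 14 + ihl
    sport, dport, _, _, doff, flags, window = struct.unpack_from("!HHIIBBH", frame, t)
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "ttl": ttl, "window": window,
            "flags": flags, "payload": frame[t + (doff >> 4) * 4:]}


def parse_pcap(data):
    """Yield decoded TCP packets from classic pcap bytes (pcapng is a different format)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic not in PCAP_ENDIAN:
        raise ValueError("not a classic libpcap file")
    end = PCAP_ENDIAN[magic]
    link_type = struct.unpack_from(end + "I", data, 20)[0]
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(end + "IIII", data, off)
        off += 16
        pkt = decode_frame(data[off:off + incl_len], link_type)
        off += incl_len
        if pkt:
            yield pkt


def extract_basic_auth(packets):
    """HTTP Basic credentials from individual segment payloads (no stream reassembly here)."""
    found = []
    for p in packets:
        for line in p["payload"].split(b"\r\n"):
            if line.lower().startswith(b"authorization: basic "):
                try:
                    decoded = base64.b64decode(line[21:].strip()).decode("utf-8", "replace")
                except ValueError:  # binascii.Error is a ValueError subclass
                    continue
                user, _, pw = decoded.partition(":")
                found.append((p["src"], p["dst"], p["dport"], user, pw))
    return found


OS_HINTS = {64: "Linux/BSD/macOS-like (initial TTL 64)", 128: "Windows-like (initial TTL 128)",
            255: "network device / Solaris-like (initial TTL 255)", 32: "legacy (initial TTL 32)"}


def passive_os_fingerprint(packets):
    """Guess each SYN sender's initial TTL (hence OS family) and hop distance from observed TTL."""
    hosts = {}
    for p in packets:
        if (p["flags"] & (SYN | ACK)) != SYN:
            continue  # only pure SYNs carry the sender's own stack defaults
        initial = next(t for t in (32, 64, 128, 255) if p["ttl"] <= t)
        hosts[p["src"]] = {"ttl": p["ttl"], "hops": initial - p["ttl"],
                           "window": p["window"], "guess": OS_HINTS[initial]}
    return hosts


# Constructed sample capture: a Linux-like client three hops away sends a SYN, then a
# request carrying Basic auth (admin:hunter2); a Windows-like client sends a SYN.
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("10.0.0.5", "192.0.2.8", 40000, 80, 61, 29200, SYN),
    build_tcp_frame("192.0.2.8", "10.0.0.5", 80, 40000, 62, 65535, SYN | ACK),
    build_tcp_frame("10.0.0.5", "192.0.2.8", 40000, 80, 61, 29200, PSH | ACK,
                    b"GET /admin HTTP/1.1\r\nHost: intranet\r\n"
                    b"Authorization: Basic YWRtaW46aHVudGVyMg==\r\n\r\n"),
    build_tcp_frame("10.0.0.7", "192.0.2.8", 50000, 80, 125, 64240, SYN),
])

if __name__ == "__main__":
    pkts = list(parse_pcap(SAMPLE_PCAP))
    print("credentials:", extract_basic_auth(pkts))
    for host, info in passive_os_fingerprint(pkts).items():
        print(host, info)
```

To run it against a real file, replace `SAMPLE_PCAP` with `open(path, "rb").read()`; anything captured as pcapng, or on a non-Ethernet link type, will be rejected or skipped rather than misparsed. The SYN-ACK from 192.0.2.8 is intentionally ignored by the fingerprinter: a server's TTL and window are just as informative, but mixing SYN and SYN-ACK defaults into one table without tracking direction is a common source of wrong OS guesses.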