
PCAP analysis II: basic reports


In the previous post we captured some network traffic and tried out some of the filters available in tcpdump and tshark. This post shows how to make sure that the data of interest is gathered without too much noise, since noise makes the analysis harder.

Post-analysis of a PCAP file using TShark

I’ll demonstrate how you can extract information from a single pcap file using TShark. Information and examples cover discovery of:

  • conversation partners
  • endpoints
  • top talkers
  • connection initiators
  • protocol distribution
  • DNS activity
  • HTTP URLs
  • hosts mapping

Prerequisites

  • TShark (Wireshark command-line). Version differences may change available fields and output formatting.
  • Basic shell utilities: sort, uniq, awk, grep, head, sha256sum (examples use POSIX-like shell).

1 — Conversations and connections

1.1 IP conversations

List pairwise IPv4 conversation statistics (frames, bytes, duration).

tshark -r capture.pcap -qz conv,ip

Output shows endpoints in each conversation, frame/byte counts in each direction and total, relative start time and duration. Use this to identify dominant remote peers and large-volume flows.

1.2 TCP conversations

List per-TCP-socket conversations (including ports).

tshark -r capture.pcap -qz conv,tcp

Reveals TCP endpoints (ip:port), transfer sizes and durations. Useful to correlate application ports to endpoints identified in IP conversation summary.

1.3 Top talkers (IPv4)

Quick list of most frequent source IP addresses in the capture.

tcpdump -tnn -r capture.pcap | awk -F ">" '{print $1}' \
  | grep '^IP[[:space:]]' \
  | awk -F "." '{print $1"."$2"."$3"."$4}' \
  | sort | uniq -c | sort -nr | head -20

High-frequency addresses may indicate servers, services, or noisy hosts.

1.4 Endpoints initiating most connections

Count endpoints that send TCP SYN (without ACK) — likely connection initiators.

tshark -r capture.pcap -T fields -e ip.src "tcp.flags.syn==1 && tcp.flags.ack==0" \
  | sort | uniq -c | sort -rn | head -20

Identifies clients or scanning activity. Combine with conv,tcp output to inspect specific sessions.
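The SYN-only count above gives totals per source; an added example (not from the original post) that extends the same command with -e ip.dst -e tcp.dstport, ranks initiators and also flags sources whose bare SYNs fan out over many ports or hosts. The sample output and the thresholds are constructed assumptions.

```python
# Added example (not from the original post): parse the SYN-only field output
# above, extended with -e ip.dst -e tcp.dstport, and rank initiators while
# flagging sources that touch many distinct ports or hosts (probing pattern).
from collections import defaultdict

# Constructed sample of what this command prints (tab-separated):
#   tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport \
#       "tcp.flags.syn==1 && tcp.flags.ack==0"
SAMPLE = """\
10.26.10.5\t10.26.20.50\t80
10.26.10.5\t10.26.20.50\t443
10.26.10.5\t10.26.20.50\t443
10.26.10.9\t10.26.20.50\t22
10.26.10.9\t10.26.20.50\t23
10.26.10.9\t10.26.20.50\t25
10.26.10.9\t10.26.20.50\t80
10.26.10.9\t10.26.20.50\t443
10.26.10.7\t10.26.20.50\t443
10.26.10.7\t10.26.20.51\t443
"""

def summarize_initiators(text):
    """Per source IP: SYN count, distinct destination hosts and ports."""
    syns, hosts, ports = defaultdict(int), defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 3 or not parts[0]:
            continue  # non-IP frames print empty fields; skip them
        src, dst, dport = parts[:3]
        syns[src] += 1
        hosts[src].add(dst)
        ports[src].add(dport)
    return {s: {"syns": syns[s], "hosts": len(hosts[s]), "ports": len(ports[s])}
            for s in syns}

def top_initiators(stats, n=20):
    """Equivalent of the sort | uniq -c | sort -rn | head pipeline."""
    return sorted(stats.items(), key=lambda kv: (-kv[1]["syns"], kv[0]))[:n]

def flag_probers(stats, min_ports=4, min_hosts=4):
    """Sources whose bare SYNs fan out over many ports or hosts."""
    return sorted(s for s, v in stats.items()
                  if v["ports"] >= min_ports or v["hosts"] >= min_hosts)

if __name__ == "__main__":
    st = summarize_initiators(SAMPLE)
    for src, v in top_initiators(st):
        print(f"{v['syns']:4d} SYN {src:15s} hosts={v['hosts']} ports={v['ports']}")
    print("review these sources:", flag_probers(st))
```

Pipe the real tshark output into summarize_initiators instead of SAMPLE; a source that tops the SYN ranking but contacts only one host and one port is usually a busy client, not a scanner.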

1.5 Endpoint packet/byte totals

List per-endpoint packet and byte counters.

tshark -r capture.pcap -qz endpoints,ip

Filter by source subnet (example: 10.26.10.0/24):

tshark -r capture.pcap -qz endpoints,ip,'ip.src==10.26.10.0/24'

Shows per-IP counts and transmit/receive split. Useful for sizing and for spotting asymmetric flows.

2 — DNS analysis

2.1 DNS protocol statistics

Aggregate DNS metrics and distributions.

tshark -r capture.pcap -qz dns,tree

Provides counts for response codes, query types (A, PTR, SOA, AAAA, etc.), average payload sizes, query name lengths and response times. Use to detect anomalies such as excessive NXDOMAINs, unusually long QNAMEs, or high frequency of dynamic updates.

2.2 DNS endpoints and volumes

List endpoints generating DNS queries (UDP dst port 53 example).

tshark -r capture.pcap -qz endpoints,ip,'ip.src==10.26.10.0/24 && udp.dstport==53'

Shows which hosts in the subnet performed DNS traffic and the volume per host.

2.3 Most frequent DNS queries

Extract and rank DNS query names.

tshark -n -T fields -e dns.qry.name -r capture.pcap \
  | grep -v '^$' | sort | uniq -c | sort -rn | head -50

Reveals the most frequently requested domains — legitimate infrastructure names, telemetry endpoints, or suspicious domains (e.g., many unique subdomains may indicate tunneling).
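To turn the "many unique subdomains" observation into a check, an added example (not from the original post) that reads the dns.qry.name output above, groups names by parent domain and flags parents with many unique, long, random-looking leftmost labels. The sample names, the two-label notion of "parent domain" and the thresholds are constructed assumptions.

```python
# Added example (not from the original post): read the dns.qry.name output
# above and flag parent domains with many unique, long, high-entropy
# subdomains, the pattern noted for DNS tunnelling.
import math
from collections import Counter, defaultdict

# Constructed sample of dns.qry.name lines; the *.tun.example.net names
# imitate encoded data carried in the leftmost label.
SAMPLE = """\
www.example.com
time.nist.gov
k3j9x2mq8z7v1b4n6c0p.tun.example.net
mail.example.com
q8w2e5r7t1y9u3i6o0pa.tun.example.net
www.example.com
z1x4c7v0b3n6m9a2s5d8.tun.example.net
f6g3h9j1k4l7p0o2i5u8.tun.example.net
m2n5b8v1c4x7z0a3s6d9.tun.example.net
"""

def query_names(text):
    """One name per entry; a frame with several queries prints them comma-joined."""
    return [n for line in text.splitlines() for n in line.strip().split(",") if n]

def parent_domain(name):
    """Assumption: parent = last two labels (no public-suffix list used here)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])

def entropy(s):
    """Shannon entropy in bits per character; random-looking labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def subdomain_stats(text):
    """Per parent domain: unique names, longest leftmost label, its mean entropy."""
    by_parent = defaultdict(set)
    for name in query_names(text):
        by_parent[parent_domain(name)].add(name)
    stats = {}
    for parent, names in by_parent.items():
        first = [n.split(".")[0] for n in names]
        stats[parent] = {"unique": len(names),
                         "max_label": max(len(x) for x in first),
                         "mean_entropy": sum(entropy(x) for x in first) / len(first)}
    return stats

def flag_tunnel_candidates(stats, min_unique=5, min_label=20, min_entropy=3.5):
    return sorted(p for p, v in stats.items() if v["unique"] >= min_unique
                  and v["max_label"] >= min_label and v["mean_entropy"] >= min_entropy)
```

CDNs and some telemetry services also produce many unique subdomains, so treat a flagged parent as a lead to cross-reference with the endpoint and HTTP outputs, not as a verdict.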

3 — HTTP and application-layer artifacts

3.1 HTTP request URIs

Extract full HTTP request URIs observed in the capture.

tshark -n -r capture.pcap -T fields -e http.request.full_uri \
  | grep -v '^$' | sort | uniq -c | sort -rn | head -50

Notes: TShark may warn if capture is truncated; results remain useful when requests are fully present. Use discovered URIs to prioritize file retrieval or investigation of specific hosts.

3.2 File and object extraction (high-level)

Use Suricata, Zeek, or TShark frame offsets to extract file payloads. Example (conceptual):

  • Identify HTTP response frames with content.
  • Use editcap or tcpdump with frame numbers/offsets to extract segments for further scanning. (Commands for extraction are environment-specific; prefer Suricata/Zeek for automated file extraction.)

4 — Protocol hierarchy and distribution

4.1 Protocol hierarchy statistics

Summary of protocols by frames and bytes.

tshark -r capture.pcap -qz io,phs

Lists ethernet, VLAN, IP, and higher-level protocols (ICMP, UDP, DNS, NTP, etc.) with counts and byte totals. Use to confirm expected protocol mix and to detect unusual protocol usage.

5 — Miscellaneous useful outputs

5.1 Hosts file generation

TShark can create a simple hosts-like mapping of observed DNS names and IPs.

tshark -r capture.pcap -qz hosts

Output: a list of IP address and hostname pairs in standard Linux /etc/hosts format.

5.2 Protocol-level warnings and errors

If you did not capture full packets (-s0), tshark is likely to warn you about truncated and corrupted packets. This is normal and can usually be ignored, since we are more interested in metadata than in the contents of the captured packets. Keep it in mind, though, when reading statistics such as packet counts.

6 — Workflows and investigative notes

  • Start with high-level metrics (conv, endpoints, io,phs) to understand scale and dominant peers.
  • Drill down to per-protocol summaries (dns, http) for specific evidence.
  • Cross-reference: combine endpoints that initiate many TCP connections with DNS queries and HTTP URIs to identify likely clients and the services they consume.
  • When investigating suspicious domains: extract the flow (via the conv,ip or conv,tcp output), locate the associated HTTP request/response frames, and extract any transferred files for hashing and scanning.
  • Use display filters with tshark -r capture.pcap -Y '<filter>' to write only the relevant packets into a trimmed pcap for focused analysis:
tshark -r capture.pcap -Y 'ip.addr==10.26.20.50 && tcp.port==80' -w trimmed.pcap

7 — Example workflow for basic analysis

  1. Summarize top conversations:
    tshark -r capture.pcap -qz conv,ip
    tshark -r capture.pcap -qz conv,tcp
    
  2. Identify top talkers and connection initiators:
    tcpdump -tnn -r capture.pcap | awk -F ">" '{print $1}' | ... | head -20
    tshark -r capture.pcap -T fields -e ip.src "tcp.flags.syn==1 && tcp.flags.ack==0" | sort | uniq -c | sort -rn | head -20
    
  3. Obtain protocol distribution:
    tshark -r capture.pcap -qz io,phs
    
  4. Inspect DNS for suspicious patterns:
    tshark -r capture.pcap -qz dns,tree
    tshark -n -T fields -e dns.qry.name -r capture.pcap | sort | uniq -c | sort -rn | head -50
    
  5. Extract interesting HTTP URIs and use frame context to extract content:
    tshark -n -r capture.pcap -T fields -e http.request.full_uri | grep -v '^$' | sort | uniq -c | sort -rn | head -50
    
  6. Trim and extract specific flows for deeper analysis:
    tshark -r capture.pcap -Y 'ip.addr==<host> && tcp.port==<port>' -w flow.pcap
    

8 — Best practices and caveats

  • Validate capture integrity: truncated or corrupted pcaps can produce misleading metrics.
  • Time synchronization: ensure capture timestamps are correct and timezone-aware if you are correlating data with logs.
  • Hidden or encrypted content: TLS and other encrypted protocols limit visibility; rely on metadata (SNI, certificate info, endpoints, sizes, timing).
  • Sampling bias: a single capture is a snapshot — avoid overgeneralizing about long-term behavior.

9 — Summary

TShark provides concise, scriptable commands to extract a broad set of operational and forensic information from a pcap file: pairwise conversations, per-endpoint volumes, protocol composition, DNS activity, HTTP artifacts, and a simple hosts mapping. The commands in this document form a minimal, repeatable workstream to rapidly triage and prioritize further analysis. Use the outputs to guide deeper extraction (files, payloads) or to seed alerts and endpoint investigations.


That covers the fundamentals of network traffic capture and analysis. These techniques form the foundation for deeper network security analysis and troubleshooting.