MCP.directory

wireshark-network-traffic-analysis

by davila7
0
0
Source

This skill should be used when the user asks to "analyze network traffic with Wireshark", "capture packets for troubleshooting", "filter PCAP files", "follow TCP/UDP streams", "detect network anomalies", "investigate suspicious traffic", or "perform protocol analysis". It provides comprehensive techniques for network packet capture, filtering, and analysis using Wireshark.

Install

mkdir -p .claude/skills/wireshark-network-traffic-analysis && curl -L -o skill.zip "https://mcp.directory/api/skills/download/7561" && unzip -o skill.zip -d .claude/skills/wireshark-network-traffic-analysis && rm skill.zip

Installs to .claude/skills/wireshark-network-traffic-analysis

About this skill

Wireshark Network Traffic Analysis

Purpose

Execute comprehensive network traffic analysis using Wireshark to capture, filter, and examine network packets for security investigations, performance optimization, and troubleshooting. This skill enables systematic analysis of network protocols, detection of anomalies, and reconstruction of network conversations from PCAP files.

Inputs / Prerequisites

Required Tools

  • Wireshark installed (Windows, macOS, or Linux)
  • Network interface with capture permissions
  • PCAP/PCAPNG files for offline analysis
  • Administrator/root privileges for live capture

Technical Requirements

  • Understanding of network protocols (TCP, UDP, HTTP, DNS)
  • Familiarity with IP addressing and ports
  • Knowledge of OSI model layers
  • Understanding of common attack patterns

Use Cases

  • Network troubleshooting and connectivity issues
  • Security incident investigation
  • Malware traffic analysis
  • Performance monitoring and optimization
  • Protocol learning and education

Outputs / Deliverables

Primary Outputs

  • Filtered packet captures for specific traffic
  • Reconstructed communication streams
  • Traffic statistics and visualizations
  • Evidence documentation for incidents

Core Workflow

Phase 1: Capturing Network Traffic

Start Live Capture

Begin capturing packets on network interface:

1. Launch Wireshark
2. Select network interface from main screen
3. Click shark fin icon or double-click interface
4. Capture begins immediately

Capture Controls

ActionShortcutDescription
Start/Stop CaptureCtrl+EToggle capture on/off
Restart CaptureCtrl+RStop and start new capture
Open PCAP FileCtrl+OLoad existing capture file
Save CaptureCtrl+SSave current capture

Capture Filters

Apply filters before capture to limit data collection:

# Capture only specific host
host 192.168.1.100

# Capture specific port
port 80

# Capture specific network
net 192.168.1.0/24

# Exclude specific traffic
not arp

# Combine filters
host 192.168.1.100 and port 443

Phase 2: Display Filters

Basic Filter Syntax

Filter captured packets for analysis:

# IP address filters
ip.addr == 192.168.1.1              # All traffic to/from IP
ip.src == 192.168.1.1               # Source IP only
ip.dst == 192.168.1.1               # Destination IP only

# Port filters
tcp.port == 80                       # TCP port 80
udp.port == 53                       # UDP port 53
tcp.dstport == 443                   # Destination port 443
tcp.srcport == 22                    # Source port 22

Protocol Filters

Filter by specific protocols:

# Common protocols
http                                  # HTTP traffic
https or ssl or tls                   # Encrypted web traffic
dns                                   # DNS queries and responses
ftp                                   # FTP traffic
ssh                                   # SSH traffic
icmp                                  # Ping/ICMP traffic
arp                                   # ARP requests/responses
dhcp                                  # DHCP traffic
smb or smb2                          # SMB file sharing

TCP Flag Filters

Identify specific connection states:

tcp.flags.syn == 1                   # SYN packets (connection attempts)
tcp.flags.ack == 1                   # ACK packets
tcp.flags.fin == 1                   # FIN packets (connection close)
tcp.flags.reset == 1                 # RST packets (connection reset)
tcp.flags.syn == 1 && tcp.flags.ack == 0  # SYN-only (initial connection)

Content Filters

Search for specific content:

frame contains "password"            # Packets containing string
http.request.uri contains "login"    # HTTP URIs with string
tcp contains "GET"                   # TCP packets with string

Analysis Filters

Identify potential issues:

tcp.analysis.retransmission          # TCP retransmissions
tcp.analysis.duplicate_ack           # Duplicate ACKs
tcp.analysis.zero_window             # Zero window (flow control)
tcp.analysis.flags                   # Packets with issues
dns.flags.rcode != 0                 # DNS errors

Combining Filters

Use logical operators for complex queries:

# AND operator
ip.addr == 192.168.1.1 && tcp.port == 80

# OR operator
dns || http

# NOT operator
!(arp || icmp)

# Complex combinations
(ip.src == 192.168.1.1 || ip.src == 192.168.1.2) && tcp.port == 443

Phase 3: Following Streams

TCP Stream Reconstruction

View complete TCP conversation:

1. Right-click on any TCP packet
2. Select Follow > TCP Stream
3. View reconstructed conversation
4. Toggle between ASCII, Hex, Raw views
5. Filter to show only this stream

Stream Types

StreamAccessUse Case
TCP StreamFollow > TCP StreamWeb, file transfers, any TCP
UDP StreamFollow > UDP StreamDNS, VoIP, streaming
HTTP StreamFollow > HTTP StreamWeb content, headers
TLS StreamFollow > TLS StreamEncrypted traffic (if keys available)

Stream Analysis Tips

  • Review request/response pairs
  • Identify transmitted files or data
  • Look for credentials in plaintext
  • Note unusual patterns or commands

Phase 4: Statistical Analysis

Protocol Hierarchy

View protocol distribution:

Statistics > Protocol Hierarchy

Shows:
- Percentage of each protocol
- Packet counts
- Bytes transferred
- Protocol breakdown tree

Conversations

Analyze communication pairs:

Statistics > Conversations

Tabs:
- Ethernet: MAC address pairs
- IPv4/IPv6: IP address pairs
- TCP: Connection details (ports, bytes, packets)
- UDP: Datagram exchanges

Endpoints

View active network participants:

Statistics > Endpoints

Shows:
- All source/destination addresses
- Packet and byte counts
- Geographic information (if enabled)

Flow Graph

Visualize packet sequence:

Statistics > Flow Graph

Options:
- All packets or displayed only
- Standard or TCP flow
- Shows packet timing and direction

I/O Graphs

Plot traffic over time:

Statistics > I/O Graph

Features:
- Packets per second
- Bytes per second
- Custom filter graphs
- Multiple graph overlays

Phase 5: Security Analysis

Detect Port Scanning

Identify reconnaissance activity:

# SYN scan detection (many ports, same source)
ip.src == SUSPECT_IP && tcp.flags.syn == 1

# Review Statistics > Conversations for anomalies
# Look for single source hitting many destination ports

Identify Suspicious Traffic

Filter for anomalies:

# Traffic to unusual ports
tcp.dstport > 1024 && tcp.dstport < 49152

# Traffic outside trusted network
!(ip.addr == 192.168.1.0/24)

# Unusual DNS queries
dns.qry.name contains "suspicious-domain"

# Large data transfers
frame.len > 1400

ARP Spoofing Detection

Identify ARP attacks:

# Duplicate ARP responses
arp.duplicate-address-frame

# ARP traffic analysis
arp

# Look for:
# - Multiple MACs for same IP
# - Gratuitous ARP floods
# - Unusual ARP patterns

Examine Downloads

Analyze file transfers:

# HTTP file downloads
http.request.method == "GET" && http contains "Content-Disposition"

# Follow HTTP Stream to view file content
# Use File > Export Objects > HTTP to extract files

DNS Analysis

Investigate DNS activity:

# All DNS traffic
dns

# DNS queries only
dns.flags.response == 0

# DNS responses only
dns.flags.response == 1

# Failed DNS lookups
dns.flags.rcode != 0

# Specific domain queries
dns.qry.name contains "domain.com"

Phase 6: Expert Information

Access Expert Analysis

View Wireshark's automated findings:

Analyze > Expert Information

Categories:
- Errors: Critical issues
- Warnings: Potential problems
- Notes: Informational items
- Chats: Normal conversation events

Common Expert Findings

FindingMeaningAction
TCP RetransmissionPacket resentCheck for packet loss
Duplicate ACKPossible lossInvestigate network path
Zero WindowBuffer fullCheck receiver performance
RSTConnection resetCheck for blocks/errors
Out-of-OrderPackets reorderedUsually normal, excessive is issue

Quick Reference

Keyboard Shortcuts

ActionShortcut
Open fileCtrl+O
Save fileCtrl+S
Start/Stop captureCtrl+E
Find packetCtrl+F
Go to packetCtrl+G
Next packet
Previous packet
First packetCtrl+Home
Last packetCtrl+End
Apply filterEnter
Clear filterCtrl+Shift+X

Common Filter Reference

# Web traffic
http || https

# Email
smtp || pop || imap

# File sharing  
smb || smb2 || ftp

# Authentication
ldap || kerberos

# Network management
snmp || icmp

# Encrypted
tls || ssl

Export Options

File > Export Specified Packets    # Save filtered subset
File > Export Objects > HTTP       # Extract HTTP files
File > Export Packet Dissections   # Export as text/CSV

Constraints and Guardrails

Operational Boundaries

  • Capture only authorized network traffic
  • Handle captured data according to privacy policies
  • Avoid capturing sensitive credentials unnecessarily
  • Properly secure PCAP files containing sensitive data

Technical Limitations

  • Large captures consume significant memory
  • Encrypted traffic content not visible without keys
  • High-speed networks may drop packets
  • Some protocols require plugins for full decoding

Best Practices

  • Use capture filters to limit data collection
  • Save captures regularly during long sessions
  • Use display filters rather than deleting packets
  • Document analysis findings and methodology

Examples

Example 1: HTTP Credential Analysis

Scenario: Investigate potential plaintext credential transmission

1. Filter: http.request.method

---

*Content truncated.*

More by davila7

View all skills by davila7

scroll-experience

davila7

Expert in building immersive scroll-driven experiences - parallax storytelling, scroll animations, interactive narratives, and cinematic web experiences. Like NY Times interactives, Apple product pages, and award-winning web experiences. Makes websites feel like experiences, not just pages. Use when: scroll animation, parallax, scroll storytelling, interactive story, cinematic website.

10968

software-architecture

davila7

Guide for quality focused software architecture. This skill should be used when users want to write code, design architecture, analyze code, in any case that relates to software development.

14749

game-development

davila7

Game development orchestrator. Routes to platform-specific skills based on project needs.

10630

senior-fullstack

davila7

Comprehensive fullstack development skill for building complete web applications with React, Next.js, Node.js, GraphQL, and PostgreSQL. Includes project scaffolding, code quality analysis, architecture patterns, and complete tech stack guidance. Use when building new projects, analyzing code quality, implementing design patterns, or setting up development workflows.

9325

ml-paper-writing

davila7

Write publication-ready ML/AI papers for NeurIPS, ICML, ICLR, ACL, AAAI, COLM. Use when drafting papers from research repos, structuring arguments, verifying citations, or preparing camera-ready submissions. Includes LaTeX templates, reviewer guidelines, and citation verification workflows.

7823

senior-security

davila7

Comprehensive security engineering skill for application security, penetration testing, security architecture, and compliance auditing. Includes security assessment tools, threat modeling, crypto implementation, and security automation. Use when designing security architecture, conducting penetration tests, implementing cryptography, or performing security audits.

7921

You might also like

flutter-development

aj-geddes

Build beautiful cross-platform mobile apps with Flutter and Dart. Covers widgets, state management with Provider/BLoC, navigation, API integration, and material design.

9521,094

drawio-diagrams-enhanced

jgtolentino

Create professional draw.io (diagrams.net) diagrams in XML format (.drawio files) with integrated PMP/PMBOK methodologies, extensive visual asset libraries, and industry-standard professional templates. Use this skill when users ask to create flowcharts, swimlane diagrams, cross-functional flowcharts, org charts, network diagrams, UML diagrams, BPMN, project management diagrams (WBS, Gantt, PERT, RACI), risk matrices, stakeholder maps, or any other visual diagram in draw.io format. This skill includes access to custom shape libraries for icons, clipart, and professional symbols.

846846

ui-ux-pro-max

nextlevelbuilder

"UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 8 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient."

571700

godot

bfollington

This skill should be used when working on Godot Engine projects. It provides specialized knowledge of Godot's file formats (.gd, .tscn, .tres), architecture patterns (component-based, signal-driven, resource-based), common pitfalls, validation tools, code templates, and CLI workflows. The `godot` command is available for running the game, validating scripts, importing resources, and exporting builds. Use this skill for tasks involving Godot game development, debugging scene/resource files, implementing game systems, or creating new Godot components.

548492

nano-banana-pro

garg-aayush

Generate and edit images using Google's Nano Banana Pro (Gemini 3 Pro Image) API. Use when the user asks to generate, create, edit, modify, change, alter, or update images. Also use when user references an existing image file and asks to modify it in any way (e.g., "modify this image", "change the background", "replace X with Y"). Supports both text-to-image generation and image-to-image editing with configurable resolution (1K default, 2K, or 4K for high resolution). DO NOT read the image file first - use this skill directly with the --input-image parameter.

673466

fastapi-templates

wshobson

Create production-ready FastAPI projects with async patterns, dependency injection, and comprehensive error handling. Use when building new FastAPI applications or setting up backend API projects.

514280

Related MCP Servers

Browse all servers
Figma ContextFigma Context

Unlock seamless Figma to code: streamline Figma to HTML with Framelink MCP Server for fast, accurate design-to-code work

13,4900 tools
Laravel BoostLaravel Boost

Official Laravel-focused MCP server for augmenting AI-powered local development. Provides deep context about your Larave

3,3240 tools
GrafanaGrafana

Safely connect cloud Grafana to AI agents with MCP: query, inspect, and manage Grafana resources using simple, focused o

2,4940 tools
PerplexityPerplexity

Empower your workflows with Perplexity Ask MCP Server—seamless integration of AI research tools for real-time, accurate

1,9990 tools
Azure DevOpsAzure DevOps

Boost your productivity by managing Azure DevOps projects, pipelines, and repos in VS Code. Streamline dev workflows wit

1,37377 tools
Ref ToolsRef Tools

Boost AI coding agents with Ref Tools—efficient documentation access for faster, smarter code generation than GitHub Cop

1,0040 tools

Stay ahead of the MCP ecosystem

Get weekly updates on new skills and servers.