Help in Analyzing PCAP files

Eric used Ask the Experts™
I need to analyze PCAP files and APIs for an MVNE I am working with.  I can definitely see some things in the PCAP files they sent, but I would like to be able to do a lot more and more deeply analyze it.  I have been using wireshark to break it down but what is the best way to attack analyzing these files.  Is there a resource out there, program, best practice, etc.
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
WinPcap, and Npcap provide the packet-capture and filtering engines of many open-source and commercial network tools. I have use WinPcap with Wireshark in a prior time.  I use Comm View (Tamosoft) now.

Here is a good selection of packet sniffers (which you need to see the packet capture in WinPcap.

Of these, Wireshark is probably best for you

Here is an online tool for analyzing Pcap packets

Here is a tutorial on advanced Wireshark techniques.
nociSoftware Engineer
Distinguished Expert 2018

First you need to have an idea WHAT you want to measure.... Then you can select tools [ filters in wireshark ] to (dis)prove it.

Step 1: Identify what is the trouble you need to investigate:
"cannot logon"..., "cannot transfer files"..., Sounds are distorted, video is "blocky"
Step 2: determine network interaction, you need to establish how this interacts  with the network, f.e.: Filetransfer  (FTP, FTPS, SFTP, SCP, SMB, CIFS, NFS, ...)
Streams  (VOIP, VIDEO tream), ...
Step 3:  Search for anomalies, you can search for patterns that are not to be expected for such network interactions.
- packet loss  (most notable for seeing retransmits, and duplicate ack's)
- queries to non existent servers,   (no answers)
- jitter? (for voip, ntp)    measure interpacket timing for vieo/audio packets.
Kevin StockmarSr. Network Engineer

I need to analyze PCAP files just about everyday and here is the approach that I take.

1. What is my objective for looking at the PCAP? Troubleshoot slowness, validate two-way traffic, troubleshoot no connectivity, etc.
3. What is the source and destination IP's?
4. What is the application that they are using?
5. What protocol does the application talk on? (TCP/UDP/ESP/AH etc...)
6. Once you have all the information you can apply wireshark filters to narrow down the traffic to a single conversation
7. After that you would need to review the conversation for the problem identified in step 1.
           7a. Do you see a lot of time delay in client / server responses?
           7b. Is there a malformed payload
           7c. Do you see out of order packets
Learn SQL Server Core 2016

This course will introduce you to SQL Server Core 2016, as well as teach you about SSMS, data tools, installation, server configuration, using Management Studio, and writing and executing queries.

nociSoftware Engineer
Distinguished Expert 2018

Ok, this a continuous/recurring task that does beg for automation.

Wireshark has a companion tool called tshark. (it should be part of the toolset).
tshark is a command line oriented tool that can be called from scripts. So it can be used to pre-process raw .pcap files.

You can probably do this kind of analysis best on a linux/unix system as there are more tools available there that can help disecting files.
(man tshark)

From Wireshark you may be able to use display filter macros,
Wireshark has some scripting capabilities using the script language LUA ,

That can also help develop some tools for recurring tasks.


Thanks Guys.
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

You are very welcome and happy to assist

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial