Skip to content
All Skills

Analyzing Network Traffic Of Malware

Analyzes network traffic generated by malware during sandbox execution or live incident response to identify C2 protocols, data exfiltration channels, payload downloads, and lateral movement patterns using Wireshark, Zeek, and Suricata. Activates for requests involving malware network analysis, C2 traffic decoding, malware PCAP analysis, or network-based malware detection.

Security & Compliance|v1|Updated 7/2/2026|GitHub source
MCP get_skill({ skillId: "analyzing-network-traffic-of-malware-1506199e" })

Use this skill with your agent

Create a free account and connect via MCP

Get Started Free
# Analyzing Network Traffic of Malware

## When to Use

- Sandbox execution has captured a PCAP file and the network behavior needs detailed analysis
- Identifying the C2 protocol structure for writing network detection signatures
- Determining what data the malware exfiltrates and to which external infrastructure
- Analyzing DNS tunneling, domain generation algorithms (DGA), or fast-flux behavior
- Creating Suricata/Snort signatures based on observed malware network patterns

**Do not use** for host-based analysis of malware behavior; use Cuckoo sandbox reports or Volatility memory analysis for process-level activity.

## Prerequisites

- Wireshark 4.x installed for interactive PCAP analysis
- tshark (Wireshark CLI) for scripted packet extraction
- Zeek installed for automated metadata generation from PCAPs
- Suricata with ET Open/ET Pro rulesets for signature matching
- NetworkMiner for file extraction and credential detection from PCAPs
- Python 3.8+ with `scapy` and `dpkt` for programmatic packet analysis

## Workflow

### Step 1: Initial PCAP Overview

Get a high-level understanding of the network traffic:

```bash
# Capture statistics
capinfos malware.pcap

# Protocol hierarchy
tshark -r malware.pcap -q -z io,phs

# Endpoint statistics (top talkers)
tshark -r malware.pcap -q -z endpoints,ip

# Conversation statistics
tshark -r malware.pcap -q -z conv,tcp

# DNS query summary
tshark -r malware.pcap -q -z dns,tree
```

### Step 2: Analyze DNS Activity

Examine DNS queries for DGA, tunneling, or C2 domain resolution:

```bash
# Extract all DNS queries

Continue reading

Sign up for a free account to view the full skill content

Login / Register
#mukul-cybersecurity-skills#security#cybersecurity#malware#analysispythonwiresharkzeeksuricatanetworkminerscapydpkt
Analyzing Network Traffic Of Malware - AgentArmory Skill — AgentArmory