Network Forensics and PCAP Analysis: Finding the Attack in the Packet Capture

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Packet capture analysis is the most complete record of what happened on the network. Endpoints log what they know happened locally. SIEM correlates events across systems. Network packet capture contains everything that was transmitted — including data that was encrypted end-to-end (observable at the metadata level even if not readable), protocols that generate no endpoint logs, and lateral movement across network segments.
Not every incident requires PCAP analysis — endpoint forensics and log analysis are often sufficient. But when an investigation needs to establish: what data left the network, how C2 communication was structured, what credentials were transmitted in cleartext, or how an attacker moved laterally across network segments, PCAP is the evidence source that provides the answer. This guide covers the practical workflow.
Capturing traffic: where and how
Before analysis, you need the PCAP file. The capture point determines what traffic is visible.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Wireshark: the essential filters for incident response
Wireshark's display filter language is the core skill for PCAP analysis. These filters address the most common incident response scenarios.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
tshark: command-line PCAP analysis for large files
Wireshark's GUI becomes impractical for PCAP files above 1-2GB. tshark (Wireshark's command-line interface) processes large captures efficiently and supports pipe-based workflows.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Zeek (Bro): automatic PCAP-to-log conversion
Zeek is an open source network analysis framework that processes PCAP files and produces structured logs — conn.log (all connections), dns.log, http.log, ssl.log, files.log, and others — that are far easier to query than raw PCAP. Installing Zeek and running it against a PCAP file reduces analysis time dramatically.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
PCAP analysis answers the questions that endpoint and SIEM logs cannot: what data left the network, how the attacker communicated with C2, and what the lateral movement path looked like at the network level. Wireshark's display filters and conversation statistics handle most triage use cases in minutes. tshark and Zeek handle large captures efficiently without requiring the full GUI. For organizations that do not currently capture network traffic, a Security Onion deployment on the perimeter or a cloud-based NDR sensor is the infrastructure investment that makes PCAP analysis available retroactively during the next incident.
Frequently asked questions
How much storage does full packet capture require?
Full-packet capture volume depends on network throughput. At 1 Gbps sustained traffic, full capture generates approximately 450GB per hour. Enterprise networks typically sustain 2-10% of peak bandwidth during normal hours. Practical storage for a 1 Gbps perimeter with 10% average utilization and 30-day retention is approximately 30-40TB. Most organizations implement capture on trigger (capture only when specific signatures fire) or metadata-only (Zeek logs without raw packets) rather than full-packet indefinite retention. 7-day full-packet retention with 90-day metadata retention is a common operational balance.
Can you see encrypted HTTPS traffic in Wireshark?
Without the server's private key or a TLS session key log file, Wireshark cannot decrypt TLS traffic. What you can see: source and destination IPs and ports, TLS handshake metadata (Server Name Indication field reveals the domain even in encrypted traffic, JA3/JA3S fingerprints identify the TLS implementation), packet sizes and timing (beacon pattern detection works on encrypted traffic), and certificate details (the server's certificate is transmitted unencrypted). For incident response, SSL inspection at a proxy or the server's private key are required for content decryption.
What is the difference between Zeek, Suricata, and Snort for network analysis?
Zeek (formerly Bro) is a network analysis framework that produces structured logs from PCAP — focused on network metadata and protocol analysis, not signature detection. Suricata and Snort are signature-based IDS/IPS engines — they alert on traffic that matches known attack signatures. For incident response PCAP analysis, Zeek is typically more useful because it produces queryable logs for all connections and protocols rather than only alerting on signature matches. In production deployment, run both: Zeek for metadata and protocol analysis, Suricata for signature-based alerting.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
