40%
of incident investigations reveal C2 or exfiltration activity in PCAP that was not captured by endpoint or SIEM logs
Wireshark
the de facto standard for PCAP analysis — open source, cross-platform, and the tool used in over 90% of network forensics workflows
tshark
Wireshark's command-line counterpart — essential for processing large PCAP files (>1GB) where the GUI becomes impractical
Full packet capture
NetworkMiner, Zeek (Bro), and Suricata convert raw PCAP to structured logs automatically — reducing manual analysis time by 60-70% for large captures

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Packet capture analysis is the most complete record of what happened on the network. Endpoints log what they know happened locally. SIEM correlates events across systems. Network packet capture contains everything that was transmitted — including data that was encrypted end-to-end (observable at the metadata level even if not readable), protocols that generate no endpoint logs, and lateral movement across network segments.

Not every incident requires PCAP analysis — endpoint forensics and log analysis are often sufficient. But when an investigation needs to establish: what data left the network, how C2 communication was structured, what credentials were transmitted in cleartext, or how an attacker moved laterally across network segments, PCAP is the evidence source that provides the answer. This guide covers the practical workflow.

Capturing traffic: where and how

Before analysis, you need the PCAP file. The capture point determines what traffic is visible.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Wireshark: the essential filters for incident response

Wireshark's display filter language is the core skill for PCAP analysis. These filters address the most common incident response scenarios.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

tshark: command-line PCAP analysis for large files

Wireshark's GUI becomes impractical for PCAP files above 1-2GB. tshark (Wireshark's command-line interface) processes large captures efficiently and supports pipe-based workflows.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Zeek (Bro): automatic PCAP-to-log conversion

Zeek is an open source network analysis framework that processes PCAP files and produces structured logs — conn.log (all connections), dns.log, http.log, ssl.log, files.log, and others — that are far easier to query than raw PCAP. Installing Zeek and running it against a PCAP file reduces analysis time dramatically.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

PCAP analysis answers the questions that endpoint and SIEM logs cannot: what data left the network, how the attacker communicated with C2, and what the lateral movement path looked like at the network level. Wireshark's display filters and conversation statistics handle most triage use cases in minutes. tshark and Zeek handle large captures efficiently without requiring the full GUI. For organizations that do not currently capture network traffic, a Security Onion deployment on the perimeter or a cloud-based NDR sensor is the infrastructure investment that makes PCAP analysis available retroactively during the next incident.

Frequently asked questions

How much storage does full packet capture require?

Full-packet capture volume depends on network throughput. At 1 Gbps sustained traffic, full capture generates approximately 450GB per hour. Enterprise networks typically sustain 2-10% of peak bandwidth during normal hours. Practical storage for a 1 Gbps perimeter with 10% average utilization and 30-day retention is approximately 30-40TB. Most organizations implement capture on trigger (capture only when specific signatures fire) or metadata-only (Zeek logs without raw packets) rather than full-packet indefinite retention. 7-day full-packet retention with 90-day metadata retention is a common operational balance.

Can you see encrypted HTTPS traffic in Wireshark?

Without the server's private key or a TLS session key log file, Wireshark cannot decrypt TLS traffic. What you can see: source and destination IPs and ports, TLS handshake metadata (Server Name Indication field reveals the domain even in encrypted traffic, JA3/JA3S fingerprints identify the TLS implementation), packet sizes and timing (beacon pattern detection works on encrypted traffic), and certificate details (the server's certificate is transmitted unencrypted). For incident response, SSL inspection at a proxy or the server's private key are required for content decryption.

What is the difference between Zeek, Suricata, and Snort for network analysis?

Zeek (formerly Bro) is a network analysis framework that produces structured logs from PCAP — focused on network metadata and protocol analysis, not signature detection. Suricata and Snort are signature-based IDS/IPS engines — they alert on traffic that matches known attack signatures. For incident response PCAP analysis, Zeek is typically more useful because it produces queryable logs for all connections and protocols rather than only alerting on signature matches. In production deployment, run both: Zeek for metadata and protocol analysis, Suricata for signature-based alerting.

Sources & references

  1. Wireshark Documentation
  2. SANS Network Forensics Cheat Sheet
  3. SecurityOnion Network Security Monitoring

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.