- Posted on
- • Artificial Intelligence
Artificial Intelligence Wireshark Analysis
- Author
-
-
- User
- linuxbash
- Posts by this author
- Posts by this author
-
Artificial Intelligence Wireshark Analysis: Turn PCAP Overwhelm into Fast, Actionable Insights (from Bash)
Ever opened a multi‑gigabyte pcap and felt that sinking “where do I even start?” feeling? Wireshark is phenomenal for deep dives, but incident responders and sysadmins often need triage first: What’s weird? Which flows deserve attention? That’s where a pinch of AI—applied right from your Linux terminal—can dramatically narrow the search space before you even click the shark fin.
In this guide, we’ll combine Wireshark/TShark with lightweight machine learning to:
Export structured features from packet captures
Detect anomalous flows using a simple Isolation Forest model
Pivot back into Wireshark/TShark with precise filters for rapid investigation
You’ll get reproducible commands, Bash-first workflows, and distro-agnostic install instructions for apt, dnf, and zypper.
Why “AI + Wireshark” is worth your time
Scale: Modern networks produce more packets than humans can eyeball. AI helps surface the 1–2% of flows worth a human’s time.
Pattern-agnostic: Signature-based detection misses novel behaviors. Unsupervised ML can spotlight statistically rare flows.
Bash-friendly: You don’t need an LLM farm. A few TShark fields + a small Python model = quick, local triage you can automate.
Prerequisites and installation
We’ll use:
Wireshark/TShark (capture, parse, export fields)
jq (optional, for JSON processing if you prefer -T json)
Python 3 + pip/venv (for ML)
Optional: set non-root capture privileges
Install the tools with your package manager:
Debian/Ubuntu (apt):
sudo apt update sudo apt install -y wireshark tshark jq python3 python3-pip python3-venvOptional (non-root capture):
sudo dpkg-reconfigure wireshark-common sudo usermod -aG wireshark $USER newgrp wiresharkFedora/RHEL/CentOS Stream (dnf):
sudo dnf install -y wireshark wireshark-cli jq python3 python3-pip python3-virtualenvOptional (non-root capture):
sudo usermod -aG wireshark $USER newgrp wiresharkopenSUSE (zypper):
sudo zypper install -y wireshark wireshark-cli jq python3 python3-pip python3-virtualenvOptional (non-root capture):
sudo usermod -aG wireshark $USER newgrp wireshark
Set up a Python virtual environment and install ML libraries:
python3 -m venv ~/.venvs/pcap-ai
source ~/.venvs/pcap-ai/bin/activate
pip install --upgrade pip
pip install pandas scikit-learn numpy
Note: Wheels for scikit-learn are widely available on x86_64; if your platform builds from source, ensure you have basic build tools installed.
Core workflow: 4 actionable steps
1) Capture a sample (or use an existing pcap)
Live capture for 60 seconds to a file:
sudo tshark -i eth0 -a duration:60 -w capture.pcapngReplace eth0 with your interface (list with
tshark -D).Or point to an existing pcap/pcapng:
ls -lh *.pcap*
Privacy note: Only capture where you’re authorized. Mask/sanitize data for testing.
2) Export per-packet fields with TShark (CSV)
We’ll extract just enough features for flow-level ML. This command exports timestamps, IP endpoints, protocols, TCP/UDP ports, and packet sizes.
tshark -r capture.pcapng \
-T fields \
-e frame.time_epoch -e ip.src -e ip.dst -e ip.proto \
-e tcp.srcport -e tcp.dstport -e udp.srcport -e udp.dstport \
-e frame.len \
-E header=y -E separator=, -E quote=d > packets.csv
Tip: To discover field names, try:
tshark -G fields | grep -E '(^frame\.len$|^ip\.src$|^udp\.srcport$|^tcp\.srcport$)'
Optional (JSON export + jq):
tshark -r capture.pcapng -T json > packets.json
jq '.[]._source.layers | {time: .frame["frame.time_epoch"], src: .ip["ip.src"], dst: .ip["ip.dst"], proto: .ip["ip.proto"]}' packets.json | head
3) Run an AI-powered anomaly detector on flows
We’ll aggregate packets into 5‑tuple flows, engineer a few simple features (packet count, total bytes, duration, pps, bps), and run Isolation Forest to flag outliers.
Save this as ai_flow_anomaly.py:
#!/usr/bin/env python3
import pandas as pd
import numpy as np
from sklearn.ensemble import IsolationForest
import argparse
parser = argparse.ArgumentParser()
parser.add_argument("-i", "--input", required=True, help="CSV exported from tshark")
parser.add_argument("-o", "--out", default="ai_suspicious_flows.csv")
args = parser.parse_args()
df = pd.read_csv(args.input)
# Ensure UDP/TCP columns exist even if not present
for col in ["tcp.srcport","tcp.dstport","udp.srcport","udp.dstport"]:
if col not in df.columns:
df[col] = np.nan
# Prefer TCP ports; fallback to UDP
df["sport"] = df["tcp.srcport"].fillna(df.get("udp.srcport"))
df["dport"] = df["tcp.dstport"].fillna(df.get("udp.dstport"))
# Types
df["frame.time_epoch"] = pd.to_numeric(df["frame.time_epoch"], errors="coerce")
df["frame.len"] = pd.to_numeric(df["frame.len"], errors="coerce")
df["sport"] = pd.to_numeric(df["sport"], errors="coerce").fillna(0).astype(int)
df["dport"] = pd.to_numeric(df["dport"], errors="coerce").fillna(0).astype(int)
df["ip.proto"] = pd.to_numeric(df["ip.proto"], errors="coerce").fillna(0).astype(int)
# Drop rows missing core data
df = df.dropna(subset=["frame.time_epoch","frame.len","ip.src","ip.dst"])
key_cols = ["ip.src","ip.dst","ip.proto","sport","dport"]
g = df.groupby(key_cols)
agg = g.agg(
pkt_count=("frame.len","count"),
bytes_total=("frame.len","sum"),
bytes_mean=("frame.len","mean"),
t_first=("frame.time_epoch","min"),
t_last=("frame.time_epoch","max"),
)
agg["duration"] = np.maximum(agg["t_last"] - agg["t_first"], 1e-3)
agg["pps"] = agg["pkt_count"] / agg["duration"]
agg["bps"] = agg["bytes_total"] / agg["duration"]
features = agg[["pkt_count","bytes_total","bytes_mean","duration","pps","bps"]].replace([np.inf,-np.inf], np.nan).fillna(0)
model = IsolationForest(n_estimators=300, contamination=0.02, random_state=42)
model.fit(features)
scores = model.decision_function(features) # higher => more normal
agg["anomaly_score"] = -scores # higher => more anomalous
agg["is_anomaly"] = agg["anomaly_score"] > np.quantile(agg["anomaly_score"], 0.98)
out = agg.sort_values("anomaly_score", ascending=False).reset_index()
out.to_csv(args.out, index=False)
print("Top 10 suspicious flows:")
print(out.loc[:9, ["ip.src","ip.dst","ip.proto","sport","dport","pkt_count","bytes_total","pps","bps","anomaly_score"]].to_string(index=False))
print(f"\nSaved results to {args.out}")
Run it:
source ~/.venvs/pcap-ai/bin/activate
python3 ai_flow_anomaly.py -i packets.csv -o ai_suspicious_flows.csv
You’ll get a ranked list of suspicious flows and a CSV you can sort/filter further.
What this buys you:
“What’s odd?” answered in seconds
A short list of 5‑tuples to pivot on in Wireshark/TShark
Repeatable scoring you can baseline across time or hosts
4) Pivot back into TShark/Wireshark for deep inspection
Take a flagged flow and filter your capture to just that conversation. For example, if the model flags:
src: 10.0.2.15
dst: 203.0.113.55
proto: TCP (6)
sport: 54321
dport: 8080
Filter in TShark:
tshark -r capture.pcapng -Y "ip.src==10.0.2.15 && ip.dst==203.0.113.55 && tcp && tcp.srcport==54321 && tcp.dstport==8080" -V | less
Open the same filter in Wireshark (GUI):
- Display filter:
ip.src==10.0.2.15 && ip.dst==203.0.113.55 && tcp.srcport==54321 && tcp.dstport==8080
Additional useful pivots:
Suspect SYN scans:
tshark -r capture.pcapng -Y "tcp.flags.syn==1 && tcp.flags.ack==0" -T fields -e ip.src -e tcp.dstport | sort | uniq -c | sort -nr | headTLS SNI outliers (odd domains during handshake):
tshark -r capture.pcapng -Y "tls.handshake.extensions_server_name" \ -T fields -e ip.src -e ip.dst -e tls.handshake.extensions_server_name \ | awk '{print tolower($0)}' | sort | uniq -c | sort -nr | headDNS query spikes (possible exfil via DNS):
tshark -r capture.pcapng -Y "dns.flags.response==0" -T fields -e ip.src -e dns.qry.name \ | awk '{print tolower($0)}' | cut -d' ' -f1 | sort | uniq -c | sort -nr | head
Real-world mini-scenarios (what “AI + TShark” can catch fast)
Abnormal data rates: A workstation pushing unusually high bps/pps to a rare external IP (potential exfil or C2).
Beaconing: Short, periodic flows to a fixed host every N seconds (C2 heartbeat). The model often flags very consistent pps with tiny durations.
DNS tunneling telltales: Many small packets, high pkt_count to port 53 with long or random-looking qnames. Combine model results with a quick DNS pivot as above.
Automate it: One-liner triage script
Drop this into ai-nettriage.sh to capture, export, score, and print top flows in one go:
#!/usr/bin/env bash
set -euo pipefail
IFACE="${1:-eth0}"
DUR="${2:-60}"
OUTDIR="${3:-./ai-captures}"
mkdir -p "$OUTDIR"
STAMP="$(date +%Y%m%d-%H%M%S)"
PCAP="$OUTDIR/cap-$STAMP.pcapng"
CSV="$OUTDIR/packets-$STAMP.csv"
RESULTS="$OUTDIR/ai-flows-$STAMP.csv"
echo "[*] Capturing $DUR seconds on $IFACE -> $PCAP"
sudo tshark -i "$IFACE" -a "duration:$DUR" -w "$PCAP"
echo "[*] Exporting packet fields -> $CSV"
tshark -r "$PCAP" \
-T fields \
-e frame.time_epoch -e ip.src -e ip.dst -e ip.proto \
-e tcp.srcport -e tcp.dstport -e udp.srcport -e udp.dstport \
-e frame.len \
-E header=y -E separator=, -E quote=d > "$CSV"
echo "[*] Running anomaly detector"
python3 ai_flow_anomaly.py -i "$CSV" -o "$RESULTS"
echo "[*] Top suspicious flows (see $RESULTS for full report)"
tail -n +2 "$RESULTS" | head -10
Make it executable and run:
chmod +x ai-nettriage.sh
./ai-nettriage.sh eth0 45
Tips, guardrails, and next steps
Calibrate contamination: If your environment is noisy, change
contamination=0.02to fit your false positive tolerance.Baseline by host/segment: Train/score per subnet or per host type (workstation vs server) for better signal.
Ethics and privacy: Only capture on networks you own/manage; redact outputs when sharing.
Extend features: Add TLS JA3/JA3S hashes, DNS entropy, or TCP flag ratios for stronger models.
CI for pcaps: Schedule this over rotating captures and alert on new anomalies.
Conclusion / Call to Action
AI doesn’t replace your packet-fu; it supercharges it. By exporting a handful of TShark fields and running a tiny local model, you turn “pcap overwhelm” into a shortlist of leads—right from Bash. Try this on your last incident pcap or a fresh 60‑second capture, pivot the top 3 flagged flows in Wireshark, and see how much faster you land on meaningful evidence.
Your next step:
Install the prerequisites with apt/dnf/zypper
Run the 4-step workflow above on a sample capture
Iterate: tune contamination, add features, and automate with ai-nettriage.sh
If this sped up your triage, share your tweaks or feature ideas with your team—small, open tools stitched together on Linux can punch far above their weight.