Posted on
Artificial Intelligence

Artificial Intelligence Wireshark Analysis

Author
  • User
    linuxbash
    Posts by this author
    Posts by this author

Artificial Intelligence Wireshark Analysis: Turn PCAP Overwhelm into Fast, Actionable Insights (from Bash)

Ever opened a multi‑gigabyte pcap and felt that sinking “where do I even start?” feeling? Wireshark is phenomenal for deep dives, but incident responders and sysadmins often need triage first: What’s weird? Which flows deserve attention? That’s where a pinch of AI—applied right from your Linux terminal—can dramatically narrow the search space before you even click the shark fin.

In this guide, we’ll combine Wireshark/TShark with lightweight machine learning to:

  • Export structured features from packet captures

  • Detect anomalous flows using a simple Isolation Forest model

  • Pivot back into Wireshark/TShark with precise filters for rapid investigation

You’ll get reproducible commands, Bash-first workflows, and distro-agnostic install instructions for apt, dnf, and zypper.

Why “AI + Wireshark” is worth your time

  • Scale: Modern networks produce more packets than humans can eyeball. AI helps surface the 1–2% of flows worth a human’s time.

  • Pattern-agnostic: Signature-based detection misses novel behaviors. Unsupervised ML can spotlight statistically rare flows.

  • Bash-friendly: You don’t need an LLM farm. A few TShark fields + a small Python model = quick, local triage you can automate.

Prerequisites and installation

We’ll use:

  • Wireshark/TShark (capture, parse, export fields)

  • jq (optional, for JSON processing if you prefer -T json)

  • Python 3 + pip/venv (for ML)

  • Optional: set non-root capture privileges

Install the tools with your package manager:

  • Debian/Ubuntu (apt):

    sudo apt update
    sudo apt install -y wireshark tshark jq python3 python3-pip python3-venv
    

    Optional (non-root capture):

    sudo dpkg-reconfigure wireshark-common
    sudo usermod -aG wireshark $USER
    newgrp wireshark
    
  • Fedora/RHEL/CentOS Stream (dnf):

    sudo dnf install -y wireshark wireshark-cli jq python3 python3-pip python3-virtualenv
    

    Optional (non-root capture):

    sudo usermod -aG wireshark $USER
    newgrp wireshark
    
  • openSUSE (zypper):

    sudo zypper install -y wireshark wireshark-cli jq python3 python3-pip python3-virtualenv
    

    Optional (non-root capture):

    sudo usermod -aG wireshark $USER
    newgrp wireshark
    

Set up a Python virtual environment and install ML libraries:

python3 -m venv ~/.venvs/pcap-ai
source ~/.venvs/pcap-ai/bin/activate
pip install --upgrade pip
pip install pandas scikit-learn numpy

Note: Wheels for scikit-learn are widely available on x86_64; if your platform builds from source, ensure you have basic build tools installed.

Core workflow: 4 actionable steps

1) Capture a sample (or use an existing pcap)

  • Live capture for 60 seconds to a file:

    sudo tshark -i eth0 -a duration:60 -w capture.pcapng
    

    Replace eth0 with your interface (list with tshark -D).

  • Or point to an existing pcap/pcapng:

    ls -lh *.pcap*
    

Privacy note: Only capture where you’re authorized. Mask/sanitize data for testing.

2) Export per-packet fields with TShark (CSV)

We’ll extract just enough features for flow-level ML. This command exports timestamps, IP endpoints, protocols, TCP/UDP ports, and packet sizes.

tshark -r capture.pcapng \
  -T fields \
  -e frame.time_epoch -e ip.src -e ip.dst -e ip.proto \
  -e tcp.srcport -e tcp.dstport -e udp.srcport -e udp.dstport \
  -e frame.len \
  -E header=y -E separator=, -E quote=d > packets.csv

Tip: To discover field names, try:

tshark -G fields | grep -E '(^frame\.len$|^ip\.src$|^udp\.srcport$|^tcp\.srcport$)'

Optional (JSON export + jq):

tshark -r capture.pcapng -T json > packets.json
jq '.[]._source.layers | {time: .frame["frame.time_epoch"], src: .ip["ip.src"], dst: .ip["ip.dst"], proto: .ip["ip.proto"]}' packets.json | head

3) Run an AI-powered anomaly detector on flows

We’ll aggregate packets into 5‑tuple flows, engineer a few simple features (packet count, total bytes, duration, pps, bps), and run Isolation Forest to flag outliers.

Save this as ai_flow_anomaly.py:

#!/usr/bin/env python3
import pandas as pd
import numpy as np
from sklearn.ensemble import IsolationForest
import argparse

parser = argparse.ArgumentParser()
parser.add_argument("-i", "--input", required=True, help="CSV exported from tshark")
parser.add_argument("-o", "--out", default="ai_suspicious_flows.csv")
args = parser.parse_args()

df = pd.read_csv(args.input)

# Ensure UDP/TCP columns exist even if not present
for col in ["tcp.srcport","tcp.dstport","udp.srcport","udp.dstport"]:
    if col not in df.columns:
        df[col] = np.nan

# Prefer TCP ports; fallback to UDP
df["sport"] = df["tcp.srcport"].fillna(df.get("udp.srcport"))
df["dport"] = df["tcp.dstport"].fillna(df.get("udp.dstport"))

# Types
df["frame.time_epoch"] = pd.to_numeric(df["frame.time_epoch"], errors="coerce")
df["frame.len"] = pd.to_numeric(df["frame.len"], errors="coerce")
df["sport"] = pd.to_numeric(df["sport"], errors="coerce").fillna(0).astype(int)
df["dport"] = pd.to_numeric(df["dport"], errors="coerce").fillna(0).astype(int)
df["ip.proto"] = pd.to_numeric(df["ip.proto"], errors="coerce").fillna(0).astype(int)

# Drop rows missing core data
df = df.dropna(subset=["frame.time_epoch","frame.len","ip.src","ip.dst"])

key_cols = ["ip.src","ip.dst","ip.proto","sport","dport"]
g = df.groupby(key_cols)

agg = g.agg(
    pkt_count=("frame.len","count"),
    bytes_total=("frame.len","sum"),
    bytes_mean=("frame.len","mean"),
    t_first=("frame.time_epoch","min"),
    t_last=("frame.time_epoch","max"),
)

agg["duration"] = np.maximum(agg["t_last"] - agg["t_first"], 1e-3)
agg["pps"] = agg["pkt_count"] / agg["duration"]
agg["bps"] = agg["bytes_total"] / agg["duration"]

features = agg[["pkt_count","bytes_total","bytes_mean","duration","pps","bps"]].replace([np.inf,-np.inf], np.nan).fillna(0)

model = IsolationForest(n_estimators=300, contamination=0.02, random_state=42)
model.fit(features)
scores = model.decision_function(features)  # higher => more normal
agg["anomaly_score"] = -scores              # higher => more anomalous
agg["is_anomaly"] = agg["anomaly_score"] > np.quantile(agg["anomaly_score"], 0.98)

out = agg.sort_values("anomaly_score", ascending=False).reset_index()
out.to_csv(args.out, index=False)

print("Top 10 suspicious flows:")
print(out.loc[:9, ["ip.src","ip.dst","ip.proto","sport","dport","pkt_count","bytes_total","pps","bps","anomaly_score"]].to_string(index=False))
print(f"\nSaved results to {args.out}")

Run it:

source ~/.venvs/pcap-ai/bin/activate
python3 ai_flow_anomaly.py -i packets.csv -o ai_suspicious_flows.csv

You’ll get a ranked list of suspicious flows and a CSV you can sort/filter further.

What this buys you:

  • “What’s odd?” answered in seconds

  • A short list of 5‑tuples to pivot on in Wireshark/TShark

  • Repeatable scoring you can baseline across time or hosts

4) Pivot back into TShark/Wireshark for deep inspection

Take a flagged flow and filter your capture to just that conversation. For example, if the model flags:

  • src: 10.0.2.15

  • dst: 203.0.113.55

  • proto: TCP (6)

  • sport: 54321

  • dport: 8080

Filter in TShark:

tshark -r capture.pcapng -Y "ip.src==10.0.2.15 && ip.dst==203.0.113.55 && tcp && tcp.srcport==54321 && tcp.dstport==8080" -V | less

Open the same filter in Wireshark (GUI):

  • Display filter: ip.src==10.0.2.15 && ip.dst==203.0.113.55 && tcp.srcport==54321 && tcp.dstport==8080

Additional useful pivots:

  • Suspect SYN scans:

    tshark -r capture.pcapng -Y "tcp.flags.syn==1 && tcp.flags.ack==0" -T fields -e ip.src -e tcp.dstport | sort | uniq -c | sort -nr | head
    
  • TLS SNI outliers (odd domains during handshake):

    tshark -r capture.pcapng -Y "tls.handshake.extensions_server_name" \
    -T fields -e ip.src -e ip.dst -e tls.handshake.extensions_server_name \
    | awk '{print tolower($0)}' | sort | uniq -c | sort -nr | head
    
  • DNS query spikes (possible exfil via DNS):

    tshark -r capture.pcapng -Y "dns.flags.response==0" -T fields -e ip.src -e dns.qry.name \
    | awk '{print tolower($0)}' | cut -d' ' -f1 | sort | uniq -c | sort -nr | head
    

Real-world mini-scenarios (what “AI + TShark” can catch fast)

  • Abnormal data rates: A workstation pushing unusually high bps/pps to a rare external IP (potential exfil or C2).

  • Beaconing: Short, periodic flows to a fixed host every N seconds (C2 heartbeat). The model often flags very consistent pps with tiny durations.

  • DNS tunneling telltales: Many small packets, high pkt_count to port 53 with long or random-looking qnames. Combine model results with a quick DNS pivot as above.

Automate it: One-liner triage script

Drop this into ai-nettriage.sh to capture, export, score, and print top flows in one go:

#!/usr/bin/env bash
set -euo pipefail

IFACE="${1:-eth0}"
DUR="${2:-60}"
OUTDIR="${3:-./ai-captures}"
mkdir -p "$OUTDIR"

STAMP="$(date +%Y%m%d-%H%M%S)"
PCAP="$OUTDIR/cap-$STAMP.pcapng"
CSV="$OUTDIR/packets-$STAMP.csv"
RESULTS="$OUTDIR/ai-flows-$STAMP.csv"

echo "[*] Capturing $DUR seconds on $IFACE -> $PCAP"
sudo tshark -i "$IFACE" -a "duration:$DUR" -w "$PCAP"

echo "[*] Exporting packet fields -> $CSV"
tshark -r "$PCAP" \
  -T fields \
  -e frame.time_epoch -e ip.src -e ip.dst -e ip.proto \
  -e tcp.srcport -e tcp.dstport -e udp.srcport -e udp.dstport \
  -e frame.len \
  -E header=y -E separator=, -E quote=d > "$CSV"

echo "[*] Running anomaly detector"
python3 ai_flow_anomaly.py -i "$CSV" -o "$RESULTS"

echo "[*] Top suspicious flows (see $RESULTS for full report)"
tail -n +2 "$RESULTS" | head -10

Make it executable and run:

chmod +x ai-nettriage.sh
./ai-nettriage.sh eth0 45

Tips, guardrails, and next steps

  • Calibrate contamination: If your environment is noisy, change contamination=0.02 to fit your false positive tolerance.

  • Baseline by host/segment: Train/score per subnet or per host type (workstation vs server) for better signal.

  • Ethics and privacy: Only capture on networks you own/manage; redact outputs when sharing.

  • Extend features: Add TLS JA3/JA3S hashes, DNS entropy, or TCP flag ratios for stronger models.

  • CI for pcaps: Schedule this over rotating captures and alert on new anomalies.

Conclusion / Call to Action

AI doesn’t replace your packet-fu; it supercharges it. By exporting a handful of TShark fields and running a tiny local model, you turn “pcap overwhelm” into a shortlist of leads—right from Bash. Try this on your last incident pcap or a fresh 60‑second capture, pivot the top 3 flagged flows in Wireshark, and see how much faster you land on meaningful evidence.

Your next step:

  • Install the prerequisites with apt/dnf/zypper

  • Run the 4-step workflow above on a sample capture

  • Iterate: tune contamination, add features, and automate with ai-nettriage.sh

If this sped up your triage, share your tweaks or feature ideas with your team—small, open tools stitched together on Linux can punch far above their weight.