Analyzes network traffic captures and flow data to identify adversary activity during security incidents, including command-and-control communications, lateral movement, data exfiltration, and exploitation attempts. Uses Wireshark, Zeek, and NetFlow analysis techniques. Activates for requests involving network traffic analysis, packet capture investigation, PCAP analysis, network forensics, C2 traffic detection, or exfiltration detection.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionanalyzing-network-traffic-for-incidentsExecute the skills CLI command in your project's root directory to begin installation:
Fetches analyzing-network-traffic-for-incidents from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate analyzing-network-traffic-for-incidents. Access via /analyzing-network-traffic-for-incidents in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
2
total installs
2
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
2
installs
2
this week
8.6K
stars
| name | analyzing-network-traffic-for-incidents |
| description | 'Analyzes network traffic captures and flow data to identify adversary activity during security incidents, including command-and-control communications, lateral movement, data exfiltration, and exploitation attempts. Uses Wireshark, Zeek, and NetFlow analysis techniques. Activates for requests involving network traffic analysis, packet capture investigation, PCAP analysis, network forensics, C2 traffic detection, or exfiltration detection. ' |
| domain | cybersecurity |
| subdomain | incident-response |
| tags | - network-forensics - PCAP-analysis - Wireshark - Zeek - traffic-analysis |
| mitre_attack | - T1071 - T1095 - T1573 - T1572 |
| version | 1.0.0 |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - RS.MA-01 - RS.MA-02 - RS.AN-03 - RC.RP-01 |
Do not use for host-based forensic analysis (process execution, file system artifacts); use endpoint forensics tools instead.
Obtain the relevant traffic data for the investigation:
Live Capture (if incident is active):
# Capture on specific interface filtering by host
tcpdump -i eth0 -w capture.pcap host 10.1.5.42
# Capture C2 traffic to specific external IP
tcpdump -i eth0 -w c2_traffic.pcap host 185.220.101.42
# Capture with rotation (1GB files, keep 10)
tcpdump -i eth0 -w capture_%Y%m%d%H%M.pcap -C 1000 -W 10
From Existing Infrastructure:
Detect command-and-control traffic patterns:
Beaconing Detection (Zeek conn.log):
# Extract connections to external IPs with regular intervals
cat conn.log | zeek-cut ts id.orig_h id.resp_h id.resp_p duration orig_bytes resp_bytes \
| awk '$4 ~ /^185\.220/' | sort -t. -k1,1n -k2,2n
Wireshark Beacon Analysis:
# Filter for traffic to suspected C2 IP
ip.addr == 185.220.101.42
# Filter HTTPS traffic to non-standard ports
tcp.port != 443 && ssl
# Filter DNS queries for suspicious domains
dns.qry.name contains "evil" or dns.qry.name matches "^[a-z0-9]{32}\."
# Filter HTTP POST (common C2 check-in method)
http.request.method == "POST" && ip.dst == 185.220.101.42
Beaconing characteristics to identify:
Trace adversary movement between internal systems:
Key protocols for lateral movement detection:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
SMB (TCP 445): PsExec, file share access, ransomware propagation
RDP (TCP 3389): Remote desktop sessions
WinRM (TCP 5985): PowerShell remoting
WMI (TCP 135): Remote command execution
SSH (TCP 22): Linux lateral movement
DCE/RPC (TCP 135): DCOM-based lateral movement
Wireshark Filters for Lateral Movement:
# SMB lateral movement
smb2 && ip.src == 10.1.5.42 && ip.dst != 10.1.5.42
# RDP connections from compromised host
tcp.dstport == 3389 && ip.src == 10.1.5.42
# Kerberos ticket requests (potential pass-the-ticket)
kerberos.msg_type == 12 && ip.src == 10.1.5.42
# NTLM authentication (potential pass-the-hash)
ntlmssp.auth.username && ip.src == 10.1.5.42
Identify unauthorized data transfers leaving the network:
# Identify large outbound transfers in Zeek conn.log
cat conn.log | zeek-cut ts id.orig_h id.resp_h id.resp_p orig_bytes \
| awk '$5 > 100000000' | sort -t$'\t' -k5 -rn
# DNS tunneling detection (high volume of TXT queries)
cat dns.log | zeek-cut query qtype | grep TXT | cut -f1 \
| rev | cut -d. -f1,2 | rev | sort | uniq -c | sort -rn | head
# Unusual protocol usage (ICMP tunneling, DNS over HTTPS)
cat conn.log | zeek-cut proto id.resp_p orig_bytes | awk '$1 == "icmp" && $3 > 1000'
Wireshark Exfiltration Filters:
# Large HTTP POST uploads
http.request.method == "POST" && tcp.len > 10000
# FTP data transfers
ftp-data && ip.src == 10.0.0.0/8
# DNS with large TXT responses (tunneling)
dns.resp.type == 16 && dns.resp.len > 200
Pull network-based indicators from traffic analysis:
Compile analysis into a structured report with evidence references:
| Term | Definition |
|---|---|
| PCAP (Packet Capture) | File format storing raw network packets captured from a network interface for offline analysis |
| Beaconing | Regular, periodic network connections from a compromised host to a C2 server, identifiable by consistent timing intervals |
| JA3/JA3S | TLS client and server fingerprinting method based on the ClientHello and ServerHello parameters; unique per application |
| NetFlow/IPFIX | Network traffic metadata (source, destination, ports, bytes, duration) collected by routers and switches without full packet capture |
| DNS Tunneling | Technique encoding data in DNS queries and responses to exfiltrate data or maintain C2 through DNS protocol |
| Network Tap | Hardware device that creates an exact copy of network traffic for monitoring without impacting network performance |
| Zeek Logs | Structured metadata logs generated by the Zeek network analysis framework covering connections, DNS, HTTP, SSL, and more |
Context: EDR detects a suspicious process on a workstation but cannot determine the volume of data exfiltrated. Network team provides PCAP from the full packet capture appliance covering the incident timeframe.
Approach:
Pitfalls:
NETWORK TRAFFIC ANALYSIS REPORT
=================================
Incident: INC-2025-1547
Analyst: [Name]
Capture Source: Arkime full packet capture
Analysis Period: 2025-11-15 14:00 UTC - 2025-11-15 18:00 UTC
Total PCAP Size: 4.7 GB
C2 COMMUNICATIONS
Source: 10.1.5.42 (WKSTN-042)
Destination: 185.220.101.42:443 (HTTPS)
Beacon Interval: 60 seconds ± 12% jitter
Sessions: 237 connections over 4 hours
JA3 Hash: a0e9f5d64349fb13191bc781f81f42e1
TLS Certificate: CN=update.evil[.]com (self-signed)
Total Data Sent: 147 MB (outbound)
Total Data Recv: 2.3 MB (inbound - commands)
LATERAL MOVEMENT
10.1.5.42 → 10.1.10.15 (SMB, TCP 445) - 14:35 UTC
10.1.5.42 → 10.1.10.20 (RDP, TCP 3389) - 14:42 UTC
10.1.5.42 → 10.1.1.5 (LDAP, TCP 389) - 15:10 UTC
EXFILTRATION SUMMARY
Protocol: HTTPS to C2 server
Volume: 147 MB outbound
Duration: 14:23 UTC - 18:00 UTC
Files Extracted: [list if recoverable from unencrypted channels]
DNS ANALYSIS
Suspicious Queries: 0 DNS tunneling indicators
DGA Detection: 0 algorithmically generated domains
EVIDENCE REFERENCES
PCAP File: INC-2025-1547_capture.pcap (SHA-256: ...)
Zeek Logs: /logs/zeek/2025-11-15/ (conn.log, ssl.log, dns.log)
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
analyzing-network-traffic-for-incidents reduced setup friction for our internal harness; good balance of opinion and flexibility.
Keeps context tight: analyzing-network-traffic-for-incidents is the kind of skill you can hand to a new teammate without a long onboarding doc.
analyzing-network-traffic-for-incidents is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
Keeps context tight: analyzing-network-traffic-for-incidents is the kind of skill you can hand to a new teammate without a long onboarding doc.
analyzing-network-traffic-for-incidents has been reliable in day-to-day use. Documentation quality is above average for community skills.
Registry listing for analyzing-network-traffic-for-incidents matched our evaluation — installs cleanly and behaves as described in the markdown.
analyzing-network-traffic-for-incidents fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
analyzing-network-traffic-for-incidents is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
Registry listing for analyzing-network-traffic-for-incidents matched our evaluation — installs cleanly and behaves as described in the markdown.
analyzing-network-traffic-for-incidents reduced setup friction for our internal harness; good balance of opinion and flexibility.
showing 1-10 of 55