Start searching for malware inside the pcap. Use the tools mentioned in Malware Analysis.
A note about PCAP vs PCAPNG: there are two versions of the PCAP file format; PCAPNG is newer and not supported by all tools. You may need to convert a file from PCAPNG to PCAP using Wireshark or another compatible tool, in order to work with it in some other tools.
If the header of your pcap is broken you should try to fix it using: http://f00l.de/hacking/pcapfix.php
Extract information and search for malware inside a pcap in PacketTotal
You can find more Wireshark trick in:
apt-get install suricataapt-get install oinkmasterecho "url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz" >> /etc/oinkmaster.confoinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
suricata -r packets.pcap -c /etc/suricata/suricata.yaml -k none -v -l log
If you are looking for something inside the pcap you can use ngrep. And example using the main filters:
ngrep -I packets.pcap "^GET" "port 80 and tcp and host 192.168 and dst host 192.168 and src host 192.168"
Xplico can analyze a pcap and extract information from it. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on.
sudo bash -c 'echo "deb http://repo.xplico.org/ $(lsb_release -s -c) main" /etc/apt/sources.list'sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 791C25CEsudo apt-get updatesudo apt-get install xplico
/etc/init.d/apache2 restart/etc/init.d/xplico start
Access to 127.0.0.1:9876 with credentials xplico:xplico
Then create a new case, create a new session inside the case and upload the pcap file.
Like Xplico it is a tool to analyze and extract objects from pcaps. It has a free edition that you can download here.
Extracting and encoding usernames and passwords (HTTP, FTP, Telnet, IMAP, SMTP...)
Extract authentication hashes and crack them using Hashcat (Kerberos, NTLM, CRAM-MD5, HTTP-Digest...)
Build visual network diagram (Network nodes & users)
Extract DNS queries
Reconstruct all TCP & UDP Sessions