Physical attacks
Mobile Apps Pentesting

Pcaps analysis

Start searching for malware inside the pcap. Use the tools mentioned in Malware Analysis.

A note about PCAP vs PCAPNG: there are two versions of the PCAP file format; PCAPNG is newer and not supported by all tools. You may need to convert a file from PCAPNG to PCAP using Wireshark or another compatible tool, in order to work with it in some other tools.

Online tools for pcaps

Basic Statistics


capinfos capture.pcap


Inside wireshark you can see different statistics that could be useful. Some interesting http filters:

If you want to search for content inside the packets of the sessions press CTRL+f You can add new layers to the main information bar (No., Time, Source...) pressing right bottom and Edit Column

Some WireShark tricks here.


Install and setup

apt-get install suricata
apt-get install oinkmaster
echo "url =" >> /etc/oinkmaster.conf
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules

Check pcap

suricata -r packets.pcap -c /etc/suricata/suricata.yaml -k none -v -l log


If you are looking for something inside the pcap you can use ngrep. And example using the main filters:

ngrep -I packets.pcap "^GET" "port 80 and tcp and host 192.168 and dst host 192.168 and src host 192.168"

Xplico Framework

Xplico can analyze a pcap and extract information from it. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on.


sudo bash -c 'echo "deb $(lsb_release -s -c) main" /etc/apt/sources.list'
sudo apt-key adv --keyserver --recv-keys 791C25CE
sudo apt-get update
sudo apt-get install xplico


/etc/init.d/apache2 restart
/etc/init.d/xplico start

Access to with credentials xplico:xplico

Then create a new case, create a new session inside the case and upload the pcap file.


Like Xplico it is a tool to analyze and extract objects from pcaps. It has a free edition that you can download here.

Other pcap analysis tricks