Course 6 - Network Traffic Analysis for Incident Response | Episode 3: Wireshark Alternatives: Network Miner, Terminal Shark, and CloudShark

Published 6 months, 1 week ago
Description
In this lesson, you’ll learn about:
  • Three powerful alternatives to Wireshark that expand your capabilities in network traffic analysis.
  • How to use Network Miner for passive intelligence, T-shark for automation, and CloudShark for collaborative, web-based analysis.
  • When and why each tool is more effective than Wireshark in specific scenarios.
Network Miner — Passive Data Collection & File Extraction
  • Purpose: A passive network forensics tool excellent for extracting intelligence without actively interfering with traffic.
Key Capabilities
  • Host Intelligence (Auto-Recon):
    • Automatically breaks traffic down by host.
    • Extracts IP/MAC, hostnames, OS fingerprints (e.g., Red Hat Linux), NIC vendor, open TCP ports, and even web server banners (e.g., Apache 2.0.40).
    • Provides a detailed, Nmap-like overview without performing any active scans.
  • Data Extraction (File Carving):
    • Automatically pulls files transmitted during the capture (images, documents, etc.).
    • Makes recovery of transferred files extremely easy.
  • Credential Extraction:
    • Effective at pulling credentials from clear-text protocols like:
      • SMTP (usernames and passwords when TLS is not used)
      • HTTP cookies (treated as credentials because a captured session cookie lets its holder authenticate as that user)
  • Traffic Review Tools:
    • Lists DNS queries for browsing activity.
    • Breaks HTTP and SMTP header fields into searchable tables for instant lookup (e.g., search by user agent).
Terminal Shark (T-shark) — Command-Line Automation
  • Purpose: A command-line version of Wireshark designed for automation, scripting, and large-scale analysis.
Key Capabilities
  • Same Power as Wireshark, but CLI-Based:
    • Uses the same filtering language as Wireshark (e.g., http.request, tcp.port == 80).
    • Ideal for environments without a GUI or for remote analysis over SSH.
  • Automation & Integration:
    • Perfect for batch processing, cron jobs, or running inside scripts.
    • Output can be piped into other tools, for example for threat-intel lookups or blocklist checks.
  • Custom Output:
    • Extract specific fields only (e.g., HTTP hostnames, source IPs).
    • Reduces noise and makes threat hunting more efficient.
  • Simple Threat Detection:
    • Analysts can filter important fields and check them against malicious blocklists.
    • Enables lightweight, fast, automated detection workflows.
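The field-extraction and blocklist-check workflow described above, as an added example that is not part of the course material. The capture name capture.pcap and the blocklist file blocklist.txt are assumptions; the tshark step needs a real capture, so a constructed stand-in for its output is used to exercise the matching logic offline.

```shell
#!/bin/sh
# Added example: tshark field extraction piped into a blocklist check.
# Real extraction step (not run here, it needs a capture file). tshark prints
# one line per HTTP request: "<src ip><TAB><host>".
extract_http_hosts() {
    tshark -r "$1" -Y 'http.request' -T fields -e ip.src -e http.host
}

# Constructed stand-in for tshark's output so the rest runs offline.
sample_fields() {
    printf '10.0.0.5\twww.example.com\n'
    printf '10.0.0.5\tupdates.example.org\n'
    printf '10.0.0.7\tbad.example.net\n'
    printf '10.0.0.9\twww.example.com\n'
    printf '10.0.0.7\tbad.example.net\n'
}

# Constructed blocklist: one hostname per line, '#' starts a comment.
sample_blocklist() {
    printf '# constructed blocklist for this example\n'
    printf 'bad.example.net\n'
    printf 'evil.example.org\n'
}

# match_blocklist BLOCKLIST_FILE: reads "<src>\t<host>" lines on stdin and
# prints each distinct "src host" pair whose host is on the blocklist.
match_blocklist() {
    awk -F'\t' -v bl="$1" '
        BEGIN {
            # load blocklist, skipping comments and blank lines
            while ((getline line < bl) > 0)
                if (line !~ /^#/ && line != "") bad[line] = 1
        }
        ($2 in bad) && !seen[$1 SUBSEP $2]++ { print $1, $2 }'
}

# Typical pipeline on a real capture:
#   extract_http_hosts capture.pcap | match_blocklist blocklist.txt
# run_demo: same pipeline over the constructed data.
run_demo() {
    bl=$(mktemp)
    sample_blocklist > "$bl"
    sample_fields | match_blocklist "$bl"
    rm -f "$bl"
}
```

Only the host that appears in the blocklist is reported, once per source address, which is the lightweight detection output that can then feed a ticket or a SIEM ingest script.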
CloudShark — Web-Based Visualization & Collaboration
  • Purpose: A browser-based network analysis platform similar to Wireshark, designed for team collaboration.
Key Capabilities
  • Collaborative Interface:
    • Apply filters just like in Wireshark.
    • Add comments/annotations directly to packets for team-based investigations.
  • Advanced Visualization Tools:
    • Traffic-over-time graph: Helps analysts zoom into sudden spikes or suspicious bursts.
    • Ladder diagrams: Show packet flow between hosts — extremely useful for understanding sequences like handshakes or attack chains.
    • Bytes-over-time visualization: Helps detect anomalies such as large outbound data spikes (e.g., from SQL injection exfiltration).
  • Interoperability:
    • Upload PCAPs to CloudShark for analysis.
    • Download them again (with or without comments) to continue work in Wireshark.
    • Works as a complementary tool rather than a replacement.