Motivation: I wanted to combine two or more packet capture (pcap) files in order to create an example from:
- One that contains only malicious (or simulated malicious) network traffic
- Another that contains legitimate, non-malicious network traffic
Many example packet capture files focus either specifically on malware, exploits, C2 traffic, etc. (like Security Onion’s list of PCAPs for Testing) or on examples of legitimate traffic (like Wireshark’s Sample Captures). I wanted to create an example that would interweave such sources and intersperse malicious and legitimate traffic, as they would typically occur concurrently.
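As an added illustration of the interleaving described above (this is example code, not part of the original post and not one of the Wireshark tools it goes on to describe), the following pure-Python script merges classic libpcap files by timestamp so that packets from a "malicious" capture and a "legitimate" capture end up in the order they would have occurred concurrently. It reads the 24-byte pcap global header and 16-byte per-record headers directly, supports both the microsecond and nanosecond magic numbers, refuses to merge captures whose link types differ (a merged pcap has only one linktype field), and writes nanosecond-resolution output so no input timestamp is truncated. The two input captures and the Ethernet frames inside them are constructed in memory with made-up markers; pcapng input is out of scope.

```python
"""Merge classic pcap files by timestamp (added example, not the post's code).
Only little-endian classic pcap is handled, not pcapng."""
import heapq
import struct
from typing import Iterable, List, Tuple

PCAP_MAGIC_USEC = 0xA1B2C3D4  # classic pcap, microsecond timestamp fraction
PCAP_MAGIC_NSEC = 0xA1B23C4D  # classic pcap, nanosecond timestamp fraction
# magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype (24 bytes)
GLOBAL_HDR = struct.Struct("<IHHiIII")
# ts_sec, ts_frac, incl_len, orig_len (16 bytes)
RECORD_HDR = struct.Struct("<IIII")
LINKTYPE_ETHERNET = 1

Packet = Tuple[int, bytes]  # (timestamp in nanoseconds, captured bytes)


def parse_pcap(data: bytes) -> Tuple[int, List[Packet]]:
    """Parse a classic pcap blob; return (linktype, packets in file order)."""
    if len(data) < GLOBAL_HDR.size:
        raise ValueError("truncated pcap global header")
    magic, _, _, _, _, _, linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic == PCAP_MAGIC_USEC:
        frac_scale = 1_000  # microseconds -> nanoseconds
    elif magic == PCAP_MAGIC_NSEC:
        frac_scale = 1
    else:
        raise ValueError(f"unsupported magic 0x{magic:08x} (big-endian or pcapng?)")
    packets: List[Packet] = []
    off = GLOBAL_HDR.size
    while off < len(data):
        if off + RECORD_HDR.size > len(data):
            raise ValueError("truncated record header")
        ts_sec, ts_frac, incl_len, _orig_len = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + incl_len > len(data):
            raise ValueError("truncated packet data")
        packets.append((ts_sec * 1_000_000_000 + ts_frac * frac_scale,
                        data[off:off + incl_len]))
        off += incl_len
    return linktype, packets


def build_pcap(linktype: int, packets: Iterable[Packet],
               nanosecond: bool = False, snaplen: int = 65535) -> bytes:
    """Serialize (already time-ordered) packets into a classic pcap blob."""
    magic = PCAP_MAGIC_NSEC if nanosecond else PCAP_MAGIC_USEC
    out = [GLOBAL_HDR.pack(magic, 2, 4, 0, 0, snaplen, linktype)]
    for ts_ns, payload in packets:
        sec, frac = divmod(ts_ns, 1_000_000_000)
        if not nanosecond:
            frac //= 1_000  # nanoseconds -> microseconds
        out.append(RECORD_HDR.pack(sec, frac, len(payload), len(payload)))
        out.append(payload)
    return b"".join(out)


def merge_pcaps(blobs: Iterable[bytes]) -> bytes:
    """Interleave several captures by timestamp into one nanosecond pcap."""
    parsed = [parse_pcap(b) for b in blobs]
    linktypes = {lt for lt, _ in parsed}
    if len(linktypes) != 1:
        raise ValueError(f"link types differ, cannot merge: {sorted(linktypes)}")
    # Each input is already in time order, so a k-way heap merge suffices.
    merged = heapq.merge(*(pk for _, pk in parsed), key=lambda p: p[0])
    return build_pcap(linktypes.pop(), merged, nanosecond=True)


def frame(marker: bytes) -> bytes:
    """Constructed Ethernet frame: dst MAC, src MAC, EtherType 0x0800, marker."""
    return bytes.fromhex("aabbccddeeff" "001122334455" "0800") + marker


# Constructed sample captures (timestamps in seconds since the epoch, made up).
MALICIOUS_PCAP = build_pcap(LINKTYPE_ETHERNET, [
    (100 * 10**9, frame(b"MAL-1")),
    (102 * 10**9 + 500_000_000, frame(b"MAL-2")),
])
LEGIT_PCAP = build_pcap(LINKTYPE_ETHERNET, [
    (99 * 10**9 + 500_000_000, frame(b"OK-1")),
    (101 * 10**9, frame(b"OK-2")),
    (103 * 10**9, frame(b"OK-3")),
], nanosecond=True)

if __name__ == "__main__":
    _, merged_packets = parse_pcap(merge_pcaps([MALICIOUS_PCAP, LEGIT_PCAP]))
    for ts_ns, payload in merged_packets:
        print(f"{ts_ns / 1e9:10.3f}s  {payload[14:].decode()}")
```

Run it as a script to see the five frames printed in merged time order; `merge_pcaps` can be pointed at real files by passing `open(path, "rb").read()` for each capture. Converting every timestamp to an integer nanosecond count before comparing avoids the float rounding that would otherwise reorder packets captured microseconds apart.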
In addition to tcpdump, there are three CLI tools provided by Wireshark that I used to help accomplish this: