CactusCon

CactusCon13
February 14-15, 2025
Mesa, AZ

Speaker: Ross Burke

PacketSifter and Leveraging TShark for Network Traffic Analysis

SOC analysts are familiar with Wireshark and all of its capabilities, but they often hit a roadblock when the pcap is relatively large. My tool, PacketSifter, and the open-source tool TShark will enable analysts to jump over that hurdle and learn to analyze pcaps on the command line!

Gone are the days of opening a large pcap in Wireshark and waiting two days for Wireshark to parse and load the pcap. PacketSifter will carve out noteworthy traffic as well as provide enrichment capabilities with GeoIP lookups via AbuseIPDB and hash lookups via VirusTotal.

This talk will demo PacketSifter as well as introduce TShark to continue on with the output files provided by PacketSifter.
