How does the skill identify C2 beaconing?

The skill analyzes connection intervals and jitter percentages between endpoints; low jitter and consistent timing often indicate automated Command and Control communication.

Does this skill monitor encrypted traffic?

The skill analyzes TLS metadata and certificate anomalies to flag suspicious encrypted connections, though it does not decrypt the traffic itself.

What are the technical requirements to run this skill?

You need Python 3.8 or higher, the 'requests' library, and network access to an Arkime viewer instance with valid API credentials.

Can I download PCAP files for offline analysis?

Yes, the skill includes functionality to download PCAP data via the Arkime API, allowing for more granular inspection in tools like Wireshark.

What is Arkime used for in this skill?

Arkime (formerly Moloch) is utilized to capture, index, and search full packet data, providing the underlying data source for the skill's traffic analysis and threat detection capabilities.

Network Traffic Analysis with Arkime

Name: Network Traffic Analysis with Arkime
Author: micsapp

bymicsapp

0•

Security & Testing

Deploys and queries Arkime to perform full packet capture analysis, detect C2 beaconing, and identify suspicious network flows.

This skill empowers users to leverage Arkime (formerly Moloch) for comprehensive network traffic analysis and forensic investigation within the Claude Code environment. By utilizing the Arkime API v3, it facilitates automated session searching, PCAP data retrieval, and advanced detection of Command and Control (C2) beaconing patterns through interval and jitter analysis. It is an essential tool for security teams needing to monitor DNS queries, HTTP traffic, and TLS certificate anomalies to maintain high-fidelity visibility and identify potential threats across their network infrastructure.

Key Features

01Analysis of DNS tunneling through query length and frequency monitoring

02Streamlined PCAP data downloading for deep forensic analysis

03Automated querying of Arkime sessions via IP, port, and protocol expressions

040 GitHub stars

05Identification of suspicious TLS certificates and anomalous HTTP traffic flows

06Heuristic-based C2 beaconing detection using interval and jitter statistics

Use Cases

01Proactive threat hunting for persistent malware communication in enterprise networks

02Conducting rapid incident response and network forensic investigations

03Building automated security architecture for compliance-driven traffic monitoring

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add micsapp/micstec-skills implementing-network-traffic-analysis-with-arkime

For use in Claude.ai and ChatGPT

Key Features

01Analysis of DNS tunneling through query length and frequency monitoring

02Streamlined PCAP data downloading for deep forensic analysis

03Automated querying of Arkime sessions via IP, port, and protocol expressions

040 GitHub stars

05Identification of suspicious TLS certificates and anomalous HTTP traffic flows

06Heuristic-based C2 beaconing detection using interval and jitter statistics

Use Cases

01Proactive threat hunting for persistent malware communication in enterprise networks

02Conducting rapid incident response and network forensic investigations

03Building automated security architecture for compliance-driven traffic monitoring

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add micsapp/micstec-skills implementing-network-traffic-analysis-with-arkime

For use in Claude.ai and ChatGPT