← Home

Packet Capture (PCAP) Analysis

Packet Capture (PCAP) is the process of recording every packet transmitted across a computer network. The resulting .pcap or .pcapng file contains a detailed record of network communications and can be analysed after the event to investigate cybersecurity incidents, troubleshoot communications, validate network configurations, or perform forensic investigations.

In Industrial Control Systems (ICS) and Operational Technology (OT), PCAP analysis provides one of the most valuable sources of evidence because it records exactly what occurred on the network without modifying the control system.

Packet Capture (PCAP) Analysis
Figure – Packet capture records network traffic for troubleshooting, incident response, and forensic analysis.

What is a Packet?

Every communication on an Ethernet network is broken into small pieces called packets.

A packet contains:

Example

PLC --------------------> SCADA

Ethernet
    IP
        TCP
            Modbus
                Read Register 40001

Each layer adds information to the packet.


What is a PCAP File?

A PCAP file is simply a recording of these packets.

Think of it as:

CCTV footage for a computer network.

Unlike log files, PCAP contains the actual network traffic.

A PCAP can show:


Why Capture Packets?

Packet captures are used for:

Troubleshooting

Finding why communications fail.

Examples:

Cybersecurity

Identify:

Incident Response

During an incident investigators need to know:

PCAP provides objective evidence.

Digital Forensics

Packet captures may be used in:


Packet Capture Methods

Packet captures can be collected using:

SPAN Port

Mirror switch traffic to a monitoring computer.

Preferred in industrial environments.

Advantages:

Network TAP

Hardware device placed inline.

Advantages:

Often used for permanent monitoring.

Capture on Endpoint

Using software such as:

Useful for troubleshooting.

OT Monitoring Appliances

Industrial cybersecurity platforms continuously record traffic.

Examples:


PCAP Analysis Workflow

Typical investigation process:

Capture Traffic

↓

Open PCAP

↓

Identify Hosts

↓

Identify Conversations

↓

Identify Protocols

↓

Look for Anomalies

↓

Follow Streams

↓

Extract Files

↓

Create Timeline

↓

Determine Root Cause

Typical Information Extracted

Devices

Communications

Who talked to who?

192.168.1.10

↓

192.168.1.100

TCP 502

(Modbus)

Timing

Determine:

Protocols

Examples:

Credentials

If protocols are unencrypted, examples include:

Passwords may be visible.

Malware

Packet captures often reveal:


Wireshark

Overview

Wireshark is the world's most widely used packet analysis tool. It allows users to inspect every packet individually.

Ideal for:

Main Features

Live Capture

Capture directly from:

Open PCAP Files

Analyse previously captured traffic.

Protocol Decoding

Supports thousands of protocols including industrial protocols.

Examples:

Display Filters

Examples:

Follow Streams

Reconstruct:

Useful for reading conversations.

Statistics

Shows:

Packet Details

Displays:

Every field can be expanded.

Wireshark Strengths

Wireshark Limitations


BruteShark

Overview

BruteShark is an open-source network forensic analysis platform designed to automate investigation of PCAP files. Instead of viewing every packet, it extracts high-value forensic artefacts automatically.

Main Capabilities

Automatically identifies:

Credential Recovery

Can recover:

When transmitted unencrypted.

Session Analysis

Shows:

File Extraction

Extracts transferred:

DNS Analysis

Builds domain relationships. Useful during malware investigations.

Timeline Generation

08:01 Login

↓

08:02 DNS Lookup

↓

08:03 HTTP Download

↓

08:05 SMB Connection

BruteShark Strengths

BruteShark Limitations


NetworkMiner

Overview

NetworkMiner is a Network Forensic Analysis Tool (NFAT). Unlike Wireshark, it reconstructs activity from captured packets automatically. It is designed for forensic investigations.

Key Features

File Extraction

Automatically extracts:

Credential Recovery

Can identify:

Host Discovery

Automatically builds an inventory:

Host

↓

IP

↓

MAC

↓

Hostname

↓

Operating System

↓

Services

Malware Investigation

Excellent for:

NetworkMiner Strengths

NetworkMiner Limitations


Comparison

Feature Wireshark BruteShark NetworkMiner
Live Capture
Open PCAP
Packet-level inspection Excellent Limited Limited
Automatic evidence extraction Basic Excellent Excellent
File extraction Manual Automatic Automatic
Credential recovery Manual Excellent Excellent
Industrial protocol decoding Excellent Limited Limited
Malware investigation Good Excellent Excellent
Troubleshooting PLC communications Excellent Poor Poor
Timeline generation Manual Automatic Automatic
Network forensics Good Excellent Excellent

PCAP Analysis in Industrial Networks

Industrial environments commonly analyse traffic involving:

Typical investigations include:


Best Practices for OT PCAP Analysis


Relationship to IEC 62443

Packet capture and analysis directly support several objectives of the ISA/IEC 62443 series by enabling visibility into industrial communications, validating security controls, detecting abnormal behaviour, and providing forensic evidence following security incidents.

IEC 62443 Area Relationship to PCAP Analysis
Security Monitoring Provides visibility into network communications for anomaly detection and operational awareness.
Incident Response Supplies detailed evidence to reconstruct cyber incidents, identify affected assets, and determine attack timelines.
Risk Assessment Reveals communication paths, exposed services, legacy protocols, and trust relationships that influence risk evaluations.
Security Zones & Conduits Confirms that communications occur only between authorised zones and through approved conduits, supporting network segmentation verification.
Security Program Assists ongoing monitoring, auditing, verification of security controls, and continuous improvement activities.
Threat Detection Identifies scanning, reconnaissance, malware communications, lateral movement, unauthorised remote access, and protocol misuse.
Asset Inventory Helps discover active devices, IP addresses, MAC addresses, and industrial services present on the network.
Security Validation Verifies firewall rules, access control policies, protocol restrictions, and network segmentation operate as intended.
Forensic Readiness Preserves high-quality evidence to support investigations, regulatory reporting, and lessons learned after cybersecurity events.

Key Takeaways


Standards References

Note: The ISA/IEC 62443 standards describe security objectives and required outcomes rather than prescribing specific tools. Wireshark, BruteShark, NetworkMiner, and similar PCAP analysis tools are practical implementations that organisations commonly use to demonstrate compliance, validate security controls, support monitoring, and investigate incidents within an IEC 62443 security program.