For an IT 566 forensics assignment, I wrote a Wireshark plugin known as TCPdShark. It is a variation of TCPdSTAT. I have tweaked it to search for network abnormalities that would reflect an intrusion or attack, and to provide a baseline reading for network administrators who want to quickly and painlessly analyse key protocols and their statistics.
To install this plugin, drop the Lua file into C:\Program Files\Wireshark\plugins\1.8.6\ (the plugins directory of a Wireshark 1.8.6 install; the version number in the path changes with the Wireshark release).
I have not tested the script with any other platform or architecture. Please let me know if it does or does not work for you.
- Specifically tuned for offline analysis.
- Analyzes the entire capture and specifically looks for abnormalities in SSH, IRC, Telnet, HTTP, ARP, FTP, ICMP and SMTP traffic.
- Highly configurable and customizable.
- Programmed in Lua.
- Dialog boxes at start-up for tweaking the default thresholds on a per-protocol basis.
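To illustrate the style of plugin described above, here is a small Wireshark Lua listener added as an example (it is not TCPdShark's own code). It asks for a per-source threshold in a start-up dialog, taps the whole loaded capture, counts ICMP echo requests and ARP replies per source, and lists the sources that exceed the threshold in a text window. It assumes only Wireshark's documented Lua API (`Field`, `Listener`, `TextWindow`, `new_dialog`, `register_menu`) and the field names `icmp.type` and `arp.opcode`.

```lua
-- Added example, not the TCPdShark plugin itself: a small Wireshark Lua
-- listener in the same style. It asks for a per-source threshold, taps the
-- loaded capture, counts ICMP echo requests and ARP replies per source and
-- lists sources above the threshold. Assumes Wireshark's Lua API only.
local f_icmp_type = Field.new("icmp.type")   -- 8 = echo request
local f_arp_op    = Field.new("arp.opcode")  -- 2 = reply
local function run_scan(threshold_str)
  local threshold = tonumber(threshold_str) or 100
  local win = TextWindow.new("Per-source threshold scan")
  local counts = { ["ICMP echo request"] = {}, ["ARP reply"] = {} }
  -- only frames matching the display filter reach tap.packet
  local tap = Listener.new("frame", "icmp or arp")
  local function bump(label, pinfo)
    local src = tostring(pinfo.src)   -- IP for ICMP, Ethernet address for ARP
    counts[label][src] = (counts[label][src] or 0) + 1
  end
  function tap.packet(pinfo, tvb)
    local t, op = f_icmp_type(), f_arp_op()
    if t and t.value == 8 then bump("ICMP echo request", pinfo) end
    if op and op.value == 2 then bump("ARP reply", pinfo) end
  end
  function tap.draw()
    win:clear()
    win:append(string.format("Sources above %d packets:\n", threshold))
    for label, by_src in pairs(counts) do
      for src, n in pairs(by_src) do
        if n > threshold then
          win:append(string.format("%-18s %s: %d\n", label, src, n))
        end
      end
    end
  end
  function tap.reset()
    for label in pairs(counts) do counts[label] = {} end
  end
  win:set_atclose(function() tap:remove() end)
  retap_packets()   -- re-run the tap over the whole capture (offline analysis)
end
register_menu("Threshold scan", function()
  new_dialog("Threshold", run_scan, "Max packets per source")
end, MENU_TOOLS_UNSORTED)
```

A high count of ARP replies from one address or of echo requests from one host is only a prompt to look closer; the thresholds are meant to be tuned to the baseline of the network being analysed.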
Current version: 1.1.0 (initial release: 1.0.0)
Edit: As of 29 Aug 2014, TCPdShark is now at version 1.1.0 and has had some bug fixes implemented, thanks to the good work of Grant and Team!
The script can be downloaded here.