Wireshark Command Line Tools

Everyone knows Wireshark's GUI. Almost nobody knows what's hiding in its command line. In this hands-on session, SANS instructor and SEC503 author Andy Laman walks through the Wireshark command-line toolkit that most analysts have never explored, and shows why these tools belong in every network analyst's workflow.

Tools covered in this session:

- captype: quickly identify the file format of a packet capture
- capinfos: get file size, packet count and first/last timestamps before you ever open a file
- editcap: slice large PCAPs by packet count, time interval or exact timestamp; adjust and align timestamps across sensors whose clocks disagree
- reordercap: fix out-of-order packets in merged captures
- mergecap: combine multiple PCAPs and pipe the result straight into tshark without writing an intermediate file to disk
- tshark: Wireshark's full-featured CLI counterpart; follow streams, filter on fields, run protocol hierarchy statistics and extract specific data at scale
- text2pcap: turn the base64-encoded packet bytes carried in Suricata alerts into PCAP files for Wireshark analysis (text2pcap reads hex dumps, so the base64 is decoded and hex-dumped on the way in)

Real-world use cases include proving SMB 3.1.1 compliance for auditors, decoding DNS-over-HTTPS queries, analysing a 1.8-million-packet capture without crashing Wireshark, and extracting packets from SIEM signature alerts.

If you spend any time doing network analysis and still do everything through the GUI, this talk will change how you work.

🌐 SANS SEC503: Network Monitoring and Threat Detection In-Depth: https://go.sans.org/QVSVQ3
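The two file-level jobs in the list, recovering a PCAP from the base64 packet in a Suricata alert and sizing a capture before opening it, are small enough to show end to end. The Python below is an added example written for this page, not code from the session or from the Wireshark project: it does by hand what a base64 -d | od | text2pcap pipeline and a capinfos run do, writing a classic libpcap file and then reading its headers back. The EVE JSON lines, the DNS frame inside them, the MAC and IP addresses and the rule name are all constructed for the example; only the pcap and EVE field layouts are real.

```python
import base64
import calendar
import json
import struct
from datetime import datetime

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic libpcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def _inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum (IPv4 header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_dns_query_frame() -> bytes:
    """Constructed Ethernet/IPv4/UDP frame carrying a DNS A query for example.com."""
    dns = struct.pack("!HHHHHH", 0x1A2B, 0x0100, 1, 0, 0, 0)        # id, RD set, 1 question
    dns += b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)     # QTYPE A, QCLASS IN
    udp_len = 8 + len(dns)
    udp = struct.pack("!HHHH", 51234, 53, udp_len, 0) + dns         # UDP checksum 0 = absent
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0x4000,
                     64, 17, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 53]))
    ip = ip[:10] + struct.pack("!H", _inet_checksum(ip)) + ip[12:]  # fill header checksum
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + udp


# Constructed EVE JSON: a flow record (no packet bytes) and an alert whose "packet"
# field is the frame above, base64 encoded; packet_info.linktype says how to read it.
SAMPLE_EVE_LINES = [
    json.dumps({"timestamp": "2024-03-05T10:15:30.123456+0000",
                "event_type": "flow", "proto": "UDP"}),
    json.dumps({"timestamp": "2024-03-05T10:15:31.000250+0000",
                "event_type": "alert",
                "alert": {"signature": "constructed example rule"},
                "packet": base64.b64encode(build_dns_query_frame()).decode(),
                "packet_info": {"linktype": LINKTYPE_ETHERNET}}),
]


def eve_alerts_to_pcap(eve_lines, out_path: str) -> int:
    """Write every event carrying a 'packet' field into a classic pcap; return the count."""
    records, linktype = [], None
    for line in eve_lines:
        event = json.loads(line)
        if "packet" not in event:          # flow/stats events, or packet logging disabled
            continue
        lt = event.get("packet_info", {}).get("linktype", LINKTYPE_ETHERNET)
        if linktype is None:
            linktype = lt
        elif lt != linktype:
            raise ValueError("one pcap file holds one link type; split the input")
        ts = datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        records.append((ts, base64.b64decode(event["packet"])))
    # Readers expect ascending timestamps; sorting here is what reordercap would otherwise fix.
    records.sort(key=lambda rec: rec[0])
    with open(out_path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535,
                             LINKTYPE_ETHERNET if linktype is None else linktype))
        for ts, raw in records:
            sec = calendar.timegm(ts.utctimetuple())
            fh.write(struct.pack("<IIII", sec, ts.microsecond, len(raw), len(raw)) + raw)
    return len(records)


def pcap_summary(path: str) -> dict:
    """What capinfos reports: size, link type, packet count, first/last timestamp, duration.
    Classic pcap only; pcapng has a different block structure."""
    with open(path, "rb") as fh:
        data = fh.read()
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC_USEC:
        raise ValueError("not a little-endian classic pcap file")
    off, count, first, last = 24, 0, None, None
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16 + incl_len
        count += 1
        last = sec + usec / 1e6
        first = last if first is None else first
    return {"file_size": len(data), "linktype": linktype, "packets": count,
            "first_ts": first, "last_ts": last,
            "duration": (last - first) if count else 0.0}


if __name__ == "__main__":
    n = eve_alerts_to_pcap(SAMPLE_EVE_LINES, "suricata_alerts.pcap")
    print(n, "packet(s) written;", pcap_summary("suricata_alerts.pcap"))
```

With the real tools the same conversion is a decode, a hex dump and text2pcap, then capinfos on the result: `jq -r .packet alert.json | base64 -d | od -Ax -tx1 -v | text2pcap - alert.pcap` followed by `capinfos alert.pcap` (the od flags are the hex-dump layout text2pcap's man page describes as its native input). The hand-written version above is only for showing what those files contain; it handles one link type per output file and classic pcap only.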