tshark for automation (cmd line wireshark - faster)
# Top IP conversations by bytes. -q suppresses per-packet output, -z conv,ip prints the
# conversation table; tr/cut squeeze it to src, "<->", dst and one numeric column. Check
# which column holds Total Bytes in your tshark version: the table has header lines, and
# newer builds print a unit word ("bytes", "kB") that shifts the field numbers, so adjust
# the -f index until the 4th output column is the byte total.
$ tshark -q -z conv,ip -r <file>.pcapng | tr -s ' ' | cut -d " " -f 1,2,3,10 | sort -k 4 -rn | head
# Distinct query names per registered domain. A domain with many unique subdomains is the
# classic DNS tunnelling / DGA tell. -Y dns keeps only DNS frames, otherwise every other
# packet contributes a blank line that ends up counted under an empty domain.
$ tshark -r <file>.pcapng -Y dns -T fields -e dns.qry.name | sort | uniq | rev | cut -d '.' -f 1-2 | rev | sort | uniq -c | sort -rn | head -10
# The same pipeline built up step by step (unique names, reversed, last two labels):
$ tshark -r <file>.pcapng -Y dns -T fields -e dns.qry.name | sort | uniq | head -4
$ tshark -r <file>.pcapng -Y dns -T fields -e dns.qry.name | sort | uniq | rev | head -4
$ tshark -r <file>.pcapng -Y dns -T fields -e dns.qry.name | sort | uniq | rev | cut -d '.' -f 1-2 | rev | head -10
# Caveat: "last two labels" is wrong for two-label public suffixes such as co.uk or com.au,
# where it collapses every customer of that suffix into one bucket.
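The counting step of the pipeline above, written as a shell script so it can be run offline. This is an added example, not part of the original notes: it takes the one-name-per-line output that `tshark -Y dns -T fields -e dns.qry.name` would produce (here a constructed sample, `SAMPLE_DNS_NAMES`, not real capture data), deduplicates it, reduces each name to its registered domain, and counts names per domain. It goes one step beyond the `rev | cut` trick by handling a short, assumed list of two-label public suffixes (`TWO_LABEL_SUFFIXES`); a real tool would consult the Public Suffix List.

```shell
#!/bin/sh
# Constructed sample of what `tshark -r x.pcapng -Y dns -T fields -e dns.qry.name`
# prints: one query name per line, duplicates included. Not real capture data.
SAMPLE_DNS_NAMES='www.example.com
www.example.com
api.example.com
mail.example.com
cdn.example.com
3a9f1c.tunnel.example.net
7b22ee.tunnel.example.net
c01d4a.tunnel.example.net
c01d4a.tunnel.example.net
mail.example.co.uk
www.example.co.uk
static.example.org'

# Two-label public suffixes for which "last two labels" is NOT the registered domain.
# Illustrative list only (an assumption of this example); the authoritative source is
# the Public Suffix List.
TWO_LABEL_SUFFIXES='co.uk ac.uk com.au co.jp'

# registered_domain: read FQDNs on stdin, print the registered domain of each.
# Blank lines (what non-DNS frames produce without -Y dns) are skipped.
registered_domain() {
    awk -v suffixes="$TWO_LABEL_SUFFIXES" '
    BEGIN { n = split(suffixes, s, " "); for (i = 1; i <= n; i++) two[s[i]] = 1 }
    NF == 0 { next }
    {
        n = split($0, l, ".")
        if (n < 2) { print $0; next }
        last2 = l[n-1] "." l[n]
        if ((last2 in two) && n >= 3) print l[n-2] "." last2   # e.g. example.co.uk
        else print last2                                       # e.g. example.net
    }'
}

# unique_names_per_domain: count DISTINCT query names per registered domain, most
# first, printed as "<domain> <count>". Many distinct names under one domain is the
# tunnelling / DGA heuristic behind the tshark pipeline above.
unique_names_per_domain() {
    sort -u | registered_domain | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Stand-alone run over the constructed sample:
printf '%s\n' "$SAMPLE_DNS_NAMES" | unique_names_per_domain
```

To use it on a capture, replace the `printf` with the tshark command itself: `tshark -r file.pcapng -Y dns -T fields -e dns.qry.name | unique_names_per_domain`. The `sort -u` before the domain reduction matters: counting raw queries would rank a busy but legitimate domain first, whereas counting distinct names surfaces the domain with thousands of never-repeated labels.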
tcpdump and windump
# Strange services/ports. service is "-" when none of Zeek's analyzers identified the
# application protocol; "-" on a non-standard port with real byte counts is worth a look,
# as is a known service on an unexpected port (e.g. ssl on 4444).
$ cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p proto service orig_ip_bytes resp_ip_bytes
# Unique user agents (user_agent is a field of http.log); numeric sort puts the rare ones first
$ cat http.log | zeek-cut user_agent | sort | uniq -c | sort -n
# Self signed certs. validation_status carries the OpenSSL verify result, e.g.
# "self signed certificate" or "self signed certificate in certificate chain";
# OpenSSL 3 spells it "self-signed", so match either. Use zcat for rotated ssl.*.log.gz.
$ cat ssl* | zeek-cut id.orig_h id.resp_h id.resp_p validation_status | grep 'self.signed' | sort | uniq
R-base
Datamash