Analyzing PCAPs with Claude Code
One of the most practical use cases for Claude Code in security work is rapid PCAP triage. In this post I'll walk through a live session where I asked Claude to analyze a DoublePulsar capture, extract IOCs, and summarize the activity — all from a single prompt.

The Prompt

analyse the /home/demo/7-DoublePulsar.pcap file, extract any IOCs, present a summary of the activity

How Claude Approached It

Claude Code located the file at /home/igor/demo/7-DoublePulsar.pcap and ran a series of tshark commands to build up a picture of the traffic:

- IP conversation summary — identified the two hosts and total frame counts
- Protocol hierarchy — discovered SMB, NBSS, DCE/RPC, LLMNR, and NBNS
- Frame-by-frame analysis — traced the full attack sequence from port scan to exploitation attempt
- SMB/445 filter — isolated the exploitation traffic and SMB command sequence
- MAC and hostname extraction — pulled NetBIOS names and ARP-derived MACs
- DoublePulsar fingerprint check ...
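The six-step sequence above, written out as a tshark script so you can reproduce the triage by hand. This is an added example, not the commands Claude emitted in the session or anything from the original post. The capture path is taken as an argument; the display filters and field names are standard tshark/Wireshark ones; and the DoublePulsar step uses the widely documented fingerprint (the one nmap's smb-double-pulsar-backdoor script relies on): an SMB1 Trans2 SESSION_SETUP response carrying Multiplex ID 0x51 (81), which an implanted host returns to the implant's "ping".

```shell
#!/usr/bin/env bash
# Added example, not from the original post: reproduce the six tshark
# triage steps against a capture given on the command line.
# Assumptions: tshark is installed, the capture is SMB1 (DoublePulsar
# only ever talked SMB1), and the DoublePulsar fingerprint is the
# documented one (Trans2 SESSION_SETUP reply with MID 0x51 = 81).
set -eu

# Display filter for a DoublePulsar "ping" reply: SMB1 Trans2 (0x32)
# response to subcommand SESSION_SETUP (0x000e) with Multiplex ID 81.
dp_filter() {
    printf '%s' 'smb.cmd == 0x32 && smb.flags.response == 1 && smb.trans2.cmd == 0x000e && smb.mid == 81'
}

# Display filter that isolates the exploitation traffic: everything on TCP/445.
smb_filter() {
    printf '%s' 'tcp.port == 445'
}

triage() {
    pcap=$1
    [ -r "$pcap" ] || { echo "cannot read $pcap" >&2; return 1; }
    command -v tshark >/dev/null 2>&1 || { echo "tshark not installed" >&2; return 1; }

    echo "== 1. IP conversations (which hosts talked, and how many frames) =="
    tshark -r "$pcap" -q -z conv,ip

    echo "== 2. Protocol hierarchy (expect SMB, NBSS, DCE/RPC, LLMNR, NBNS) =="
    tshark -r "$pcap" -q -z io,phs

    echo "== 3. Frame-by-frame timeline: number, relative time, src, dst, protocol, info =="
    tshark -r "$pcap" -T fields -E separator=/t \
        -e frame.number -e frame.time_relative -e ip.src -e ip.dst \
        -e _ws.col.Protocol -e _ws.col.Info

    echo "== 4. SMB command sequence on 445 (cmd, response flag, MID) =="
    tshark -r "$pcap" -Y "$(smb_filter) && smb" -T fields -E header=y -E separator=/t \
        -e frame.number -e ip.src -e ip.dst -e smb.cmd -e smb.flags.response -e smb.mid

    echo "== 5. NetBIOS names and ARP-derived MACs =="
    tshark -r "$pcap" -Y nbns -T fields -e ip.src -e nbns.name | sort -u
    tshark -r "$pcap" -Y arp -T fields -e arp.src.proto_ipv4 -e arp.src.hw_mac | sort -u

    echo "== 6. DoublePulsar fingerprint check =="
    hits=$(tshark -r "$pcap" -Y "$(dp_filter)" -T fields -e frame.number -e ip.src | wc -l)
    if [ "$hits" -gt 0 ]; then
        echo "DoublePulsar ping reply seen in $hits frame(s): responding host is likely implanted"
    else
        echo "no Trans2 SESSION_SETUP reply with MID 0x51: no DoublePulsar ping response in this capture"
    fi
}

# Only run when a capture path is supplied, so the file can also be
# sourced (e.g. to reuse the filters) without tshark or a capture present.
if [ "${1:-}" ]; then
    triage "$1"
fi
```

Usage: `sh triage.sh /home/igor/demo/7-DoublePulsar.pcap`. Step 6 only detects a host answering the implant's ping; an exploitation attempt that never succeeded will show the Trans2 SESSION_SETUP request (MID 0x41) in step 4 without any 0x51 reply, which is worth stating explicitly in the summary rather than reporting "no DoublePulsar" as if the traffic were benign.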