Network Traffic Forensics

Professional network forensics and packet analysis for incident response and security investigations.

Install
cmdop skills install agensi-network-traffic-forensics

Network Traffic Forensics is an AI agent skill published by agensi that enables structured, professional-grade network forensic investigations. It accepts packet captures (PCAP), flow records, and outputs from tools such as tshark, Zeek, and Wireshark, then applies a rigorous analytical methodology to reconstruct security incidents.

The skill addresses beaconing detection, lateral movement mapping, and protocol misuse during traffic reconstruction. For metadata analysis, it performs deep inspection of DNS queries, HTTP headers, TLS SNI fields, and certificate chains. From this analysis it generates forensic reporting artifacts including executive summaries, indicator of compromise (IoC) tables, and chronological event timelines. It also supports validation by aligning network evidence with endpoint logs and threat intelligence sources.

A key design goal is forensic rigor: the skill maintains chain of custody discipline, explicitly distinguishes between confirmed facts and working hypotheses, and flags evidence gaps rather than filling them with assumptions. The final output is a forensic dossier containing an evidence inventory, an analyst-grade event timeline, a categorized IoC list, and concrete validation actions suitable for incident response teams.

This skill is appropriate when an agent needs to go beyond generic AI summarization and apply a disciplined, repeatable forensic methodology to network data. It is not a live packet capture tool and does not replace dedicated network monitoring platforms.

Use cases

  • Reconstruct the sequence of events in a suspected intrusion using PCAP files
  • Detect beaconing patterns and map lateral movement across captured network flows
  • Extract and analyze DNS, HTTP header, TLS SNI, and certificate chain metadata from traffic
  • Generate a structured forensic dossier with IoC tables and chronological timelines for IR teams
  • Align network-layer evidence with endpoint logs to validate or refute attack hypotheses
  • Identify data exfiltration attempts within flow records or tool output from Zeek or Wireshark

When to use it

  • An incident response engagement requires structured forensic analysis of captured network traffic
  • An agent needs to process tshark, Zeek, or Wireshark output and produce a reportable forensic artifact
  • Chain-of-custody discipline and fact-versus-hypothesis separation are required for the investigation
  • The workflow demands automated generation of IoC tables, executive summaries, and event timelines

When not to use it

  • Live or real-time packet capture is needed — this skill processes existing captures, not live traffic
  • The investigation requires only endpoint or log-based forensics with no network traffic artifacts
  • A lightweight summary of network activity is all that is needed and forensic rigor is not a requirement
  • No PCAP, flow records, or compatible tool output is available as input