The Scapy Python library makes life a lot easier for network forensic investigators: it lets them write small scripts that automate repetitive analysis. Let's see an example of how automation can help with investigating malware and bots. Let's open the example PCAP file in Wireshark:
We can see that the PCAP file contains only 67 packets and it looks as though most of the traffic is HTTP-based. Looking at the conversations, we can see we have four of them:
Let's have a look at the HTTP requests:
We can see that some POST data is being sent from 172.16.0.130 to 185.141.27.187. However, the User-Agent string does not look like something ordinary user activity would generate. Open one of the conversations to view what sort of data we are looking at. Following the TCP stream (not the HTTP stream), we can see that the following data is being posted to...
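As an added example (not from the original text), here is a Python script that does the same triage the screenshots walk through: decode each IPv4/TCP packet, pick out HTTP request lines, and list source, destination, method and User-Agent so a POST to an unexpected host stands out. It uses only the standard library so it runs without Scapy installed; the packets are constructed inline to mimic the capture (the POST path, User-Agent and body are placeholders), and it assumes each request fits in one TCP segment, so a real capture with large POST bodies still needs stream reassembly in Scapy or Wireshark's Follow TCP Stream.

```python
import struct
def parse_ipv4_tcp(pkt):
    """Decode a raw IPv4/TCP packet (link layer stripped) into (src, dst, sport, dport, payload); None otherwise."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4 or pkt[9] != 6:  # not IPv4, or IP protocol is not TCP (6)
        return None
    ihl = (pkt[0] & 0x0F) * 4                      # IPv4 header length in bytes
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                  # TCP header length in bytes
    return src, dst, sport, dport, tcp[data_off:]

def parse_http_request(payload):
    """Return (method, host, user_agent, body) if payload starts with an HTTP request line, else None."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):  # responses and non-HTTP data fail here
        return None
    headers = {k.strip().lower(): v.strip() for k, _, v in (h.partition(b":") for h in lines[1:])}
    return (parts[0].decode(), headers.get(b"host", b"").decode(),
            headers.get(b"user-agent", b"").decode(), body)

def http_requests(packets):
    """List every HTTP request with its endpoints, so a POST to an unexpected host stands out."""
    found = []
    for layers in filter(None, map(parse_ipv4_tcp, packets)):
        req = parse_http_request(layers[4])
        if req:
            found.append(dict(src=layers[0], dst=layers[1], dport=layers[3], method=req[0],
                              host=req[1], user_agent=req[2], body=req[3]))
    return found

def build_packet(src, dst, sport, dport, payload):
    """Minimal IPv4/TCP packet builder for the constructed sample below (checksums left zero)."""
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, ip4(src), ip4(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload
# Constructed sample mimicking the capture: a POST from the infected host to 185.141.27.187
# (path, User-Agent and body are placeholders), its reply, and an ordinary GET to an unrelated server.
SAMPLE_PACKETS = [
    build_packet("172.16.0.130", "185.141.27.187", 49152, 80,
                 b"POST /placeholder HTTP/1.1\r\nHost: 185.141.27.187\r\n"
                 b"User-Agent: Mozilla/4.0 (compatible)\r\nContent-Length: 15\r\n\r\nid=bot01&os=win"),
    build_packet("185.141.27.187", "172.16.0.130", 80, 49152, b"HTTP/1.1 200 OK\r\n\r\n"),
    build_packet("172.16.0.130", "198.51.100.10", 49153, 80,
                 b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
]
```

Running `http_requests` over `rdpcap`-style raw packet bytes from a real capture gives the same per-request listing; the User-Agent field is what to compare against the browsers actually in use on the network.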