Let’s capture, inspect, and analyse Wireshark data using ChatGPT’s free version. ChatGPT will act as an interpreter of my Wireshark captures, decoding and presenting the data in a readable format, often with tables, summaries and even visual diagrams.

ChatGPT will allow us network administrators to save time not having to process tedious, infinite lines of code. By inputting prompts or queries directly in ChatGPT, we can get instant responses about our network data and help us troubleshoot issues.

As you can imagine, I’ve kept the traffic capture as simple as possible to avoid revealing too much about my existing network, so focusing only on Google searches and generating Microsoft 365/Azure traffic.

Let’s get started!

From the Wireshark Interface, Select the NIC you want to capture traffic from.

Start Capturing Traffic, by selecting Capture/Start.

Keep the capture file to about 500 packets for best results.

Pause the Traffic Capture by selecting Capture/Stop and File/Export traffic and save PCAP file as .CSV file.

This is the format supported by the free version of ChatGPT as the PCAP file version doesn’t work.

Login to ChatGPT and upload the .CSV file, or you could simply copy and paste the .CSV contents into ChatGPT.

Now that the .CSV file is uploaded we going to use the following tried and tested “prompts” in ChatGPT to query the Wireshark Capture.  Again, be creative and use prompts that are applicable to your network context.

A range of example prompts, and their outputs, will be given below.

Each of these prompts can be used individually to generate a range of responses from the AI interface.

Sample outputs for each of these are shown below.

ChatGPT Output

Here’s a full sorted table of destination IPs by packet count based on the capture you provided. I counted repeated occurrences per your packet list:

ChatGPT Observations:

ChatGPT Output

Based on your capture, most of the traffic is encrypted (QUIC/TLS), so we won’t see full URLs, but we can extract hostnames from TLS Client Hello packets, SNI fields, and DNS queries.

From your data:

Hostnames / Domains Observed

1. com – standard DNS queries, TLS connections.
2. gcp.gvt2.com – Google telemetry/analytics.
3. beacons-handoff.gcp.gvt2.com – CNAME for telemetry.
4. Multiple Google/YouTube IPs (resolved via DNS):
   • 217.16.238
   • 250.179.227
   • 250.129.132
   • 250.187.206

1. Cloudflare IP 104.18.41.41 – likely HTTPS/QUIC connection to a Cloudflare-protected site.
2. Microsoft/Azure endpoints (from RST/TLS packets):

1. • 99.202.98
   • 107.138.10
   • 190.169.25
   • 223.35.26

1. Additional TLS endpoints / CDNs:
   • 108.52.22
   • 98.224.162
   • 25.182.20
   • 72.245.140

Notes:

ChatGPT Output

Here’s a compact table summarizing hostnames observed in your capture and their corresponding IP addresses:

Notes:

ChatGPT Output

Here’s a grouped view of the hostnames/IPs by service type based on your capture:

Observations:

ChatGPT Output

From your packet capture, the IPs associated with Microsoft/Azure services are:

Notes / Observations:

The initial ChatGPT draft I started with seemed to generate way too much superfluous data, however the more I refined my prompts with further instructions, the more precise and accurate the data e.g. never include the word “all” in your prompts.

Saying that, I was awe-struck how ChatGPT provided clear instructions on parsing the different network data at different stages in the analysis e.g. ChatGPT asked if I would like a diagram or table based on the unique data I was querying, which seemed fitting for that specific query.

ChatGPT also allowed me to share what ever content throughout the analysis, so I didn’t have to copy/edit anything in word, excel etc. It did it all the embellishing for me, which is a huge time saver.

Final thought, ChatGPT dramatically enhances your existing network analysis tool, by saving you huge amounts of time and energy, by parsing and presenting data in a very accessible format that can be shared effortlessly. I can’t wait when network tools start developing Generative APIs that can integrate directly into ChatGPT so there’s no need to upload the content, but rather just query the network tool directly from ChatGPT.

I was particularly impressed with looking up traffic classifications and definitions e.g. I asked the question “What is Cloudflare edge used for?” ChatGPT gave me the definition in the context/framework of my network, see below output.

ChatGPT Output 

“Cloudflare edge servers are part of Cloudflare’s content delivery network (CDN) and security platform. Essentially, they act as the “front line” between end users and the services they’re trying to reach. Here’s a breakdown of what they do:”

1. Content Delivery

• • Purpose: Serve static content (images, scripts, CSS, HTML) from a location close to the user.
  • Benefit: Reduces latency, speeds up web page load times.

2. DDoS Protection

• • Purpose: Absorb and filter large-scale attacks at the network edge.
  • Benefit: Keeps websites online even under attack by stopping malicious traffic before it reaches the origin server.

3. Web Application Firewall (WAF)

• • Purpose: Inspect traffic for malicious patterns, like SQL injection or cross-site scripting.
  • Benefit: Protects the application from common web attacks.

In your packet capture: traffic to 104.18.41.41 (Cloudflare) likely represents requests to websites or services that use Cloudflare for security, content delivery, and performance optimization.

This article was written by our Senior Collaboration Architect, Dylan James. If you’d like to reach out to Dylan to discuss the article or any similar concepts, he’d be happy to hear from you. Please reach out to us via our contact page and we’ll get you in touch with him.

Thanks for reading.