Recipe: PCAP traffic summarizer
Ingest a PCAP file and produce a human-readable summary of protocols, top talkers, and connection patterns.
Overview
This recipe walks through building a lightweight PCAP summarizer that extracts key metadata without full packet inspection. Output includes protocol distribution, IP pair rankings, and byte counts.
Ingredients
- tshark or tcpdump for capture replay
- Python 3.11+ with scapy or dpkt
- Meridian agent for file-watch trigger
- Output target: JSON blob or Markdown report
Steps
- Watch directory — Configure Meridian to monitor /incoming/pcaps.
- Parse on arrival — On each new file, invoke the summarizer script. Extract only the Ethernet, IP, and transport-layer headers.
- Aggregate stats — Count packets per protocol, track src/dst IP pairs, and sum bytes transferred per pair.
- Emit report — Write structured JSON to /outgoing/reports.
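The parse, aggregate and emit steps above, as an added example that is not the recipe's or Meridian's own code: a header-only pass written in plain Python 3 with struct (no scapy or dpkt needed) that reads classic libpcap input (not pcapng) and returns a dict in the shape of the sample report. The capture it summarizes is constructed inline from hand-built Ethernet/IPv4 frames; in the recipe's flow the bytes would instead be read from the file Meridian delivers under /incoming/pcaps.

```python
import struct
from collections import Counter

ETH_HDR = 14                                    # Ethernet II header length
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
def pcap_records(data: bytes):
    """Yield each captured frame from classic libpcap bytes (pcapng is not handled)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    off = 24                                    # skip the 24-byte global header
    while off + 16 <= len(data):                # record header: ts_sec, ts_usec, incl_len, orig_len
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def summarize(data: bytes, top_n: int = 5) -> dict:
    """Protocol mix, src/dst pairs ranked by bytes, and packet count, in the sample-report shape."""
    protos, pairs, total = Counter(), Counter(), 0
    for frame in pcap_records(data):
        total += 1
        # Header-only inspection: classify Ethernet/IPv4 frames carrying a complete 20-byte IP header.
        if len(frame) < ETH_HDR + 20 or frame[12:14] != b"\x08\x00":
            protos["other"] += 1                # ARP, IPv6, VLAN-tagged or truncated: counted, not parsed
            continue
        ip = frame[ETH_HDR:]
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        protos[PROTO_NAMES.get(ip[9], f"ip-{ip[9]}")] += 1
        pairs[(src, dst)] += len(frame)         # bytes on the wire, headers included
    talkers = [{"src": s, "dst": d, "bytes": b} for (s, d), b in pairs.most_common(top_n)]
    return {"total_packets": total,
            "protocols": {p: round(n / total, 2) for p, n in protos.most_common()},
            "top_talkers": talkers}

def ipv4_frame(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed test input: Ethernet II + minimal IPv4 header (checksum left zero) + payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload

def pcap_bytes(frames) -> bytes:
    """Constructed classic pcap: little-endian global header, link type 1 (Ethernet), then records."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed sample capture: 7 TCP, 2 UDP and 1 ICMP frames from one internal host to three peers.
SAMPLE_PCAP = pcap_bytes([ipv4_frame("10.0.0.5", "93.184.216.34", 6, b"\x00" * 1000)] * 7
                         + [ipv4_frame("10.0.0.5", "10.0.0.53", 17, b"\x00" * 100)] * 2
                         + [ipv4_frame("10.0.0.5", "10.0.0.1", 1, b"\x00" * 8)])
```

Pass the returned dict to json.dumps to produce the JSON blob the Emit step writes; frames that are not plain Ethernet/IPv4 are counted under "other" rather than silently dropped, so the packet total still matches the capture.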
Sample output
{
  "total_packets": 18420,
  "protocols": { "TCP": 0.72, "UDP": 0.21, "ICMP": 0.07 },
  "top_talkers": [
    { "src": "10.0.0.5", "dst": "93.184.216.34", "bytes": 1048576 }
  ]
}
Next steps
Extend with GeoIP enrichment, TLS JA3 fingerprinting, or anomaly scoring. See the recipes index for related patterns.