
analyzing-network-traffic-with-wireshark

Captures and analyzes network packet data using Wireshark and tshark to identify malicious traffic patterns, diagnose protocol issues, extract artifacts, and support incident response investigations on authorized network segments.

83

Quality: 80% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Risky (Do not use without reviewing)


Quality

Discovery: 82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong description with excellent specificity and distinctive terminology that clearly identifies its niche in network packet analysis and forensics. The main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know precisely when to select this skill over others. Adding trigger guidance would elevate this from a good to an excellent description.

Suggestions

Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about packet capture, network traffic analysis, pcap files, Wireshark, tshark, or network forensics investigations.'

Dimension scores (reasoning and score):

Specificity (3 / 3)
Lists multiple specific concrete actions: 'captures and analyzes network packet data', 'identify malicious traffic patterns', 'diagnose protocol issues', 'extract artifacts', and 'support incident response investigations'. These are concrete, actionable capabilities.

Completeness (2 / 3)
The 'what' is clearly answered with specific capabilities, but there is no explicit 'Use when...' clause or equivalent trigger guidance. The 'when' is only implied by the nature of the actions described. Per rubric guidelines, a missing 'Use when...' clause caps completeness at 2.

Trigger Term Quality (3 / 3)
Includes strong natural keywords users would say: 'network packet', 'Wireshark', 'tshark', 'malicious traffic', 'protocol issues', 'incident response', 'packet data'. These cover the domain well and match how security analysts and network engineers naturally describe their needs.

Distinctiveness / Conflict Risk (3 / 3)
Highly distinctive with specific tool names (Wireshark, tshark), domain-specific terms (packet capture, malicious traffic patterns, protocol issues), and a clear niche in network forensics/analysis. Unlikely to conflict with other skills.

Total: 11 / 12 (Passed)

Implementation: 77%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a strong, highly actionable skill with excellent executable examples covering the full network traffic analysis workflow. Its main weakness is moderate verbosity — the Key Concepts glossary and Tools & Systems section explain things Claude already knows, and the entire document could benefit from splitting reference material into separate files. The workflow is well-sequenced with good forensic integrity practices (hashing, evidence preservation).

Suggestions

Remove or significantly trim the Key Concepts table and Tools & Systems section — Claude already knows what BPF filters, PCAPNG, TCP streams, and tshark are.

Move the detailed scenario and output format template into separate reference files (e.g., SCENARIOS.md, REPORT_TEMPLATE.md) and link to them from the main skill.

Dimension scores (reasoning and score):

Conciseness (2 / 3)
The skill is mostly efficient with good executable examples, but includes some unnecessary content like the Key Concepts table (Claude knows what BPF, PCAPNG, and TCP streams are), the Tools & Systems descriptions, and some verbose explanations. The prerequisites section also over-explains (e.g., 'estimate 1 GB per minute on busy gigabit links' is useful, but 'Familiarity with TCP/IP protocols' is telling Claude what it already knows).

Actionability (3 / 3)
Excellent actionability throughout — every step contains fully executable tshark commands with realistic flags, filters, and output redirections. The commands are copy-paste ready with concrete examples of capture filters, display filters, artifact extraction, and statistical analysis. The scenario walkthrough provides a complete end-to-end investigation workflow.

Workflow Clarity (3 / 3)
The six-step workflow is clearly sequenced from capture setup through reporting, following a logical investigation progression. The scenario section includes a numbered approach with validation considerations (chain of custody hashing, evidence preservation). The pitfalls section serves as implicit validation checkpoints, and Step 6 includes evidence integrity verification with SHA-256 hashing.

Progressive Disclosure (2 / 3)
The content is well-structured with clear sections and headers, but it's a monolithic document with no references to external files for advanced topics. The Key Concepts table, Tools & Systems section, and detailed scenario could be split into separate reference files. For a skill of this length (~180+ lines of content), some progressive disclosure to external files would improve organization.

Total: 10 / 12 (Passed)

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 passed

Validation for skill structure (criteria, description, result):

frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing or moving to metadata. Result: Warning

Total: 10 / 11 (Passed)

Repository: mukul975/Anthropic-Cybersecurity-Skills (Reviewed)
