Abstract

PA Toolkit is a collection of traffic analysis plugins to extend the functionality of Wireshark from a micro-analysis tool and protocol dissector to the macro analyzer and threat hunter. PA Toolkit contains plugins (both dissectors and taps) covering various scenarios for multiple protocols, including:

WiFi (WiFi network summary, Detecting beacon, deauth floods, Evil twin etc.)
VoIP ( Overview of extensions, servers, Detecting invite flood, message flood, SIP auth bruteforcing, Decrypting encrypted VoIP conversation)
HTTP (Listing all visited websites, downloaded files, streaming files, Detecting HTTP Tunnels)
HTTPS (Listing all websites opened on HTTPS, Detecting self-signed certificates)
ARP (MAC-IP table, Detect MAC spoofing and ARP poisoning)
DNS (Listing DNS servers used and DNS resolution, Detecting DNS Tunnels)

The key advantage of using PA toolkit is that any user can check security related summary and detect common attacks just by running Wireshark. And, he can do this on the platform of his choice. Also, as the project is open source and written in newbie-friendly Lua language, one can easily extend existing plugins or reuse the code to write plugins of his own.