# Networking Skill

## Quick Workflow

Progress:
- Get protocol overview (tshark -z io,phs)
- Search strings for flag pattern
- Export HTTP/SMB objects
- Follow interesting streams
- Check for credentials/exfiltration
- Extract flag
## Quick Analysis Pipeline

1. Basic info

```bash
capinfos capture.pcap
file capture.pcap
```

2. Protocol hierarchy

```bash
tshark -r capture.pcap -z io,phs
```

3. Conversations

```bash
tshark -r capture.pcap -z conv,tcp
```

4. Quick string search

```bash
strings capture.pcap | grep -i flag
tshark -r capture.pcap -Y "frame contains flag"
```
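Step 4 and the "Follow interesting streams" item above hinge on one caveat: `strings` only sees bytes that are contiguous in the file, so a flag split across TCP segments, or delivered out of order, stays invisible until the stream is reassembled. The following stand-alone example, added here and not part of this skill's reference files, reimplements that reassembly with the standard library and runs it over a constructed pcap; `build_frame`, `build_pcap`, `tcp_streams`, `find_flags` and the sample addresses are all invented for the demo.

```python
import re
import struct
from collections import defaultdict

FLAG_RE = re.compile(rb"flag\{[^}]*\}")

def build_frame(src, dst, sport, dport, seq, payload):
    # Constructed Ethernet/IPv4/TCP frame; checksums are zeroed, the parser ignores them.
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, src, dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames):
    # Classic libpcap layout: 24-byte global header, then a 16-byte record header per frame.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def tcp_streams(pcap_bytes):
    """Group TCP payloads by (src, sport, dst, dport) and join them in sequence order."""
    segments = defaultdict(list)
    off = 24
    while off < len(pcap_bytes):
        incl = struct.unpack_from("<IIII", pcap_bytes, off)[2]
        frame = pcap_bytes[off + 16 : off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:  # IPv4 and TCP only
            continue
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl :]
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        data = tcp[(tcp[12] >> 4) * 4 :]
        if data:
            segments[(frame[26:30], sport, frame[30:34], dport)].append((seq, data))
    return {k: b"".join(d for _, d in sorted(v)) for k, v in segments.items()}

def find_flags(pcap_bytes):
    """Return (flags found after reassembly, flags visible in the raw file bytes)."""
    reassembled = {m for s in tcp_streams(pcap_bytes).values() for m in FLAG_RE.findall(s)}
    return reassembled, set(FLAG_RE.findall(pcap_bytes))

# Constructed sample: the flag is split across two segments and the second one was
# captured first, so a raw `strings | grep` over the file never sees it whole.
A, B = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
SAMPLE = build_pcap([
    build_frame(A, B, 40000, 80, 1, b"GET /secret HTTP/1.1\r\nHost: ctf\r\n\r\n"),
    build_frame(B, A, 80, 40000, 35, b"4567}\r\n"),
    build_frame(B, A, 80, 40000, 1, b"HTTP/1.1 200 OK\r\n\r\nflag{split_0123"),
])
```

On a real capture, `tshark -z follow,tcp,ascii,N` or tcpflow does the same job; the point is to run the flag search on reassembled streams, not only on the file bytes.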
## Reference Files

| Topic | Reference |
|---|---|
| Wireshark Filters & tshark | reference/wireshark.md |
| Protocol Analysis (HTTP, DNS, FTP, etc.) | reference/protocols.md |
| CTF Patterns & Attacks | reference/ctf-patterns.md |
## Tools Quick Reference

| Tool | Purpose | Install |
|---|---|---|
| Wireshark | GUI packet analysis | `brew install wireshark` |
| tshark | CLI packet analysis | `brew install wireshark` |
| tcpdump | Packet capture | Built-in |
| tcpflow | TCP stream extraction | `brew install tcpflow` |
| nmap | Port scanning | `brew install nmap` |
| masscan | Fast port scanning | `brew install masscan` |
| scapy | Packet manipulation | `pip install scapy` |
## Scapy Quick Reference

```python
from scapy.all import rdpcap, TCP, Raw

# Read PCAP
packets = rdpcap('capture.pcap')

# Filter packets: keep TCP segments sent to port 80
http_packets = [p for p in packets if TCP in p and p[TCP].dport == 80]

# Extract data: print the raw payload of every packet that carries one
for p in packets:
    if Raw in p:
        print(p[Raw].load)
```