PCAP Analysis

Level: intermediate · Time: 40 min · Type: Writeup

Analyzing network captures in CTFs

Learning Objectives

  • Navigate large PCAPs
  • Extract files from traffic
  • Find credentials in traffic
  • Analyze protocols

PCAP analysis involves examining captured network traffic to find evidence, credentials, or flags. It's like having a recording of every conversation on the network - you just need to know where to look!

PCAP = Packet Capture. Tools like Wireshark capture traffic into .pcap or .pcapng files. CTF challenges give you captures to analyze for hidden data, credentials, or transferred files.

Wireshark Basics

```bash
# Open capture
wireshark capture.pcap

# Key panels:
# 1. Packet List - All captured packets
# 2. Packet Details - Dissected layers
# 3. Packet Bytes - Raw hex/ASCII

# Basic navigation:
# - Click packet to select
# - Ctrl+G: Go to packet number
# - Ctrl+F: Find (by display filter, hex, string, regex)

# Statistics menu:
# - Protocol Hierarchy: What protocols are used
# - Conversations: Who talked to whom
# - Endpoints: All IPs involved
# - HTTP: Request/response stats
```

Start Here

Always check Statistics → Protocol Hierarchy first. It shows what types of traffic exist and helps you focus your search!

Display Filters

```text
# Essential Wireshark display filters

# Protocol filters
http
dns
ftp
tcp
udp
icmp
# TLS ("ssl" is the old name used by Wireshark versions before 3.0; current versions only accept "tls")
tls

# IP filters
ip.addr == 192.168.1.1
ip.src == 10.0.0.1
ip.dst == 10.0.0.2

# Port filters
tcp.port == 80
tcp.port == 443
tcp.port == 21

# Content filters ("contains" is a case-sensitive byte match;
# use matches "(?i)password" when you need a case-insensitive regex)
http contains "flag"
frame contains "password"
tcp contains "secret"

# HTTP specific
http.request
http.response
http.request.method == "POST"
http.request.uri contains "login"
http.response.code == 200

# Follow streams
# Right-click → Follow → TCP Stream
# Shows the full conversation, both directions, in order

# Combine filters
http and ip.addr == 192.168.1.100
tcp.port == 80 or tcp.port == 8080
http.request.method == "POST" and frame contains "password"
```

HTTP Analysis

```bash
# HTTP traffic is often unencrypted gold!

# Wireshark: File → Export Objects → HTTP
# Lists all files transferred via HTTP (request bodies and response bodies)
# Save interesting files

# Look for:
# - Login forms (credentials in POST data)
# - File uploads/downloads
# - API requests with tokens (Authorization headers, Bearer tokens)
# - Cookies and session IDs

# tshark command-line: print the body of every POST request
tshark -r capture.pcap -Y 'http.request.method == "POST"' -T fields -e http.file_data

# Extract all HTTP objects into a directory
tshark -r capture.pcap --export-objects http,exported_files/

# Find URLs requested
tshark -r capture.pcap -Y "http.request" -T fields -e http.host -e http.request.uri
```

HTTP POST requests often contain form data - usernames, passwords, and other sensitive info transmitted in plaintext!

FTP Analysis

```bash
# FTP transmits everything in plaintext, credentials included!

# Wireshark filter (control channel, port 21)
ftp

# Find credentials
ftp.request.command == "USER"
ftp.request.command == "PASS"

# Find transferred files (a separate data connection per transfer)
ftp-data

# Extract FTP files
# Follow the TCP stream of the ftp-data packets and save it as raw bytes;
# newer Wireshark versions can also do File → Export Objects → FTP-DATA

# tshark: list every command and argument on the control channel
tshark -r capture.pcap -Y "ftp.request.command" -T fields -e ftp.request.command -e ftp.request.arg

# Manual: Follow TCP stream → Show data as Raw → Save As
```
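The HTTP and FTP sections above both come down to the same job: reassemble a TCP stream and read the cleartext out of it. The following is an added example, not code from the original page, that does that end to end in pure Python: it writes a small constructed pcap (hypothetical hosts 10.0.0.5, 10.0.0.80 and 10.0.0.21; no real capture), reads it back with a minimal libpcap parser, orders segments by sequence number per direction, and then pulls out FTP USER/PASS lines, HTTP Basic credentials, login-form POST fields and anything matching the page's flag regex. The reader deliberately handles only untagged Ethernet/IPv4/TCP and ignores retransmissions and overlaps, which Wireshark's Follow TCP Stream does properly.

```python
import base64
import re
import socket
import struct
from collections import defaultdict
from urllib.parse import parse_qs

# --- Constructed sample capture (hypothetical hosts, not a real CTF file) ---
# A tiny pcap writer so the example runs offline. IP/TCP checksums are left
# zero: Wireshark would flag them, but the reader below never checks them.
def tcp_frame(src, dst, sport, dport, seq, payload):
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp + payload

def build_pcap(frames):
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # LINKTYPE_ETHERNET
    for ts, frame in enumerate(frames):
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

SAMPLE_PCAP = build_pcap([
    # HTTP login POST; the body segment was captured before the header segment
    tcp_frame("10.0.0.5", "10.0.0.80", 51000, 80, 1112, b"username=alice&password=hunter2"),
    tcp_frame("10.0.0.5", "10.0.0.80", 51000, 80, 1000,
              b"POST /login HTTP/1.1\r\nHost: ctf.example\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 31\r\n\r\n"),
    tcp_frame("10.0.0.80", "10.0.0.5", 80, 51000, 5000,
              b"HTTP/1.1 200 OK\r\nContent-Length: 17\r\n\r\nflag{pcap_is_fun}"),
    # HTTP Basic auth header and an FTP control-channel login
    tcp_frame("10.0.0.5", "10.0.0.80", 53000, 8080, 1,
              b"GET /api HTTP/1.1\r\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\n"),
    tcp_frame("10.0.0.5", "10.0.0.21", 52000, 21, 1, b"USER bob\r\n"),
    tcp_frame("10.0.0.5", "10.0.0.21", 52000, 21, 11, b"PASS s3cret!\r\n"),
])

def iter_frames(pcap):
    """Yield link-layer frames from a classic pcap (not pcapng) blob."""
    magic = struct.unpack("<I", pcap[:4])[0]
    end = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        off += 16
        yield pcap[off:off + incl]
        off += incl

def tcp_segment(frame):
    """(src, sport, dst, dport, seq, payload) for an untagged IPv4/TCP frame, else None."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                                          # not TCP
        return None
    tcp = ip[ihl:total]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    doff = (tcp[12] >> 4) * 4
    return socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport, seq, tcp[doff:]

def reassemble(pcap):
    """Per-direction reassembly: order segments by seq and concatenate. Overlaps and
    retransmissions are ignored (Wireshark's Follow TCP Stream handles those)."""
    flows = defaultdict(list)
    for frame in iter_frames(pcap):
        seg = tcp_segment(frame)
        if seg and seg[5]:
            flows[seg[:4]].append((seg[4], seg[5]))
    return {k: b"".join(p for _, p in sorted(v)) for k, v in flows.items()}

def find_credentials(pcap):
    """Plaintext creds from FTP USER/PASS, HTTP Basic auth and HTTP form POSTs."""
    found = []
    for (src, sport, dst, dport), data in reassemble(pcap).items():
        text, where = data.decode("latin-1"), f"{src}:{sport} -> {dst}:{dport}"
        for line in text.splitlines():
            if line.startswith(("USER ", "PASS ")):
                found.append(("ftp", where, line.strip()))
            elif line.lower().startswith("authorization: basic "):
                found.append(("http-basic", where, base64.b64decode(line.split()[-1]).decode()))
        if text.startswith("POST ") and "\r\n\r\n" in text:
            body = text.split("\r\n\r\n", 1)[1]
            for key, vals in parse_qs(body).items():
                if any(w in key.lower() for w in ("user", "pass", "pwd", "login")):
                    found.append(("http-form", where, f"{key}={vals[0]}"))
    return found

FLAG_RE = re.compile(rb"[A-Za-z]+\{[^}]+\}")               # the page's flag pattern

def find_flags(pcap):
    """Every flag-shaped string in any reassembled stream."""
    return sorted({m.group().decode() for data in reassemble(pcap).values()
                   for m in FLAG_RE.finditer(data)})
```

Run `find_credentials(SAMPLE_PCAP)` and `find_flags(SAMPLE_PCAP)` to see the four credentials and the flag; for a real file, `reassemble(open("capture.pcap", "rb").read())` gives the same per-direction streams you would get from tshark's `follow,tcp` output, one entry per (src, sport, dst, dport).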

DNS Analysis

```bash
# DNS can be used for data exfiltration!

# Wireshark filter
dns

# Look for:
# - Unusual domain names (encoded data?)
# - DNS tunneling (very long subdomain names, many labels, base32/base64 alphabet)
# - TXT record queries (the responses can carry data back to the client)

# Suspicious patterns:
# - aGVsbG8gd29ybGQ.evil.com (base64 "hello world" as the leftmost label; real
#   tunnels strip the '=' padding because it is not a valid hostname character)
# - Very frequent DNS queries to the same domain, each with a different subdomain

# DNS query analysis (queries only: dns.flags.response == 0 excludes the answers)
tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name

# Check for TXT records
tshark -r capture.pcap -Y "dns.txt" -T fields -e dns.txt
```
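To turn the query-name listing from the tshark command above into something you can act on, the following added example (not code from the original page) scores each name: length and Shannon entropy of the leftmost label, whether it decodes as base64, and how many queries the capture holds for that domain. The input is a constructed list of names standing in for `tshark ... -e dns.qry.name` output, with evil.com and example.com as hypothetical domains; the tunnelled labels are produced by encoding two chunks the way a tunnelling client would, padding stripped. `recover_payload` then reassembles the chunks in capture order.

```python
import base64
import binascii
import math
from collections import Counter

# --- Constructed sample (hypothetical domains, not a real capture) ----------
# A tunnelling client typically base64-encodes each chunk, strips the '=' padding
# (not a legal hostname character) and sends it as the leftmost label.
EXFIL_CHUNKS = [b"hello world", b"flag{dns_exfil}"]

def encode_label(chunk):
    return base64.b64encode(chunk).decode().rstrip("=")

# What `tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name`
# might print, one query name per line, for a mix of normal and tunnelled lookups.
SAMPLE_QUERIES = (["www.example.com", "cdn.example.com"]
                  + [f"{encode_label(c)}.evil.com" for c in EXFIL_CHUNKS]
                  + ["mail.example.com", "www.example.com"])

def shannon_entropy(s):
    """Bits per character; base64 data sits well above ordinary hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def try_base64(label):
    """Re-pad and decode; return printable ASCII text, or None if it is not base64."""
    try:
        raw = base64.b64decode(label + "=" * (-len(label) % 4), validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def registered_domain(name):
    return ".".join(name.split(".")[-2:])        # crude: no public-suffix list

def triage_queries(names, min_label=20, min_entropy=3.5):
    """Flag query names whose first label is long, high-entropy or decodes as base64."""
    per_domain = Counter(registered_domain(n) for n in names)
    report = []
    for name in dict.fromkeys(names):                       # dedupe, keep order
        label = name.split(".")[0]
        decoded = try_base64(label) if len(label) >= 8 else None   # short labels decode by chance
        entropy = round(shannon_entropy(label), 2)
        if len(label) >= min_label or entropy >= min_entropy or decoded is not None:
            report.append({"name": name, "label_len": len(label), "entropy": entropy,
                           "decoded": decoded, "domain_queries": per_domain[registered_domain(name)]})
    return report

def recover_payload(names, domain):
    """Concatenate the decoded first labels sent to one domain, in capture order."""
    chunks = [try_base64(n.split(".")[0]) for n in names if registered_domain(n) == domain]
    return "".join(c for c in chunks if c)
```

The thresholds are starting points, not rules: CDN and cloud hostnames often carry long hashed labels, so on a real capture read `domain_queries` together with the other columns rather than alerting on length alone, and try `base64.b32decode` as well, since many tunnels use base32 to stay case-insensitive.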

TLS/HTTPS Analysis

```bash
# TLS is encrypted, but...

# With the server's private key you can decrypt - but only sessions that used RSA
# key exchange. With (EC)DHE cipher suites or TLS 1.3 the private key is not enough;
# you need the session secrets from a key log instead.
# Wireshark: Edit → Preferences → Protocols → TLS
# Add the key under "RSA keys list", or the log under "(Pre)-Master-Secret log filename"

# Without keys, still useful:
# - SNI (Server Name Indication) shows the hostname, sent in clear in the ClientHello
# - Certificate information (visible in TLS 1.2 and earlier; encrypted in TLS 1.3)
# - Connection patterns

# Filter for TLS
tls

# See server names (SNI)
tls.handshake.extensions_server_name

# Check certificate
# Expand TLS → Handshake → Certificate

# If you can capture a key log from the client:
# Set the variable in the environment the browser is launched from, e.g.
export SSLKEYLOGFILE=/tmp/keys.log && firefox
# Then point Wireshark's "(Pre)-Master-Secret log filename" TLS preference at it
```

File Extraction

```bash
# Wireshark GUI
# File → Export Objects → HTTP / SMB / DICOM / TFTP (newer versions also offer FTP-DATA and IMF)

# NetworkMiner (Windows; runs on Linux/macOS under Mono)
# Automatic file extraction and credential recovery

# tcpflow - Write every TCP stream to a file, one file per direction
tcpflow -r capture.pcap -o output_dir/

# foremost on pcap - carves by file signature straight out of the capture;
# works well for small files, but a file spread over many segments comes out
# interleaved with packet headers, so prefer a reassembled stream when you can
foremost -i capture.pcap -o carved_files/

# Manual stream extraction
# 1. Right-click packet → Follow → TCP Stream
# 2. Show data as: Raw, and select one direction (e.g. server → client)
# 3. Save as... (binary file), then cut off the protocol headers in front of the payload

# Look for file signatures in streams
# (strings drops non-printable bytes, so the 0x89 before "PNG" never appears in its
# output; match on the printable part of each magic instead)
strings capture.pcap | grep -E "^PK|%PDF|GIF8|PNG"
```

tshark Quick Reference

```bash
# tshark - Command-line Wireshark

# Read pcap
tshark -r capture.pcap

# Apply a display filter
tshark -r capture.pcap -Y "http"

# Extract specific fields
tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e http.request.uri

# Statistics (-q suppresses the per-packet output so only the report is printed)
tshark -r capture.pcap -q -z io,phs      # Protocol hierarchy
tshark -r capture.pcap -q -z conv,tcp    # Conversations

# Follow a stream (stream index 0, as shown by the tcp.stream field in Wireshark)
tshark -r capture.pcap -q -z follow,tcp,ascii,0

# Quick flag search (quote the literal; contains is case-sensitive)
tshark -r capture.pcap -Y 'frame contains "flag"' -V

# Strings alternative (grep -i is case-insensitive, unlike "contains")
strings capture.pcap | grep -i flag
strings capture.pcap | grep -E "[A-Za-z]+\{[^}]+\}"
```

PCAP Analysis Checklist

□ Check protocol hierarchy (what protocols exist?)
□ Search for "flag", "password", "secret" in packet contents
□ Export HTTP objects
□ Follow interesting TCP streams
□ Check FTP/Telnet for cleartext credentials
□ Examine DNS queries for exfiltration
□ Look for file transfers
□ Check unusual ports for hidden services
□ Note any base64/encoded strings
□ Use tshark for quick command-line analysis

Knowledge Check


What should you check first when analyzing a PCAP file?

Key Takeaways

  • Check protocol hierarchy first to understand the traffic
  • Use display filters to focus on relevant packets
  • Export HTTP objects for transferred files
  • Follow TCP streams to see full conversations
  • FTP and HTTP often contain cleartext credentials
  • DNS can be used for data exfiltration - check long subdomains