Networking Skill
Quick Workflow
code
Progress: - [ ] Get protocol overview (tshark -z io,phs) - [ ] Search strings for flag pattern - [ ] Export HTTP/SMB objects - [ ] Follow interesting streams - [ ] Check for credentials/exfiltration - [ ] Extract flag
Quick Analysis Pipeline
bash
# 1. Basic info capinfos capture.pcap file capture.pcap # 2. Protocol hierarchy tshark -r capture.pcap -z io,phs # 3. Conversations tshark -r capture.pcap -z conv,tcp # 4. Quick string search strings capture.pcap | grep -i flag tshark -r capture.pcap -Y "frame contains flag"
Reference Files
| Topic | Reference |
|---|---|
| Wireshark Filters & tshark | reference/wireshark.md |
| Protocol Analysis (HTTP, DNS, FTP, etc.) | reference/protocols.md |
| CTF Patterns & Attacks | reference/ctf-patterns.md |
Tools Quick Reference
| Tool | Purpose | Install |
|---|---|---|
| Wireshark | GUI packet analysis | brew install wireshark |
| tshark | CLI packet analysis | brew install wireshark |
| tcpdump | Packet capture | Built-in |
| tcpflow | TCP stream extraction | brew install tcpflow |
| nmap | Port scanning | brew install nmap |
| masscan | Fast port scanning | brew install masscan |
| scapy | Packet manipulation | pip install scapy |
Scapy Quick Reference
python
from scapy.all import *
# Read PCAP
packets = rdpcap('capture.pcap')
# Filter packets
http_packets = [p for p in packets if TCP in p and p[TCP].dport == 80]
# Extract data
for p in packets:
if Raw in p:
print(p[Raw].load)