Networking
Extracting HTTP request query strings (the second form also prints each request's frame timestamp):
tshark -r WebSearchingFlagCTF2019.pcapng -Y http.request.uri.query -T fields -e http.request.uri.query
tshark -r WebSearchingFlagCTF2019.pcapng -Y http.request.uri.query -T fields -e http.request.uri.query -e frame.time
https://www.activecountermeasures.com/blog-tshark-examples-for-extracting-ip-fields/
Extracting transferred files (exported objects) from a capture; replace smb with http to export HTTP objects instead:
tshark -nr capture.pcap --export-objects smb,./
Examining the HTTP statistics tree (request/response metadata) for all HTTP traffic in the capture:
tshark -r capture.pcap -q -z http,tree
Unique list of source ports used by 10.0.2.6 in an nmap scan capture (60-byte frames excluded):
tshark -r nmap_scan.pcapng -Y "ip.src == 10.0.2.6 and frame.len != 60" -T fields -e tcp.srcport | sort -n | uniq
Look through all UDP streams for a CTF flag marker (the data.text field is only populated when the data.show_as_text preference is enabled, hence the -o option):
flag="picoCTF"
PCAP="capture.pcap"
# highest udp.stream index in the capture (streams are numbered from 0)
END=$(tshark -r "$PCAP" -T fields -e udp.stream | sort -n | tail -1)
for ((i=0; i<=END; i++)); do
  # join the stream's payloads before grepping so a flag split across datagrams is still found
  if tshark -r "$PCAP" -Y "udp.stream eq $i" -T fields -e data.text -o data.show_as_text:TRUE 2>/dev/null \
       | tr -d '\n' | grep "$flag"; then
    echo "(Stream #$i)"
  fi
done
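The loop above re-reads the capture once per UDP stream. As an added example (not part of the original cheat sheet), the following Python script performs the same search over the output of a single tshark run: it groups payloads by udp.stream, joins each stream's bytes, and only then looks for the marker, so a flag that straddles a datagram boundary is still found (the per-packet check is included to show what a naive grep would miss). The tshark output embedded in the script is constructed; the file name udp_payloads.tsv and the FLAG_MARKER value are assumptions. On newer Wireshark releases the udp.payload field can be used in place of data if the latter is empty for dissected protocols.

```python
"""Search reassembled UDP stream payloads for a flag marker.

Added example, not part of the original cheat sheet. Instead of running tshark
once per stream, dump every UDP payload with one invocation and post-process
the result here (assumed file name):

    tshark -r capture.pcap -Y udp -T fields -e udp.stream -e data > udp_payloads.tsv
    python3 udp_flag_search.py udp_payloads.tsv

With -T fields, a bytes field such as `data` is printed as a plain hex string,
so each line is "<udp.stream>\t<hex payload>" (the second column is empty for
datagrams tshark dissected as something other than raw data).
"""
import sys
from collections import defaultdict

FLAG_MARKER = "picoCTF"  # assumed marker; adjust for the CTF at hand


def parse_fields_output(text):
    """Group payload bytes by udp.stream number, preserving packet order."""
    streams = defaultdict(bytearray)
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 2 or not cols[0] or not cols[1]:
            continue  # blank line, or a packet with no data column
        try:
            streams[int(cols[0])] += bytes.fromhex(cols[1])
        except ValueError:
            continue  # not a stream index / not hex: skip the line
    return dict(streams)


def streams_with_marker_per_packet(text, marker):
    """Naive check: streams where one single datagram already contains the marker."""
    hits = set()
    marker_bytes = marker.encode()
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) >= 2 and cols[0] and cols[1]:
            try:
                if marker_bytes in bytes.fromhex(cols[1]):
                    hits.add(int(cols[0]))
            except ValueError:
                pass
    return sorted(hits)


def find_marker_in_streams(streams, marker, context=60):
    """Return {stream: snippet} for streams whose joined payload contains marker.

    Joining the payloads first (like `tr -d '\\n'` in the shell loop) is what
    makes a marker that straddles a datagram boundary visible.
    """
    marker_bytes = marker.encode()
    hits = {}
    for stream, payload in sorted(streams.items()):
        idx = payload.find(marker_bytes)
        if idx != -1:
            snippet = payload[idx:idx + len(marker_bytes) + context]
            hits[stream] = snippet.decode("ascii", errors="replace")
    return hits


# Constructed sample standing in for real tshark output: three streams, with the
# marker split across two datagrams of stream 1 ("...pico" + "CTF{...}").
SAMPLE_PACKETS = [
    (0, b"hello world"),
    (1, b"the flag is pico"),
    (2, b"nothing to see here"),
    (1, b"CTF{udp_reassembly}\n"),
    (3, b""),  # datagram without a data field -> empty second column
]
SAMPLE_TSHARK_OUTPUT = "\n".join(f"{s}\t{p.hex()}" for s, p in SAMPLE_PACKETS) + "\n"


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else sys.stdin.read()
    streams = parse_fields_output(text)
    hits = find_marker_in_streams(streams, FLAG_MARKER)
    for stream, snippet in hits.items():
        print(f"(Stream #{stream}) {snippet!r}")
    return 0 if hits else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the sample by importing the module and calling the functions on SAMPLE_TSHARK_OUTPUT: the per-packet check finds nothing, while the stream-level search reports stream 1 with the full picoCTF{...} text.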
Resources:
* https://www.maki.bzh/articles/wiresharkhowtobasic/