WIRESHARK — Practical Guide

1. INTRODUCTION

Wireshark is the most widely used packet analyzer for:

- Network forensics
- Pentesting
- Debugging
- Traffic analysis

It allows capturing, filtering, decoding, and inspecting every packet on the network.


2. CAPTURING TRAFFIC

Start capture:

- Select interface (eth0, wlan0, etc.)
- Click “Start Capturing”

Promiscuous mode:

- Accept every frame the NIC sees, not only frames addressed to it (on a switched LAN that is still only the traffic the switch forwards to your port)

Monitor mode (Wi-Fi):

- Capture raw 802.11 frames (management and control frames included, not just data frames)

3. BASIC FILTERING

Common display filters:

    ip.addr == 10.10.10.5
    tcp.port == 80
    udp.port == 53
    http
    dns
    arp
    icmp

ip.addr and the port fields match either end of the conversation; a bare protocol name keeps every packet that carries that protocol.

4. COMBINATION FILTERS

AND:

    ip.src==10.0.0.5 && tcp.port==443

OR:

    tcp || udp

NOT:

    !arp

5. FOLLOW STREAM

Follow TCP stream:

    Right-click packet → Follow → TCP Stream

Useful for:

- Extracting credentials
- Reading HTTP traffic
- Viewing chat messages
- Inspecting payloads (malware/flags)

6. DECRYPTING HTTP/HTTPS

HTTP:

- Automatically readable (sent in clear text)

HTTPS decryption (if server private key available):

    Edit → Preferences → TLS → Add Key

Supports RSA key exchange only (not modern ECDHE). For ECDHE sessions the server key is useless; decryption then needs the client's TLS key log (the SSLKEYLOGFILE export from a browser or curl), loaded under Edit → Preferences → Protocols → TLS → (Pre)-Master-Secret log filename.


7. PACKET COLORING

Coloring rules help identify protocol behavior.

Default:

- Green = HTTP
- Blue = DNS
- Yellow = warnings
- Red = errors/retransmissions

8. USEFUL PROTOCOL FILTERS

HTTP:

    http.request.method=="POST"

DNS:

    dns.qry.name == "example.com"

DHCP:

    dhcp   (older filter name: bootp, renamed in Wireshark 3.0)

TLS handshake:

    tls.handshake

ARP:

    arp.opcode == 1   (1 = request, 2 = reply)
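As an added example (not part of this guide and not Wireshark's own code), a small Python evaluator for the filter syntax used in sections 3, 4 and 8, run over constructed packet dicts that stand in for dissected frames: it shows that ip.addr and tcp.port/udp.port match either endpoint, that a bare protocol or field name is a presence test, and how !, && and || combine (! binds tightest, then &&, then ||).

```python
# Added example (not Wireshark's own code): evaluates the display-filter syntax used
# above against constructed packet dicts, so the matching rules are explicit.
import re

TWO_SIDED = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport"),
             "udp.port": ("udp.srcport", "udp.dstport")}   # fields checked on both endpoints
TOKEN = re.compile(r'\(|\)|&&|\|\||==|!=|!|"[^"]*"|[\w.]+')

def values(pkt, field):              # every value the field has in this packet
    return [str(pkt[k]) for k in TWO_SIDED.get(field, (field,)) if k in pkt]

def matches(expr, pkt):              # True if one dissected packet passes the filter
    toks, i = TOKEN.findall(expr), 0
    if re.sub(r"\s", "", "".join(toks)) != re.sub(r"\s", "", expr):
        raise ValueError(f"unrecognised characters in {expr!r}")
    def take():
        nonlocal i; i += 1; return toks[i - 1] if i <= len(toks) else None
    def chain(op, sub, combine):     # left-associative `sub (op sub)*`
        result = sub()
        while i < len(toks) and toks[i] == op:
            take(); result = combine(result, sub())
        return result
    def or_expr(): return chain("||", and_expr, lambda a, b: a or b)
    def and_expr(): return chain("&&", unary, lambda a, b: a and b)
    def unary():
        tok = take()
        if tok == "!": return not unary()
        if tok == "(":
            result = or_expr()
            if take() != ")": raise ValueError("missing ')'")
            return result
        if i < len(toks) and toks[i] in ("==", "!="):
            op, want = take(), (take() or "").strip('"')
            hit = want in values(pkt, tok)
            # '!=' is !(==) here; older Wireshark read it as "any value differs", hence !(ip.addr == X)
            return hit if op == "==" else not hit
        return tok in pkt["proto"] or bool(values(pkt, tok))   # bare name: presence test
    result = or_expr()
    if i != len(toks): raise ValueError(f"unexpected {toks[i]!r}")
    return result
def matching(expr, packets):         # 1-based numbers of the packets the filter keeps
    return [n for n, p in enumerate(packets, 1) if matches(expr, p)]
PACKETS = [   # constructed stand-ins for dissected frames, not taken from a real capture
    {"proto": {"ip", "tcp", "http"}, "ip.src": "10.10.10.5", "ip.dst": "203.0.113.10",
     "tcp.srcport": 51000, "tcp.dstport": 80, "http.request.method": "POST"},
    {"proto": {"ip", "udp", "dns"}, "ip.src": "10.10.10.7", "ip.dst": "10.10.10.1",
     "udp.srcport": 40000, "udp.dstport": 53, "dns.qry.name": "example.com"},
    {"proto": {"arp"}, "arp.opcode": 1},
    {"proto": {"ip", "tcp", "tls"}, "ip.src": "203.0.113.10", "ip.dst": "10.10.10.5",
     "tcp.srcport": 443, "tcp.dstport": 51001}]
```

For instance, matching("ip.addr == 10.10.10.5", PACKETS) keeps packets 1 and 4 because the host appears as source in one and destination in the other.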

9. EXTRACTING FILES FROM TRAFFIC

Extract files:

    File → Export Objects → HTTP / SMB / FTP

Useful for:

- Malware samples
- Downloaded files
- CTF file recovery

10. WIRELESS (802.11) ANALYSIS

Enable monitor mode:

    airmon-ng start wlan0

Allows capturing:

- Beacon frames
- Probe requests
- Authentication frames
- WPA2 4-way handshakes

11. CAPTURING A WPA2 HANDSHAKE

Start monitor mode:

    airmon-ng start wlan0

Use EAPOL filter:

    eapol

Used later for Wi-Fi cracking with hashcat.


12. EXPERT INFORMATION VIEW

    Analyze → Expert Information

Shows:

- Warnings
- Retransmissions
- Protocol errors
- Potential attacks/anomalies

13. EXPORTING PCAP FILES

Save capture:

    File → Save As → .pcapng

Export specific packets:

    File → Export Specified Packets

14. MALWARE ANALYSIS USE CASES

Wireshark helps detect:

- Command-and-control (C2) traffic
- Suspicious DNS queries
- Beaconing behavior
- Payload exfiltration
- Malware downloads

15. CTF WORKFLOW

1. Load the provided PCAP
2. Filter by protocol (http, dns, ftp, tcp.stream eq X)
3. Follow streams for credentials/flags
4. Extract files via “Export Objects”
5. Check ARP, DNS, ICMP for hidden hints
6. Inspect unusual packets or anomalies
