The process of intercepting, recording and analyzing network traffic communication patterns in order to detect and respond to security threats.  Relevent network concepts include include understanding OSI layers, protocols, IP addresses, encryption and firewalls that will apply to traffic analysis. The primary file used in this process are network PCAP files (Package Captures) generated from a network interface in promiscuous mode. The majority of the packets are likely to be made up of TCP, UDP and ICMP protocol traffic.

Key Concepts

  • Pcap – Packet Capture File which includes: (1) Source and Destination port #s , (2) IP addresses , (3) Physical (MAC) addresses, (4) Protocol and Encryption info, (5) Header and Payload info, (6) Wireless info and other data,
  • TCP IP Units of Data by Layer :
    • TBD – Layer4 ; Application Layer (e.g.,
    • Segment – Layer3; Transport Layer (e.g., Port)
    • Packet – Layer2 Internet Layer (e.g., IP Address)
    • Frame/Bit – Layer1 Link Layer (e.g., Ethernet MAC address, Wifi Address )
  • Tools:
    • Tshark – network protocol analyzer utilities that run on the command line. Tshark collects packets live network or from a previously saved capture file. .
    • Tdump – command-line packet analyzer (similiar to tshark)
  • Key Protocols:

Wireshark Packet Analyzer:

Wireshark is a GUI tool used to collect and analyze network packet capture file (PCAPs). Under the covers, it executes Tshark commands which could be entered directly on the commanc line. done on the command. Free versions of Wireshark are available in the Kali Linux distribution or can be downloaded to Windows or Mac OS.

  1. The menu (see Section 3.4, “The Menu”) is used to start actions.
  2. The main toolbar (see Section 3.16, “The “Main” Toolbar”) provides quick access to frequently used items from the menu.
  3. The filter toolbar (see Section 3.17, “The “Filter” Toolbar”) allows users to set display filters to filter which packets are displayed (see Section 6.3, “Filtering Packets While Viewing”).
  4. The packet list pane (see Section 3.18, “The “Packet List” Pane”) displays a summary of each packet captured. By clicking on packets in this pane you control what is displayed in the other two panes.
  5. The packet details pane (see Section 3.19, “The “Packet Details” Pane”) displays the packet selected in the packet list pane in more detail.
  6. The packet bytes pane (see Section 3.20, “The “Packet Bytes” Pane”) displays the data from the packet selected in the packet list pane, and highlights the field selected in the packet details pane.
  7. The statusbar (see Section 3.21, “The Statusbar”) shows some detailed information about the current program state and the captured data.

Recommended Steps for using Wireshark

  1. Read the CTF challenge and look for clues (i.e., protocols, ip addresses, etc.). The challenge is most likely going to be:
    • require analysis of a capture file (PCAP) ; no live capture required
    • related to a TCP or UDP protocols.
    • Wireless scenarios will also show in capture file
  2. Open the File in Wireshark – (See 5.2 – Open Capture File)
  3. Use Filters to reduce the noise (see 6.3. Filtering Packets While Viewing) and focus on the CTF clues.
  4. Analyze the data in Wireshark:

Recommended Tools:

References: