TL;DR
- Network traffic analysis means reading packets to reconstruct what happened on the wire
- Wireshark is the GUI tool; tcpdump is the terminal tool — both produce and read
.pcapfiles - Every protocol has a recognisable pattern — anomalies stand out once you know what normal looks like
- DNS, HTTP, FTP, and SMB are the most information-rich protocols in a capture
- In CTF challenges, captures often hide data in protocol payloads, unusual ports, or encoding tricks
Prerequisites
- Completed: How Networks Actually Work — you need to understand the protocols you're reading
- Wireshark installed (
sudo apt install wireshark) or access to a capture file - Network interface or a
.pcapfile to analyse
Lab: Download practice captures from CloudShark Community, Wireshark Sample Captures, or generate your own: tcpdump -i eth0 -w capture.pcap.
Capturing Traffic
tcpdump — Terminal Capture
$
tcpdump -i eth0 -w capture.pcap -n -s 0 'port 80 or port 443'Capture all HTTP and HTTPS traffic on eth0 to a file, no DNS resolution, full packet length
-ieth0Interface to capture on. Use -i any to capture all interfaces
-wcapture.pcapWrite packets to file instead of displaying them
-nDisable DNS resolution — show IPs instead of hostnames. Faster, less noise
-s0Capture full packet (snaplen 0 = no truncation). Default is 262144 bytes
'port 80 or port 443'BPF filter — only capture traffic on these ports
bash
# Common tcpdump captures
tcpdump -i eth0 -n # All traffic, no DNS
tcpdump -i eth0 host 192.168.1.100 # Traffic to/from specific host
tcpdump -i eth0 src 192.168.1.100 # Traffic FROM specific host
tcpdump -i eth0 net 192.168.1.0/24 # Entire subnet
tcpdump -i eth0 'tcp port 22' # SSH only
tcpdump -i eth0 'not port 22' # Exclude SSH
tcpdump -i eth0 -A 'port 80' # Print packet ASCII content
tcpdump -i eth0 -X 'port 53' # Print hex AND ASCII
tcpdump -r capture.pcap # Read from file
tcpdump -r capture.pcap 'host 10.0.0.1' # Filter while readingWireshark — GUI Analysis
Wireshark's display filters use a different syntax from tcpdump's capture filters:
| Task | Wireshark filter |
|---|---|
| Filter by IP | ip.addr == 192.168.1.100 |
| Filter by source | ip.src == 192.168.1.100 |
| Filter by port | tcp.port == 80 |
| HTTP traffic | http |
| DNS queries | dns |
| HTTP POST requests | http.request.method == "POST" |
| Follow stream | Right-click packet > Follow > TCP Stream |
| Find string in payload | Edit > Find Packet > String |
| Export objects | File > Export Objects > HTTP (extract files) |
Reading a Packet — Anatomy
Every packet in Wireshark has layers. Click a packet to expand:
Frame 1 — 74 bytes on wire
Ethernet II
src: aa:bb:cc:dd:ee:ff → dst: ff:ff:ff:ff:ff:ff
IP
src: 192.168.1.5 → dst: 8.8.8.8
TCP
src port: 54321 → dst port: 443
TLS
Encrypted payload
DNS Analysis
DNS is one of the richest sources of intelligence and one of the most abused protocols for data exfiltration.
bash
# Extract all DNS queries from a capture
tshark -r capture.pcap -Y dns -T fields -e dns.qry.name | sort | uniq -c | sort -rn
# Find DNS queries for uncommon TLDs (potential data exfil)
tshark -r capture.pcap -Y 'dns' -T fields -e dns.qry.name | grep -v "\.\(com\|net\|org\|local\)$"
# Find unusually long DNS names (DNS tunnelling indicator)
tshark -r capture.pcap -Y 'dns.qry.name' -T fields -e dns.qry.name | \
awk 'length > 50 {print}' | sort -uDNS Tunnelling Indicators
| Indicator | Normal | Suspicious |
|---|---|---|
| Query length | < 30 chars | > 50 chars |
| Query frequency | Occasional | High frequency to same domain |
| Subdomain variety | Few subdomains | Many unique random subdomains |
| Record type | A, AAAA, MX, CNAME | TXT, NULL records |
| Response size | Small | Large TXT responses |
◆DNS Tunnelling in CTFs
Common tools used for DNS tunnelling: iodine, dns2tcp, dnscat2. In CTF challenges, look for base64 or hex-encoded data in the subdomain portion of queries. Extract all unique query names and decode them.
HTTP Analysis
HTTP is plaintext — everything is readable in a capture.
bash
# Extract all HTTP requests
tshark -r capture.pcap -Y http.request -T fields \
-e ip.src -e http.request.method -e http.request.full_uri
# Extract HTTP POST bodies (credentials, form data)
tshark -r capture.pcap -Y "http.request.method == POST" -T fields \
-e ip.src -e http.request.uri -e urlencoded-form.value
# Export all HTTP objects (files transferred)
tshark -r capture.pcap --export-objects http,./extracted/
# or in Wireshark: File > Export Objects > HTTPFinding Credentials in HTTP
bash
# Look for basic auth (base64 encoded)
tshark -r capture.pcap -Y http -T fields -e http.authbasic
# Look for form POSTs with password fields
tshark -r capture.pcap -Y 'http.request.method == POST' -T fields \
-e urlencoded-form.key -e urlencoded-form.value | grep -i "pass\|pwd\|secret"SMB Analysis
SMB (Server Message Block) is Windows file sharing — it also leaks a lot of information.
bash
# Filter SMB traffic
tshark -r capture.pcap -Y smb
# Find SMB login attempts
tshark -r capture.pcap -Y 'smb2.cmd == 1' -T fields \
-e ip.src -e smb2.sesid -e ntlmssp.auth.username -e ntlmssp.auth.domain
# Extract NTLM hashes (NetNTLMv2) for cracking
tshark -r capture.pcap -Y 'ntlmssp.auth' -T fields \
-e ntlmssp.auth.username -e ntlmssp.auth.domain \
-e ntlmssp.ntlmclientchallenge -e ntlmssp.ntlmserverchallenge◈NetNTLMv2 Format for Hashcat
The hashcat format for NetNTLMv2 is: username::domain:ServerChallenge:NTProofStr:blob. Wireshark gives you the pieces — you need to assemble them in the right order. Tools like PCredz or Responder's built-in extraction handle this automatically.
FTP and Telnet — Cleartext Credentials
FTP and Telnet transmit everything in plaintext — credentials, commands, data.
bash
# Extract FTP credentials
tshark -r capture.pcap -Y ftp -T fields -e ftp.request.command -e ftp.request.arg | \
grep -E "^(USER|PASS)"
# Follow a Telnet session
tshark -r capture.pcap -Y telnet -T fields -e telnet.data | tr -d '\n'
# In Wireshark: right-click any FTP/Telnet packet > Follow > TCP StreamICMP and Covert Channels
ICMP (ping) is often whitelisted by firewalls and can be used for data exfiltration.
bash
# Find unusually large ICMP packets (normal ping = 64 bytes)
tshark -r capture.pcap -Y 'icmp && icmp.type == 8' -T fields \
-e ip.src -e ip.dst -e frame.len | awk '$3 > 100'
# Extract ICMP payload data
tshark -r capture.pcap -Y 'icmp.type == 8' -T fields -e dataStatistical Analysis
When you don't know what you're looking for, start with statistics.
bash
# Protocol hierarchy
tshark -r capture.pcap -q -z io,phs
# Conversations (who talked to who, how much)
tshark -r capture.pcap -q -z conv,tcp
# Top talkers
tshark -r capture.pcap -q -z endpoints,ip
# Packet lengths distribution (useful for finding anomalies)
tshark -r capture.pcap -T fields -e frame.len | sort -n | uniq -c
# Timeline — when did activity happen?
tshark -r capture.pcap -T fields -e frame.time_relative -e ip.src -e ip.dst | head -50Steganography in Network Captures
CTF challenges frequently hide data in unusual places within packets.
Network Steganography Checklist
- 1Check ICMP payloads
Data field in ping packets often contains hidden messages
- 2Check DNS query names
Extract all unique names, decode base64/hex subdomains
- 3Check HTTP headers
Custom headers like X-Flag, X-Secret or unusual User-Agent values
- 4Check TCP options
Timestamp values, window sizes can encode data
- 5Check unused protocol fields
IP ID field, TCP sequence numbers can carry data
- 6Extract all transferred files
Wireshark > File > Export Objects > HTTP / SMB / FTP
- 7Check for covert channels
HTTP GET with long query strings, unusual TTL values
tshark Command Reference
bash
# Read file and display with filter
tshark -r file.pcap -Y "filter"
# Extract specific fields
tshark -r file.pcap -T fields -e ip.src -e ip.dst -e tcp.port
# Output formats
tshark -r file.pcap -T json # JSON
tshark -r file.pcap -T pdml # XML
tshark -r file.pcap -T text # Human readable (default)
# Follow stream
tshark -r file.pcap -q -z follow,tcp,ascii,0 # Follow first TCP stream
# Statistics
tshark -r file.pcap -q -z io,stat,1 # IO stats per second
tshark -r file.pcap -q -z http,tree # HTTP statistics
# Slice packets
tshark -r file.pcap -Y "frame.number >= 100 && frame.number <= 200"Operational Notes
- Promiscuous mode — to capture traffic not addressed to your machine, your interface needs promiscuous mode enabled. Wireshark enables it automatically.
tcpdump -pdisables it (capture only your own traffic). - Encrypted traffic — HTTPS/TLS is encrypted. You can still see metadata (server names via SNI in the TLS handshake, certificate subjects, traffic patterns). For decryption, you need the session keys — Wireshark can decrypt if you export
SSLKEYLOGFILEfrom the browser. - Capture filters vs display filters — capture filters (BPF syntax) drop packets before they're written. Display filters analyse what's already captured. Capture filters are more efficient; display filters are more flexible.
- `-n` and `-N` flags —
-nin tcpdump disables DNS resolution.-Ndisables qualified domain name printing. Both significantly speed up live captures.
What to Read Next
- Forensics — network captures are a key artefact in digital forensics investigations
- Reconnaissance — passive network monitoring is the quietest form of network recon
- Exploitation — understanding what attack traffic looks like helps you craft better exploits