PCAP analysis

Tools

  1. Wireshark

  2. NetworkMiner

  3. Strings

  4. Tshark

Checklist

  1. Understand the packets

  2. Export objects

  3. Protocol hierarchy gives you a general understanding of what the capture contains

  4. Follow TCP streams

  5. Filtering

  6. Search for keyword such as "flag" using Find Packet

  7. Take a look at the Info column. Stupid challenges often put the flag letter by letter in different packets.

  8. If the challenge is about Wi-Fi, USB or keyboard captures, google past writeups to see how they were solved.
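Checklist items 4, 6 and 7 done offline, as an added example that is not part of the original page: a minimal classic-pcap reader that reassembles each TCP stream by sequence number (skipping retransmissions) and searches it for a keyword, run over a small constructed capture in which the flag arrives one letter per packet and out of order. All packet data, addresses and the flag value are constructed for the example.

```python
import struct
from collections import defaultdict

# Constructed sample (not a real capture): one TCP stream carrying a flag one letter per
# packet, captured out of order, with one retransmitted segment.
def _pkt(seq, payload, src=(10, 0, 0, 1), dst=(10, 0, 0, 2), sport=40000, dport=80):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(src), bytes(dst)) + tcp
    frame = b"\x00" * 12 + b"\x08\x00" + ip            # Ethernet header, EtherType IPv4
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame  # pcap record header

PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
_SEGMENTS = [(1000, b"f"), (1002, b"a"), (1001, b"l"), (1003, b"g"), (1004, b"{"),
             (1002, b"a"),                       # retransmission, must not be counted twice
             (1005, b"pcap"), (1009, b"}")]
SAMPLE_PCAP = PCAP_GLOBAL + b"".join(_pkt(s, p) for s, p in _SEGMENTS)

def packets(data):
    """Yield raw frames from a classic little-endian pcap (convert pcapng first with tshark)."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian pcap with microsecond timestamps is handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack("<I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def tcp_segment(frame):
    """Return (stream key, seq, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # not IPv4, or IP protocol is not TCP
        return None
    ip = frame[14:]
    ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total]                                  # honours IP total length (drops padding)
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    doff = (tcp[12] >> 4) * 4
    return (ip[12:16], sport, ip[16:20], dport), seq, tcp[doff:]

def follow_streams(data):
    """Reassemble each one-directional TCP stream by sequence number, ignoring retransmissions."""
    segs = defaultdict(dict)
    for frame in packets(data):
        parsed = tcp_segment(frame)
        if parsed and parsed[2]:
            segs[parsed[0]].setdefault(parsed[1], parsed[2])   # first copy of a seq wins
    return {key: b"".join(v[s] for s in sorted(v)) for key, v in segs.items()}

def find_keyword(data, word=b"flag"):   # the "Find Packet" step, done over reassembled streams
    return [stream for stream in follow_streams(data).values() if word in stream]
```

Running `find_keyword(SAMPLE_PCAP)` returns the single reassembled stream `b"flag{pcap}"`, even though the letters were captured out of order and one segment was retransmitted.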

Others

  1. Convert pcapng to pcap

    • tshark -F pcap -r file.pcapng -w newfile.pcap

  2. Brute-force the WEP password from a PCAP

    • aircrack-ng -b XX:XX:XX:XX:89:b3 -w ../rockyou.txt target.pcap

    • Then, in Wireshark, go to Edit > Preferences > Protocols > IEEE 802.11 > Edit... (decryption keys) and add a wpa-pwd key with the recovered password to decrypt the traffic
