network:: forensics
01 Quick triage & first look
Overview
# File sanity
file capture.pcap
capinfos capture.pcap
# Packet + protocol overview
tshark -r capture.pcap | head
tshark -r capture.pcap -q -z io,phs
tshark -r capture.pcap -q -z conv,ip
tshark -r capture.pcap -q -z endpoints,ip
# Who talks to whom?
tshark -r capture.pcap -q -z conv,tcp
tshark -r capture.pcap -q -z conv,udp
Fast keyword hunt
# Strings inside packets
tshark -r capture.pcap -Y 'frame contains "flag"'
tshark -r capture.pcap -Y 'frame contains "password"'
tshark -r capture.pcap -Y 'frame contains "token"'
tshark -r capture.pcap -Y 'frame matches "[A-Za-z0-9+/]{24,}={0,2}"'
# Undissected payload bytes as grep-able hex (the data field only covers bytes no dissector claimed)
tshark -r capture.pcap -T fields -e data | head
# Low-tech fallback
strings -n 6 capture.pcap | grep -iE 'flag|pass|auth|token|cookie'
Useful pivots
# Common filters
ip.addr == 10.10.10.10
tcp.port == 80
udp.port == 53
tcp.stream eq 4
frame.number == 123
# Client / server quickly
tshark -r capture.pcap -T fields -e ip.src -e ip.dst | sort | uniq -c
# Filter and keep only interesting packets
tshark -r capture.pcap -Y 'http or dns or ftp or smb' -w interesting.pcap
02 tshark precision work
Field extraction
# Generic fields
tshark -r capture.pcap -T fields -e frame.number -e ip.src -e ip.dst
# HTTP host + URI
tshark -r capture.pcap -Y http.request \
-T fields -e tcp.stream -e http.host -e http.request.method -e http.request.uri
# TLS SNI
tshark -r capture.pcap -Y tls.handshake.extensions_server_name \
-T fields -e ip.src -e tls.handshake.extensions_server_name
# Credentials in cleartext protocols
tshark -r capture.pcap -Y ftp.request.command
tshark -r capture.pcap -Y pop.request
tshark -r capture.pcap -Y imap.request
Statistics & oddities
# Largest packets
tshark -r capture.pcap -T fields -e frame.len | sort -n | tail
# Retransmissions / resets
tshark -r capture.pcap -Y tcp.analysis.retransmission
tshark -r capture.pcap -Y tcp.flags.reset==1
# Long URIs / suspicious hostnames
tshark -r capture.pcap -Y http.request \
-T fields -e http.request.uri | awk 'length($0)>120'
tshark -r capture.pcap -Y dns.qry.name \
-T fields -e dns.qry.name | awk 'length($0)>60'
Reassemble & export
# Export only payload bytes
tshark -r capture.pcap -T fields -e tcp.payload | sed '/^$/d'
# Save packet summaries to CSV-ish output
tshark -r capture.pcap -T fields -E separator=, -E quote=d \
-e frame.time_epoch -e ip.src -e ip.dst -e _ws.col.Protocol > packets.csv
# Follow from CLI
tshark -r capture.pcap -z follow,tcp,ascii,0
tshark -r capture.pcap -z follow,tcp,raw,0
03 HTTP / cookies / uploads
HTTP requests
tshark -r capture.pcap -Y http.request
tshark -r capture.pcap -Y 'http.request.method == "POST"'
tshark -r capture.pcap -Y http.response
# Host / URI / user-agent
tshark -r capture.pcap -Y http.request \
-T fields -e http.host -e http.request.uri -e http.user_agent
# Authorization / cookies
tshark -r capture.pcap -Y http.authorization
tshark -r capture.pcap -Y http.cookie
Objects & forms
# Export files seen over HTTP
tshark -r capture.pcap --export-objects http,http_objects/
# Multipart / uploads
tshark -r capture.pcap -Y mime_multipart
tshark -r capture.pcap -Y 'http.content_type contains "multipart/form-data"'
# Form fields can appear in body / URI / urlencoded blobs
tshark -r capture.pcap -Y data-text-lines | grep -iE 'user=|pass=|token=|csrf='
CTF patterns
# Base64 in requests / responses
tshark -r capture.pcap -Y 'frame matches "[A-Za-z0-9+/]{40,}={0,2}"'
# JWT (one-line summaries hide headers and bodies, so grep the full decode from -V)
tshark -r capture.pcap -V | grep -Eo 'eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+'
# Suspicious download names
tshark -r capture.pcap -V | grep -iE '\.zip|\.exe|\.ps1|\.dll|\.docm|\.hta'
04 DNS / ICMP / exfil hints
DNS basics
tshark -r capture.pcap -Y dns
tshark -r capture.pcap -T fields -e dns.qry.name | sort | uniq -c
tshark -r capture.pcap -T fields -e dns.a | sort | uniq -c
# TXT records
tshark -r capture.pcap -Y dns.txt
# NXDOMAIN bursts
tshark -r capture.pcap -Y 'dns.flags.rcode != 0'
DNS tunneling clues
# Long / weird labels
tshark -r capture.pcap -T fields -e dns.qry.name | awk 'length($0)>60'
# Repeated subdomains / one parent domain
tshark -r capture.pcap -T fields -e dns.qry.name | sed 's/^[^.]*\.//' | sort | uniq -c | sort -nr
# Extract unique left-most labels for decoding
tshark -r capture.pcap -T fields -e dns.qry.name | cut -d. -f1 | sort -u
ICMP / covert channels
tshark -r capture.pcap -Y icmp
tshark -r capture.pcap -Y 'icmp.type == 8 or icmp.type == 0'
# Dump ICMP payloads
tshark -r capture.pcap -Y icmp -T fields -e data
# Watch for constant-size bursts / regular intervals
Indicators:
- same destination, regular spacing
- large echo payloads
- base64 / hex blobs in data
05 Streams, tcpflow & reassembly
Follow specific streams
# Find stream ids first
tshark -r capture.pcap -T fields -e tcp.stream | sort -n | uniq
# Then follow
tshark -r capture.pcap -z follow,tcp,ascii,7
tshark -r capture.pcap -z follow,tcp,raw,7
# Filter one stream into its own PCAP
tshark -r capture.pcap -Y 'tcp.stream eq 7' -w stream7.pcap
tcpflow
# Reassemble flows into files
tcpflow -r capture.pcap
tcpflow -r capture.pcap -o tcpflow_out/
# Inspect quickly
find tcpflow_out -type f | sort
grep -RniE 'flag|password|token|cookie' tcpflow_out/
# Useful when tshark summary looks messy
Look for:
- HTTP requests split across packets
- shell prompts / commands
- base64 blobs across one TCP session
Low-level carving
# Raw packet payloads only (newer tshark prints bytes colon-separated, so strip ':' as well as newlines)
tshark -r capture.pcap -T fields -e data | tr -d ':\n' | xxd -r -p > all_payloads.bin
# Then try
file all_payloads.bin
binwalk all_payloads.bin
strings -n 6 all_payloads.bin | less
foremost -i all_payloads.bin -o carve_out/
06 Objects, SMB / FTP & email
Objects
tshark -r capture.pcap --export-objects http,http_objects/
tshark -r capture.pcap --export-objects smb,smb_objects/
tshark -r capture.pcap --export-objects dicom,dicom_objects/ # only if relevant
SMB / FTP
tshark -r capture.pcap -Y smb
tshark -r capture.pcap -Y ftp
tshark -r capture.pcap -Y smb2.filename
tshark -r capture.pcap -Y ftp.request.arg
Email
tshark -r capture.pcap -Y smtp
tshark -r capture.pcap -Y pop
tshark -r capture.pcap -Y imap
grep -RniE 'Subject:|From:|To:' tcpflow_out/
07 Zeek for structured analysis
Run Zeek
mkdir zeek_out
cd zeek_out
zeek -r ../capture.pcap
# Main logs
conn.log
http.log
dns.log
files.log
ssl.log / x509.log
weird.log
notice.log
Quick Zeek queries
# Human-friendly columns
cat conn.log | zeek-cut id.orig_h id.resp_h proto service duration orig_bytes resp_bytes
cat http.log | zeek-cut ts id.orig_h host uri user_agent status_code
cat dns.log | zeek-cut ts id.orig_h query qtype_name answers
cat files.log | zeek-cut ts tx_hosts rx_hosts mime_type filename md5 sha1
# Hunt weirdness
cat weird.log | head
cat notice.log | head
Why Zeek is useful
Best when you want:
- a clean timeline
- extracted metadata instead of packet-by-packet reading
- file hashes / MIME types
- DNS / HTTP / TLS summaries
Typical CTF use:
1. run Zeek
2. inspect http.log + dns.log + files.log
3. pivot back to tshark for raw packets
08 Suricata & EVE JSON
Run Suricata on a PCAP
mkdir suri_out
suricata -r capture.pcap -l suri_out/
# Key output
suri_out/eve.json
suri_out/fast.log
# Typical events
alert
http
dns
tls
fileinfo
flow
jq against EVE JSON
# Alerts only
jq 'select(.event_type=="alert") | {src_ip,dest_ip,signature:.alert.signature,severity:.alert.severity}' suri_out/eve.json
# DNS + HTTP summary
jq 'select(.event_type=="dns") | {src_ip,rrname:.dns.rrname,rdata:.dns.rdata}' suri_out/eve.json
jq 'select(.event_type=="http") | {src_ip,hostname:.http.hostname,url:.http.url,http_method:.http.http_method}' suri_out/eve.json
# File metadata
jq 'select(.event_type=="fileinfo") | {filename:.fileinfo.filename,magic:.fileinfo.magic,md5:.fileinfo.md5}' suri_out/eve.json
When it helps
Suricata is great for:
- quick signatures / alerts
- structured DNS/HTTP/TLS/file logs
- triage automation with jq
It is not a replacement for:
- manual stream review
- file carving
- challenge-specific decoding
09 Entropy, anomalies & beaconing
Entropy on extracted objects
ent suspicious.bin
# Batch over exported files
for f in http_objects/* smb_objects/* tcpflow_out/*; do
[ -f "$f" ] || continue
echo "== $f =="
ent "$f"
done
High entropy can mean:
- compressed
- encrypted
- encoded / packed
- random padding
Beaconing / timing
# RITA (reads Zeek logs, not the raw PCAP: run zeek -r first, then import that log directory)
rita import zeek_out dataset
rita show-beacons dataset
rita show-long-connections dataset
# Quick low-tech timing idea
tshark -r capture.pcap -T fields -e frame.time_epoch -e ip.dst > timing.txt
Indicators:
- same dst every N seconds
- nearly identical packet sizes
- repetitive DNS/HTTP callbacks
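A small scorer for that timing.txt dump, added here as an example rather than taken from the cheat sheet: it groups packets by destination, measures inter-arrival gaps and flags destinations whose spacing barely varies. The sample lines are constructed; feed parse_timing() the contents of a real timing.txt to use it.

```python
import statistics
from collections import defaultdict

# Constructed sample in the timing.txt layout (frame.time_epoch<TAB>ip.dst):
# one host contacted every ~60 s, one irregular host, one malformed line.
SAMPLE_TIMING = """\
1700000000.000\t10.10.10.10
1700000001.200\t93.184.216.34
garbage line without a tab
1700000060.000\t10.10.10.10
1700000063.700\t93.184.216.34
1700000119.900\t10.10.10.10
1700000129.900\t93.184.216.34
1700000150.200\t93.184.216.34
1700000180.000\t10.10.10.10
1700000240.000\t10.10.10.10
"""

def parse_timing(text):
    """Group packet timestamps by destination; skip lines lacking an epoch and an IP."""
    by_dst = defaultdict(list)
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 2 or not parts[1]:
            continue
        try:
            by_dst[parts[1]].append(float(parts[0]))
        except ValueError:
            continue
    return by_dst

def beacon_score(timestamps, min_packets=4):
    """(median_gap, coefficient_of_variation) of inter-arrival gaps, or None.
    A CV near 0 means near-constant spacing, the classic beacon signature."""
    if len(timestamps) < min_packets:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return statistics.median(gaps), statistics.pstdev(gaps) / mean

def rank_destinations(text, max_cv=0.1):
    """Destinations whose gaps vary by less than max_cv, most regular first."""
    hits = []
    for dst, ts in parse_timing(text).items():
        score = beacon_score(ts)
        if score and score[1] <= max_cv:
            hits.append((dst, round(score[0], 3), round(score[1], 4)))
    return sorted(hits, key=lambda hit: hit[2])
```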
Custom payload entropy
# Dump payloads, then score in Python
tshark -r capture.pcap -T fields -e data > payload_hex.txt
# Good for:
- finding hidden compressed chunks
- spotting encrypted exfil blocks
- comparing streams by randomness
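An added example of the Python scoring step (not from the original page): Shannon entropy per line of payload_hex.txt, accepting both the colon-separated and the plain hex form tshark prints. The sample lines are constructed.

```python
import hashlib, math

# Constructed sample in the payload_hex.txt layout (one tshark "data" field per
# line): an empty line, a cleartext HTTP request, 64 repeated bytes, and 256
# pseudo-random bytes derived from SHA-256 so the result is deterministic.
SAMPLE_PAYLOAD_HEX = "\n".join([
    "",
    b"GET /index.html HTTP/1.1".hex(":"),   # colon-separated form (newer tshark)
    "41" * 64,                               # plain form (older tshark)
    b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8)).hex(),
])

def hex_to_bytes(line):
    """Accept 'de:ad:be:ef' or 'deadbeef'; -T fields emits either depending on version."""
    return bytes.fromhex(line.strip().replace(":", ""))

def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or single-valued input, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify(entropy):
    """Rough bands; high entropy means compressed, encrypted or random, not 'malware'."""
    if entropy >= 7.0:
        return "likely compressed/encrypted/random"
    if entropy >= 5.0:
        return "encoded text or mixed binary"
    return "plain text / repetitive"

def score_payloads(text, min_len=16):
    """One (line_index, length, entropy, label) per payload long enough to judge.
    Short payloads are skipped: a handful of bytes cannot reach high entropy anyway."""
    rows = []
    for idx, line in enumerate(text.splitlines()):
        try:
            data = hex_to_bytes(line)
        except ValueError:
            continue                         # not a hex field, e.g. a stray header line
        if len(data) < min_len:
            continue
        ent = shannon_entropy(data)
        rows.append((idx, len(data), round(ent, 3), classify(ent)))
    return rows
```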
10 Wireless / 802.11 notes
Basic filters
tshark -r wifi.pcap -Y wlan
tshark -r wifi.pcap -Y eapol
tshark -r wifi.pcap -Y wlan.fc.type_subtype==0x08 # beacons
WPA handshake
Look for:
- EAPOL packets
- client MAC
- AP BSSID
- SSID from beacons / probe responses
Useful tools outside tshark:
- aircrack-ng
- hcxdumptool
- hcxpcapngtool
CTF hint
Wireless PCAPs often hide:
- SSID clues
- WPA handshakes
- rogue AP / deauth patterns
- tunneled HTTP once decrypted
11 Practical workflow
Suggested order
1. capinfos / tshark -q -z io,phs → know what is inside
2. tshark -q -z conv,ip / endpoints,ip → find the main talkers
3. Hunt obvious strings / credentials / tokens
4. Check HTTP, DNS, TLS SNI, SMB, FTP
5. Follow suspicious streams / export objects
6. Run zeek for structured logs
7. Run suricata for quick alerts + EVE JSON
8. Use tcpflow or payload dumping if things are split across packets
9. Entropy-check extracted files / blobs
10. If timing or beaconing matters, use RITA or a custom script
12 Pitfalls & reminders
Easy misses
- only checking HTTP
- ignoring DNS
- stopping after first stream
- forgetting exports
- not checking TLS SNI
False assumptions
- high entropy != always malware
- no alert != no interesting traffic
- PCAP may start mid-session
- payload may be layered: hex → base64 → gzip
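An added example for that layered case (not part of the original page): a decoder that peels hex, base64, gzip and zlib layers in whatever order they were stacked, with the test blob built from a constructed plaintext.

```python
import base64, binascii, gzip, re, zlib

HEX_RE = re.compile(rb"^[0-9a-fA-F]+$")
B64_RE = re.compile(rb"^[A-Za-z0-9+/=\s]+$")

def peel_once(blob):
    """Return (layer_name, inner_bytes) for the outermost recognisable layer, else None.
    Binary layers are tested on the raw bytes; text layers on the stripped form."""
    if blob[:2] == b"\x1f\x8b":                     # gzip magic
        return "gzip", gzip.decompress(blob)
    if blob[:1] == b"\x78":                         # zlib CMF byte (78 01 / 78 9c / 78 da)
        try:
            return "zlib", zlib.decompress(blob)
        except zlib.error:
            pass
    s = blob.strip()
    if len(s) % 2 == 0 and HEX_RE.match(s):
        return "hex", binascii.unhexlify(s)
    if len(s) >= 8 and B64_RE.match(s):
        try:
            return "base64", base64.b64decode(s, validate=False)
        except binascii.Error:                      # bad length/padding: not base64
            pass
    return None

def peel(blob, max_layers=8):
    """Strip layers until none applies; returns (layers_applied, innermost_bytes).
    Caveat: short all-alphanumeric plaintext can pass the base64 test, so check
    the last layer by eye rather than trusting the chain blindly."""
    layers = []
    for _ in range(max_layers):
        step = peel_once(blob)
        if step is None or step[1] == blob:
            break
        layers.append(step[0])
        blob = step[1]
    return layers, blob

def build_sample(plain):
    """Constructed test blob: plaintext -> gzip -> base64 -> hex (innermost first)."""
    return binascii.hexlify(base64.b64encode(gzip.compress(plain)))
```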
Good companions
- jq
- ripgrep / grep
- xxd
- binwalk
- foremost
- python for decoding
- your own triage script
CTF tip: Zeek gives the structured view, Suricata gives the detection view, tshark gives the exact packet-level view. Use all three together.