```
# Protocol filters
http            # all HTTP
http2           # HTTP/2
dns             # all DNS
tcp             # all TCP
udp             # all UDP
icmp            # ICMP / ping
ftp             # FTP control
ftp-data        # FTP data transfers
smtp            # email SMTP
ssh             # SSH
ssl or tls      # TLS/SSL
telnet          # Telnet (plaintext)

# IP filters
ip.addr == 10.0.0.1
ip.src == 10.0.0.1
ip.dst == 10.0.0.2
ip.addr == 10.0.0.0/24      # subnet

# Port filters
tcp.port == 80
tcp.port == 4444
udp.port == 53
tcp.dstport == 443
tcp.srcport == 1337
```
```
# Boolean logic
http and ip.src == 10.0.0.1
http or dns
not arp
!(ip.addr == 10.0.0.1)

# HTTP specific
http.request.method == "POST"
http.request.method == "GET"
http.response.code == 200
http.request.uri contains "admin"
http.request.uri contains "flag"
http.request.full_uri contains "login"
http contains "password"
http contains "picoCTF"

# TCP stream
tcp.stream eq 5             # stream number 5
tcp.flags.syn == 1          # SYN packets
tcp.flags.rst == 1          # RST packets
tcp.len > 0                 # non-empty TCP

# Data / content search
frame contains "flag"
data contains "picoCTF"
tcp contains "password"
```
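The Boolean operators above are easy to get wrong on multi-valued fields: one packet carries two `ip.addr` values and two `tcp.port` values, so `ip.addr == X` means "either address is X". As an added example that is not part of this cheat sheet, the Python below implements a small evaluator for the filter subset used here (bare protocol names, `==`/`eq`, `!=`/`ne`, `contains`, `>`, `and`, `or`, `not`/`!`, parentheses and CIDR literals) over three constructed packets, and runs general expressions rather than just the ones listed. It models two behaviours worth knowing: a comparison on a field the packet does not have is false, so `!(ip.addr == 10.0.0.1)` also shows ARP frames, and `!=` is taken in its current Wireshark meaning (3.6 and later), "no value of the field equals the literal", so `ip.addr != 10.0.0.1` hides a conversation with that host instead of matching its other endpoint. The packet dictionaries and their values are made up for the example.

```python
import ipaddress
import re

# Constructed sample packets (not from a real capture): field name -> list of values.
# ip.addr and tcp.port are two-valued (either direction), which is what makes the
# Boolean operators subtle.
SAMPLE_PACKETS = [
    {"_proto": {"eth", "ip", "tcp", "http"}, "ip.src": ["10.0.0.1"], "tcp.len": ["412"],
     "ip.addr": ["10.0.0.1", "10.0.0.2"], "tcp.port": ["1337", "80"], "http.request.method": ["POST"]},
    {"_proto": {"eth", "ip", "udp", "dns"}, "ip.src": ["10.0.0.5"], "udp.port": ["40000", "53"],
     "ip.addr": ["10.0.0.5", "192.168.1.53"], "dns.qry.name": ["6869666c6167.evil.com"]},
    {"_proto": {"eth", "arp"}},  # no IP layer at all
]

# A token is a quoted string, a parenthesis, an operator, or a bare word (the lookahead keeps words maximal).
TOKEN = r'"[^"]*"|\(|\)|==|!=|>|!|[A-Za-z0-9_.:/-]+(?![A-Za-z0-9_.:/-])'
COMPARE = {"==": "==", "eq": "==", "!=": "!=", "ne": "!=", "contains": "contains", ">": ">"}

def tokenize(expr):
    """Split a display-filter expression into token strings, rejecting unknown characters."""
    if not re.fullmatch(rf"(?:\s*(?:{TOKEN}))*\s*", expr):
        raise ValueError(f"cannot tokenize {expr!r}")
    return re.findall(TOKEN, expr)

class Parser:
    """Recursive descent with Wireshark precedence: not/! binds tighter than and, and than or."""
    def __init__(self, expr):
        self.toks, self.i = tokenize(expr), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        self.i += 1
        return self.toks[self.i - 1] if self.i <= len(self.toks) else None
    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"trailing input at {self.peek()!r}")
        return node
    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.parse_and())
        return node
    def parse_and(self):
        node = self.parse_not()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.parse_not())
        return node
    def parse_not(self):
        if self.peek() in ("not", "!"):
            self.take()
            return ("not", self.parse_not())
        return self.parse_atom()
    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok is None or not re.fullmatch(r"[A-Za-z][A-Za-z0-9_.-]*", tok):
            raise ValueError(f"expected a field or protocol name, got {tok!r}")
        if self.peek() in COMPARE:                      # field <op> value
            op, value = COMPARE[self.take()], self.take()
            if value is None:
                raise ValueError(f"missing value after {op}")
            return ("cmp", tok, op, value.strip('"'))
        return ("proto", tok)                           # bare name such as http, dns, arp

def _value_matches(op, actual, literal):
    """Compare one field value with a literal; '>' is numeric, a '/' literal is a CIDR subnet."""
    if op == "contains":
        return literal in actual
    if op == ">":
        return int(actual) > int(literal)
    if "/" in literal:
        return ipaddress.ip_address(actual) in ipaddress.ip_network(literal, strict=False)
    return actual == literal

def evaluate(node, packet):
    """Return True when the packet satisfies the parsed filter tree."""
    kind = node[0]
    if kind in ("or", "and"):
        left, right = evaluate(node[1], packet), evaluate(node[2], packet)
        return (left or right) if kind == "or" else (left and right)
    if kind == "not":
        return not evaluate(node[1], packet)
    if kind == "proto":
        return node[1] in packet["_proto"]
    _, field, op, literal = node
    values = packet.get(field, [])      # absent field: no comparison matches; only !(...) selects it
    if op == "!=":                      # "no value equals" (Wireshark 3.6 and later semantics)
        return bool(values) and not any(_value_matches("==", v, literal) for v in values)
    return any(_value_matches(op, v, literal) for v in values)

def apply_filter(expr, packets=SAMPLE_PACKETS):
    """Indices of the packets the display filter would leave visible."""
    tree = Parser(expr).parse()
    return [i for i, pkt in enumerate(packets) if evaluate(tree, pkt)]
```

Running `apply_filter("!(ip.addr == 10.0.0.1)")` against the samples returns packets 1 and 2 (the ARP frame included), while `apply_filter("ip.addr != 10.0.0.1")` returns only packet 1; `ip.addr == 10.0.0.0/24` returns 0 and 1 because the subnet literal is matched against both addresses of each packet.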
```
# Right-click any packet → Follow → TCP Stream
# → shows full conversation as text
# Also: Follow → UDP Stream
#       Follow → HTTP Stream
#       Follow → TLS Stream (decrypted)

# Stream navigation:
# Filter box auto-fills: tcp.stream eq N
# Click through streams with arrows
# "Show data as": ASCII / Hex / Raw / Base64 / UTF-8
# "Save as" to export stream content

# Find stream with flag:
# Edit → Find Packet → String → "flag" or "picoCTF"
# Then Follow Stream to see context
```
```
# Filter to specific TCP stream (auto-applied)
tcp.stream eq 0
tcp.stream eq 1
tcp.stream eq 42

# Iterate all streams with tshark (see section 05)

# HTTP: Analyze → HTTP → HTTP Streams
# DNS:  Analyze → DNS → DNS Requests
# FTP:  Statistics → Conversations (filter by FTP-DATA)

# CTF pattern: credentials in plaintext stream
# Filter: http.request.method == "POST"
# → Follow HTTP Stream → see POST body with creds

# Reassemble TCP stream to file
# Follow TCP Stream → Save As → binary file
```
```
# GUI: File → Export Objects → HTTP
# → lists all files transferred over HTTP
# → "Save All" to extract everything

# Also works for:
# File → Export Objects → DICOM
# File → Export Objects → FTP-DATA   ← important for CTF
# File → Export Objects → IMF (email)
# File → Export Objects → SMB

# Export specific bytes
# Right-click Data field → Export Packet Bytes

# Statistics → Protocol Hierarchy
# → shows what protocols are present
# Good first step in CTF to understand pcap contents
```
```
# Key stats menus for CTF:
# Statistics → Protocol Hierarchy
# → quick overview of what's in the capture
# Statistics → Conversations
# → who talked to who, how much data
# Statistics → Endpoints
# → all unique IPs/MACs
# Statistics → HTTP → Requests
# → all HTTP URLs in order
# Analyze → Expert Information
# → errors, warnings, notes
# Analyze → Follow → TCP Stream (stream 0)
# then cycle through with ← → arrows
```
```bash
# Read pcap file
tshark -r capture.pcap

# Apply display filter
tshark -r capture.pcap -Y "http"
tshark -r capture.pcap -Y "tcp.port == 4444"

# Print specific fields
tshark -r capture.pcap -T fields -e ip.src -e ip.dst
tshark -r capture.pcap -Y http -T fields \
    -e http.request.method -e http.request.full_uri

# Print as JSON
tshark -r capture.pcap -T json | jq .

# Count packets by protocol
tshark -r capture.pcap -q -z io,phs
```
```bash
# Extract HTTP objects
tshark -r capture.pcap --export-objects http,./out/

# Follow TCP stream N
tshark -r capture.pcap -q -z "follow,tcp,ascii,0"   # stream 0
tshark -r capture.pcap -q -z "follow,tcp,raw,5"     # hex, stream 5

# Extract all TCP streams (loop)
NSTREAMS=$(tshark -r capture.pcap -T fields -e tcp.stream \
    2>/dev/null | sort -un | tail -1)
for i in $(seq 0 "$NSTREAMS"); do
    tshark -r capture.pcap -q -z "follow,tcp,ascii,$i" \
        2>/dev/null > "stream_$i.txt"
done

# Search all streams for flag
grep -l "picoCTF" stream_*.txt
```
```bash
# List all DNS queries
tshark -r cap.pcap -Y dns -T fields -e dns.qry.name | sort -u

# List all HTTP URIs
tshark -r cap.pcap -Y http.request -T fields \
    -e http.request.full_uri

# Extract POST bodies
tshark -r cap.pcap \
    -Y 'http.request.method == "POST"' \
    -T fields -e http.file_data

# Find all credentials (basic auth)
tshark -r cap.pcap -Y "http.authorization" \
    -T fields -e http.authorization

# Unique IPs talking to port 80
tshark -r cap.pcap -Y "tcp.dstport==80" \
    -T fields -e ip.src | sort -u

# Data length histogram (data exfil via size?)
tshark -r cap.pcap -T fields -e data.len | sort | uniq -c
```
| Protocol | Filter | CTF technique |
|---|---|---|
| HTTP | http | Follow stream, export objects, POST bodies, cookies |
| DNS | dns | Data exfil in subdomain labels, TXT records with base64 |
| ICMP | icmp | Data in ICMP payload (covert channel), ping exfil |
| FTP | ftp or ftp-data | Plaintext creds in FTP, export objects for file content |
| Telnet/SSH | telnet | Telnet: plaintext keystrokes, follow TCP stream |
| SMTP | smtp | Email with attachment — export IMF objects |
| USB | usb | HID data = keystrokes, decode with usbhid-dump or script |
| MQTT | mqtt | IoT pub/sub — follow, look at topic + payload |
| CoAP | coap | IoT protocol — check payload |
| Modbus/ICS | modbus | Industrial protocols — check register values |
```bash
# If you have an SSL/TLS key log file (SSLKEYLOGFILE):
# Edit → Preferences → Protocols → TLS
# → (Pre)-Master-Secret log filename: path/to/ssl.log

# Generate key log while capturing:
SSLKEYLOGFILE=./ssl.log firefox &
SSLKEYLOGFILE=./ssl.log curl https://target/

# tshark with key log:
tshark -r capture.pcap \
    -o "tls.keylog_file:./ssl.log" \
    -Y http -T fields -e http.request.full_uri
```
```bash
# Data hidden in DNS subdomain queries
# e.g.: 6869666c6167.evil.com = hex-encoded "hiflag"
tshark -r cap.pcap -Y dns -T fields -e dns.qry.name \
    | grep "evil\.com" \
    | awk -F. '{print $1}' \
    | xxd -r -p

# Or base32/base64 encoded:
tshark -r cap.pcap -Y dns -T fields -e dns.qry.name \
    | grep "attacker" | awk -F. '{print $1}' \
    | base32 -d 2>/dev/null

# ICMP data exfil
tshark -r cap.pcap -Y icmp -T fields -e data.data \
    | xxd -r -p 2>/dev/null | strings
```
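The pipelines above each assume one encoding and one domain. As an added example that is not part of this cheat sheet, the Python below does the same job over tshark field output in one pass: it takes `dns.qry.name` lines in the shape `tshark -T fields -e dns.qry.name` produces, tries hex, base32 (padding restored) and base64 (standard or URL-safe) on the leading label of every query under a list of suspect domains, keeps the first decoding that is clean printable text, and reassembles the chunks per domain in capture order; a tiny `strings` equivalent does the ICMP step over `data.data` lines, accepting the hex with or without `:` separators. The query names, the domains `evil.com` and `attacker.net`, and the ICMP payload bytes are constructed for the example and taken from no real capture.

```python
import base64
import binascii
import re

# Constructed samples (not from a real capture) in the shape of tshark's `-T fields`
# output: one dns.qry.name per line, and one data.data hex string per line.
SAMPLE_QUERY_NAMES = """\
www.example.com
6869666c6167.evil.com
7b31323334357d.evil.com
NBSWY3DPEB3W64TMMQ.attacker.net
mail.example.com
aGVsbG8gd29ybGQ.attacker.net
"""
SAMPLE_ICMP_DATA = """\
08090a0b0c0d0e0f
666c61677b69636d705f657866696c7d0001
"""

_PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

def _candidates(label):
    """Yield (encoding, raw bytes) for each encoding that accepts the label cleanly."""
    if len(label) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", label):
        yield "hex", bytes.fromhex(label)
    if re.fullmatch(r"[A-Za-z2-7]+", label):               # base32 alphabet, padding stripped
        try:
            yield "base32", base64.b32decode(label.upper() + "=" * (-len(label) % 8))
        except binascii.Error:
            pass
    if re.fullmatch(r"[A-Za-z0-9+/_-]+", label):           # standard or URL-safe base64
        try:
            std = label.replace("-", "+").replace("_", "/") + "=" * (-len(label) % 4)
            yield "base64", base64.b64decode(std, validate=True)
        except binascii.Error:
            pass

def decode_label(label):
    """Return (encoding, text) for the first decoding that is clean printable text, else None."""
    for encoding, raw in _candidates(label):
        if raw and all(b in _PRINTABLE for b in raw):
            return encoding, raw.decode("ascii")
    return None

def extract_dns_exfil(field_output, suspect_domains):
    """Decode the leading label of every query under a suspect domain, in capture order,
    and return the reassembled text per domain."""
    chunks = {}
    for qname in field_output.splitlines():
        qname = qname.strip().rstrip(".")
        for domain in suspect_domains:
            if qname.endswith("." + domain):
                label = qname[: -len(domain) - 1].split(".")[0]
                decoded = decode_label(label)
                if decoded:
                    chunks.setdefault(domain, []).append(decoded[1])
    return {domain: "".join(parts) for domain, parts in chunks.items()}

def icmp_payload_strings(field_output, min_len=4):
    """A tiny `strings` over data.data lines (hex with or without ':' separators)."""
    found = []
    for line in field_output.splitlines():
        raw = bytes.fromhex(line.strip().replace(":", ""))
        for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, raw):
            found.append(m.group().decode("ascii"))
    return found
```

On the samples, `extract_dns_exfil(SAMPLE_QUERY_NAMES, ["evil.com", "attacker.net"])` yields `hiflag{12345}` for `evil.com` (two hex chunks joined) and `hello worldhello world` for `attacker.net` (one base32 and one base64 chunk), and `icmp_payload_strings(SAMPLE_ICMP_DATA)` skips the default ping pattern bytes and returns only `flag{icmp_exfil}`. Hex is tried first on purpose: a hex label is also valid base64, and the printable check is what rejects the wrong decoder.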
frame contains "flag" display filter
④ File → Export Objects → HTTP (extract files)
⑤ Follow TCP/HTTP streams for each interesting conversation
⑥ Check DNS queries for subdomain exfil
⑦ Check ICMP payload data for covert channel