Traffic Packet Analysis

In CTF competitions, forensic analysis of captured network traffic is another important direction of investigation.

Usually a PCAP file containing the captured traffic is provided during the game, and sometimes the player is required to repair or reconstruct the transferred file before it can be analyzed.

The PCAP category focuses on the direction of the investigation. The complicated part is that the capture is padded with a large amount of irrelevant traffic, so classifying and filtering the data is the work the contestant has to complete.

In general, the analysis follows these steps:

  • Overall grasp
      • Protocol hierarchy
      • Endpoint statistics
  • Filtering and selection
      • Filter syntax
      • Host, Protocol, contains, characteristic values
  • Finding anomalies
      • Special strings
      • A specific protocol field
      • The flag is located on the server
  • Data extraction
      • String extraction
      • File extraction
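
The steps above (protocol hierarchy, endpoint statistics, host/protocol/contains filters, and string extraction) are usually performed in Wireshark, but they can be reproduced against a raw capture to make the workflow concrete. The following added example is not part of the original page; it builds a small constructed PCAP in memory (two HTTP exchanges and one stray UDP datagram, all invented addresses and content), parses the classic little-endian PCAP format with only the standard library, and then runs each triage step over it. The packet builder helpers, the host names and the `flag{...}` value are all constructed for the demonstration.

```python
"""PCAP triage without third-party libraries: protocol hierarchy, endpoint
statistics, Wireshark-style filtering and string/flag extraction, run over a
constructed sample capture."""
import re
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, little-endian, microsecond timestamps


def _ipv4(src, dst, proto, payload):
    """IPv4 header (no options) around payload; checksum left zero (constructed data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def _tcp(sport, dport, payload):
    # 20-byte TCP header: data offset 5, flags PSH|ACK, checksum zero
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload


def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def _frame(src, dst, proto, l4):
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"  # EtherType IPv4
    return eth + _ipv4(src, dst, proto, l4)


def build_capture():
    """Constructed sample capture: HTTP chatter plus one odd UDP datagram."""
    frames = [
        _frame("10.0.0.2", "10.0.0.1", 6, _tcp(40000, 80, b"GET /index.html HTTP/1.1\r\nHost: ctf.example\r\n\r\n")),
        _frame("10.0.0.1", "10.0.0.2", 6, _tcp(80, 40000, b"HTTP/1.1 200 OK\r\n\r\n<html>hello</html>")),
        _frame("10.0.0.2", "10.0.0.1", 6, _tcp(40001, 80, b"GET /secret HTTP/1.1\r\nHost: ctf.example\r\n\r\n")),
        _frame("10.0.0.1", "10.0.0.2", 6, _tcp(80, 40001, b"HTTP/1.1 200 OK\r\n\r\nflag{constructed_sample}")),
        _frame("10.0.0.2", "10.0.0.3", 17, _udp(5353, 5353, b"\x00\x01\x02\x03")),
    ]
    # global header: magic, major, minor, tz offset, sigfigs, snaplen, linktype 1 = Ethernet
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f  # per-record header
    return out


def parse_pcap(data):
    """Yield one dict per packet: proto, src, dst, sport, dport, payload."""
    magic, = struct.unpack("<I", data[:4])
    assert magic == PCAP_MAGIC, "only little-endian classic pcap is handled here"
    off = 24
    while off + 16 <= len(data):
        _ts, _us, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":          # not IPv4: still count it in the hierarchy
            yield {"proto": "non-ip", "payload": b""}
            continue
        ihl = (frame[14] & 0x0F) * 4
        total_len, = struct.unpack("!H", frame[16:18])
        proto = frame[23]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        l4 = frame[14 + ihl:14 + total_len]
        if proto == 6:
            sport, dport = struct.unpack("!HH", l4[:4])
            payload, name = l4[(l4[12] >> 4) * 4:], "tcp"   # skip TCP header by data offset
        elif proto == 17:
            sport, dport = struct.unpack("!HH", l4[:4])
            payload, name = l4[8:], "udp"
        else:
            sport = dport = None
            payload, name = l4, "ip-proto-%d" % proto
        yield {"proto": name, "src": src, "dst": dst, "sport": sport, "dport": dport, "payload": payload}


def protocol_hierarchy(packets):
    """Step 1a: how much of the capture is each transport protocol."""
    return Counter(p["proto"] for p in packets)


def endpoint_stats(packets):
    """Step 1b: which hosts talk the most (packets seen per address)."""
    c = Counter()
    for p in packets:
        if "src" in p:
            c[p["src"]] += 1
            c[p["dst"]] += 1
    return c


def filter_packets(packets, host=None, proto=None, contains=None):
    """Step 2: the equivalent of ip.addr == host, a protocol filter and 'contains'."""
    out = []
    for p in packets:
        if host and host not in (p.get("src"), p.get("dst")):
            continue
        if proto and p["proto"] != proto:
            continue
        if contains and contains not in p["payload"]:
            continue
        out.append(p)
    return out


def extract_strings(packets, min_len=4):
    """Step 4a: printable ASCII runs from every payload (the 'strings' view)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [s.decode() for p in packets for s in pat.findall(p["payload"])]


def find_flags(packets):
    """Step 3: look for the special string pattern a CTF flag usually has."""
    return [m.decode() for p in packets for m in re.findall(rb"flag\{[^}]*\}", p["payload"])]


if __name__ == "__main__":
    pkts = list(parse_pcap(build_capture()))
    print("hierarchy:", dict(protocol_hierarchy(pkts)))
    print("endpoints:", endpoint_stats(pkts).most_common())
    print("GET requests:", len(filter_packets(pkts, proto="tcp", contains=b"GET")))
    print("flags:", find_flags(pkts))
```

The sequence mirrors the steps listed above: `protocol_hierarchy` and `endpoint_stats` give the overall grasp, `filter_packets` reproduces the Host / Protocol / contains filters, and `extract_strings` / `find_flags` cover anomaly spotting and string extraction. On a real capture the same loop applies, with the usual caveat that the parser here handles only the classic little-endian PCAP format with Ethernet frames and untrimmed IPv4/TCP/UDP, so pcapng files or truncated frames must be converted or handled separately.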

In general, traffic analysis in a competition can be summarized in the following three directions:

  • Traffic packet repair
  • Protocol analysis
  • Data Extraction