Network traffic research

Especially for future students of the course “Network engineer. Basic “ our expert – Alexander Kolesnikov has prepared an interesting author’s material.

We also invite you to take part in an open online lesson on the topic “STP. What? What for? Why?”… The participants of the lesson, together with an expert, will review the STP protocol, analyze the logic of its operation, and analyze its advantages and disadvantages.

This article will tell you how you can work with network traffic. Using the example of several dumps of network traffic, the work of several useful tools will be analyzed, and approaches to extracting and collecting information from traffic are shown.

Instrumentation and research methodology

We will use the following software to parse the traffic:

All tools do not need a particularly detailed introduction, as they are one-of-a-kind free traffic solutions. First two tshark and wireshark generally provided as part of the same solution. Both tools allow you to record and parse traffic in terms of statistics, transmitted data and protocol structures.

Let’s try using these tools on recorded network traffic. All traffic is taken from various resources and collected here here, so the reader, if desired, can independently analyze them according to the instructions from the article.

Disclamer: All traffic files come from various CTF contests, all assignment rights belong to their authors.

To study traffic, we will adhere to the minimum strategy:

  1. Determine the number of network participants;

  2. Determine the protocol stack used;

  3. Based on point 2, make a decision to search for data in descending order of popularity of traffic usage;

  4. If it turns out that the data that is transmitted in the traffic was not processed with additional coding, then apply a text filter.

Examples of traffic analysis

The first task to parse:

1.pcap(9cd84b46fee506dae818ecdca76607d1)… The task is to find data that will contain information of the form "FLAG-???????????"… Let’s start with the analysis. Let’s walk through the method described in the last paragraph:

The number of participants in the network is very easy to determine using WireShark (Everything described for this tool can be repeated on tshark… The author uses WireShark for clarity). In WireShrak options, select “Statistics-> Endpoints”:

In total, we have 8 unique IP addresses that participated in the interaction. Let’s define a protocol stack. This can be done in the same menu “Statistics-> Protocol Hierarchy”:

So, the most popular communication protocol is http. This protocol inside the file pcap is stored in textual representation so you can try to show all data from body sent data and filter the data by the format of the desired string. Let’s try to do this with tshark… The command for the filter will look like this:

```  tshark -r ./1.pcap -Y http -Tfields -e http.file_data | grep "FLAG"```

As a result, we get the result:

The second file for research is 2.pcap (9a67e1fb9e529b7acfc6e91db6e1b092)… Let’s carry out the research stages. Number of interaction participants:

In this case, there are 13 participants – the task becomes more difficult. What protocols are used:

Unfortunately, this time everything is not so simple with the protocols used for data transfer. Among the information sent through the tcp protocol, nothing interesting was found for our task. In udp, there is something interesting:

``` tshark -r ./2.pcap -Y 'dns' ```

However, if we pay attention to the resolution of local addresses through dns, then we can find the following picture:

The weird part of the ip address that looks a lot like some encoded hexadecimal characters. Let’s try to pass them through the encoding:

```tshark -r ./2.pcap -Y '!icmp.code && contains 192.168' -Tfields -e | tr '.' ' ' |awk '{print $1}' |xxd -r```

The resulting string is very similar to base64 encoding, decode:

``` base64 -D <<< 


We will use as the target network traffic 3.pcap(0e66830db52ad51971d40c77fa5b02c0)… Let’s analyze the number of interaction participants and the statistics of the protocols used:

It seems that this time there are fewer protocols, but there are more options for where to hide the data. Let’s try to filter data using the http protocol.

``` tshark -r ./3.pcap -Y http```

The most interesting lines are at the end of the recorded traffic, these are http requests for the “” and “secret.txt” files. Let’s dump them through Wireshark and try to open them:

Let’s try to dump a file called via WireShark. The standard interface cannot do this, so you have to make a small hack – save the data in Raw format:

We open with the already found password:

It looks like the file is damaged there is no part that contains the information we need. After a while, if you filter by the streams that are in tcp, you can come across parts of the archive fragments:

Let’s save a dump of this stream and cut out a fragment of the archive using a simple program:

 data = []
 with open('dump') as f:
     data =
with open('','w') as w:

Trying to unpack:

``` 7z x ./ ```

It looks like some of the data is not available, but we were able to recover the flag.txt file

The described technique can allow to extract information from the recorded network data. As a consolidation of the material, we suggest the reader to find the data in traffic 4.pcap(604bbac867a6e197972230019fb34b2e)

Learn more about the course “Network engineer. Basic “.

Register for a related webinar “STP. What? What for? Why?”.

Read more:

  • Linux sockets

Similar Posts

Leave a Reply