traffic-analysis-pcap


SKILL: Traffic Analysis & PCAP — Expert Analysis Playbook


AI LOAD INSTRUCTION: Expert traffic analysis and PCAP forensics techniques. Covers PCAP repair, Wireshark essential filters, protocol-specific analysis (HTTP, HTTPS/TLS, DNS, FTP, SMTP, USB HID, WiFi, ICMP), data extraction (file carving, credential harvesting, covert channels), NetworkMiner, and tshark CLI analysis. Base models miss USB keyboard decode patterns, DNS tunneling detection heuristics, and TLS decryption workflows.

0. RELATED ROUTING


Before going deep, consider loading:
  • memory-forensics-volatility for correlating memory artifacts with network traffic
  • steganography-techniques for analyzing files extracted from traffic captures
  • network-protocol-attacks for understanding attack patterns visible in captures
  • reverse-shell-techniques for identifying shell traffic in captures


1. PCAP REPAIR


```bash
pcapfix corrupted.pcap -o fixed.pcap           # repair corrupted PCAP (bad header, truncated last record)
```

Magic bytes (first 4 bytes on disk, check with xxd capture.pcap | head -1): d4c3b2a1=pcap(LE), a1b2c3d4=pcap(BE), 4d3cb2a1/a1b23c4d=pcap with nanosecond timestamps (LE/BE), 0a0d0d0a=pcapng (its byte order comes from the 1a2b3c4d byte-order magic at offset 8). A capture that was killed mid-write is usually intact up to a cut-off final record; that is the case pcapfix repairs most reliably.
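The magic-byte check and the record walk can be scripted so that a capture that will not open is triaged before reaching for pcapfix. The following is an added example, not code from the playbook: it carries its own minimal parser for the classic pcap header and builds its sample captures in memory (constructed data), so it runs without any external tool.

```python
"""Added example, not part of the original playbook: identify a capture file by
its magic bytes and walk classic-pcap record headers to detect the truncation
that pcapfix repairs. The sample captures are built in memory (constructed data)."""
import struct

# first 4 bytes on disk -> (format, struct endianness, timestamp resolution)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("pcap", "<", "us"),   # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": ("pcap", ">", "us"),   # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("pcap", "<", "ns"),   # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": ("pcap", ">", "ns"),   # big-endian, nanoseconds
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"      # Section Header Block type, same in both byte orders


def identify(data: bytes) -> dict:
    """Classify the first bytes of a capture file."""
    magic = data[:4]
    if magic == PCAPNG_MAGIC:
        # pcapng: the byte-order magic 0x1a2b3c4d at offset 8 reveals endianness
        bom = data[8:12]
        endian = {b"\x4d\x3c\x2b\x1a": "<", b"\x1a\x2b\x3c\x4d": ">"}.get(bom, "?")
        return {"format": "pcapng", "endian": endian, "resolution": None, "linktype": None}
    if magic in PCAP_MAGICS and len(data) >= 24:
        fmt, endian, res = PCAP_MAGICS[magic]
        # global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype
        _, vmaj, vmin, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
        return {"format": fmt, "endian": endian, "resolution": res,
                "version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype}
    return {"format": "unknown", "endian": None, "resolution": None, "linktype": None}


def walk_pcap(data: bytes) -> dict:
    """Walk classic pcap records; report how many are intact and whether the file is cut off."""
    info = identify(data)
    if info["format"] != "pcap":
        raise ValueError("not a classic pcap file")
    endian, off, count = info["endian"], 24, 0
    truncated = False
    while off < len(data):
        if off + 16 > len(data):          # partial record header
            truncated = True
            break
        _ts_sec, _ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        if incl_len > info["snaplen"] or incl_len > orig_len:
            truncated = True              # implausible length: corrupt record header
            break
        if off + 16 + incl_len > len(data):
            truncated = True              # packet body cut off (typical of a killed capture)
            break
        off += 16 + incl_len
        count += 1
    return {"records": count, "truncated": truncated, "bytes_consumed": off}


def build_pcap(packets, endian="<", snaplen=65535, linktype=1) -> bytes:
    """Build a minimal classic pcap around the given frames (constructed test data)."""
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for i, pkt in enumerate(packets):
        out += struct.pack(endian + "IIII", 1700000000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    # with no argument, demonstrate on a constructed capture whose last record is cut short
    blob = open(path, "rb").read() if path else build_pcap([b"\x00" * 60, b"\x00" * 60])[:-5]
    print(identify(blob))
    if identify(blob)["format"] == "pcap":
        print(walk_pcap(blob))
```

Run it on the real file (`python3 pcapcheck.py corrupted.pcap`); a `truncated: True` with a non-zero record count means the header is fine and only the tail needs pcapfix, whereas `format: unknown` means the global header itself is damaged.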


```bash
editcap -F pcap capture.pcapng capture.pcap    # convert pcapng→pcap
mergecap -w merged.pcap file1.pcap file2.pcap  # merge captures
```

---

2. WIRESHARK ESSENTIAL FILTERS


IP / Host Filters


ip.addr == 10.0.0.1                  # source or destination
ip.src == 10.0.0.1                   # source only
ip.dst == 10.0.0.1                   # destination only
ip.addr == 10.0.0.0/24              # subnet
!(ip.addr == 10.0.0.1)              # exclude host

Protocol Filters


http                                  # all HTTP
dns                                   # all DNS
tcp                                   # all TCP
ftp                                   # all FTP
smtp                                  # all SMTP
tls                                   # all TLS/SSL
icmp                                  # all ICMP
arp                                   # all ARP

TCP / Stream


tcp.stream eq 5                       # follow specific TCP stream
tcp.port == 80                        # traffic on port 80
tcp.flags.syn == 1 && tcp.flags.ack == 0   # SYN packets (connection starts)
tcp.analysis.retransmission           # retransmitted packets
tcp.len > 0                           # packets with payload

HTTP


http.request.method == "POST"         # POST requests
http.request.method == "GET"          # GET requests
http.response.code == 200             # successful responses
http.response.code >= 400             # error responses
http.request.uri contains "login"     # URI contains string
http.host contains "target.com"       # specific host
http.content_type contains "json"     # JSON responses
http.cookie contains "session"        # session cookies
http.request.full_uri                 # show full URIs (column)

DNS


dns.qry.name contains "evil.com"     # specific domain queries
dns.qry.type == 1                    # A records
dns.qry.type == 28                   # AAAA records
dns.qry.type == 16                   # TXT records
dns.flags.response == 1              # DNS responses only
dns.resp.len > 100                   # large DNS responses

TLS


tls.handshake.type == 1              # Client Hello
tls.handshake.type == 2              # Server Hello
tls.handshake.extensions.server_name  # SNI (hostname; cleartext even in TLS 1.3 unless ECH is used)
tls.handshake.type == 11             # Certificate (visible only up to TLS 1.2; encrypted in TLS 1.3)

Content Search


frame contains "password"             # search in raw bytes
frame contains "flag{"                # CTF flag pattern
tcp contains "admin"                  # search in TCP payload


3. PROTOCOL ANALYSIS


HTTP — Follow Stream & Extract


Right-click packet → Follow → TCP Stream

Shows full HTTP request/response conversation


File extraction:


File → Export Objects → HTTP → Save All


Useful filters for credential hunting:


http.request.method == "POST" && frame contains "password"
http.request.method == "POST" && frame contains "login"
http.authbasic                        # Basic auth (base64 encoded, not encrypted)

HTTPS / TLS Decryption


```bash
# Method 1: SSLKEYLOGFILE (NSS key log written by the browser/client)
# Set environment variable BEFORE opening browser:
export SSLKEYLOGFILE=/tmp/sslkeys.log
firefox https://target.com
# Wireshark: Edit → Preferences → Protocols → TLS
#   → (Pre)-Master-Secret log filename: /tmp/sslkeys.log
# Works for TLS 1.2 and TLS 1.3 (the log holds per-session secrets, keyed by client random),
# but only for sessions of a client you control: the capture and the key log must cover
# the same sessions.

# Method 2: Server private key (RSA key exchange only)
# Wireshark: Edit → Preferences → Protocols → TLS → RSA keys list
#   → Add: IP, Port, Protocol, Key file (.pem)
# Fails for (EC)DHE cipher suites and for all of TLS 1.3: the session keys are not derivable
# from the server's long-term key, so a modern server's traffic needs Method 1 (or the
# equivalent key log written by the server-side library).
```

DNS — Tunneling Detection


```bash
# Indicators of DNS tunneling:
#   1. Unusually long subdomain labels (>30 chars; the protocol limit is 63 per label, 253 per name)
#   2. High volume of TXT record queries/responses (TXT carries the most data per answer)
#   3. Consistent query patterns to the same domain, each query a different subdomain
#   4. Base32/Base64-like subdomain strings (restricted alphabet, high entropy)
#   5. High query frequency from a single host
#
# Wireshark filter for suspicious DNS:
#   dns.qry.name.len > 50             # long query names
#   dns.qry.type == 16                # TXT records (common for tunneling)
#   dns.resp.len > 512                # large DNS responses
#
# tshark extraction:
tshark -r capture.pcap -Y "dns.qry.type==16" -T fields -e dns.qry.name
```
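The five indicators above are easiest to apply per (client, domain) pair rather than per packet. The following added example, which is not code from the playbook, scores tshark field output that way; the `SAMPLE` lines are constructed, and the registered-domain split is a naive last-two-labels rule (an assumption; a real run should use the Public Suffix List).

```python
"""Added example, not part of the original playbook: score DNS queries against
the tunneling indicators listed above. Input is the tab-separated output of
  tshark -r capture.pcap -Y "dns.flags.response==0" -T fields \
      -e frame.time_epoch -e ip.src -e dns.qry.name -e dns.qry.type
SAMPLE below is constructed, not taken from a real capture."""
import math
import re
from collections import defaultdict

# base32, base64url and hex all fall inside this alphabet once the name is lower-cased;
# on its own it also matches ordinary hostnames, hence the length and entropy checks
ENCODED_RE = re.compile(r"^[a-z0-9_-]+$")


def shannon_entropy(s: str) -> float:
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def split_name(qname: str):
    """(subdomain part, registered domain) using a naive last-two-labels rule.
    Assumption: a real deployment would consult the Public Suffix List instead."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze_queries(lines, long_label=30, min_queries=5):
    """Group queries by (client, registered domain) and compute the tunneling indicators."""
    groups = defaultdict(lambda: {"n": 0, "txt": 0, "subs": set(), "max_label": 0,
                                  "entropy": [], "encoded": 0, "times": []})
    for line in lines:
        if not line.strip():
            continue
        ts, src, qname, qtype = line.rstrip("\n").split("\t")
        sub, dom = split_name(qname.lower())
        g = groups[(src, dom)]
        g["n"] += 1
        g["times"].append(float(ts))
        if qtype == "16":
            g["txt"] += 1
        if sub:
            g["subs"].add(sub)
            g["max_label"] = max(g["max_label"], max(len(l) for l in sub.split(".")))
            compact = sub.replace(".", "")
            g["entropy"].append(shannon_entropy(compact))
            if len(compact) >= 16 and ENCODED_RE.match(compact):
                g["encoded"] += 1
    report = {}
    for key, g in groups.items():
        if g["n"] < min_queries:
            continue
        span = max(g["times"]) - min(g["times"])
        rate = g["n"] / span if span > 0 else float(g["n"])
        mean_ent = sum(g["entropy"]) / len(g["entropy"]) if g["entropy"] else 0.0
        uniq_ratio = len(g["subs"]) / g["n"]
        reasons = []
        if g["max_label"] > long_label:
            reasons.append("long-label")          # indicator 1
        if g["txt"] / g["n"] > 0.5:
            reasons.append("txt-heavy")           # indicator 2
        if uniq_ratio > 0.9:
            reasons.append("unique-subdomains")   # indicator 3: every query carries a fresh chunk
        if mean_ent > 3.5 or g["encoded"] / g["n"] > 0.5:
            reasons.append("encoded-looking")     # indicator 4
        if rate > 1.0:
            reasons.append("high-rate")           # indicator 5: more than one query per second
        report[key] = {"queries": g["n"], "max_label": g["max_label"],
                       "mean_entropy": round(mean_ent, 2), "unique_ratio": round(uniq_ratio, 2),
                       "rate_qps": round(rate, 2), "reasons": reasons,
                       "suspicious": len(reasons) >= 3}
    return report


_T = 1700000000.0
SAMPLE = [
    # tunnel client: six TXT queries within one second, each a fresh 42-char base32 label
    f"{_T + 0.0}\t10.0.0.5\tmfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.tunnel.example\t16",
    f"{_T + 0.2}\t10.0.0.5\tge2tknrxge4dsmzrgaytemjrgyzdiobqhe4dgmrqga.tunnel.example\t16",
    f"{_T + 0.4}\t10.0.0.5\tnbswy3dpebtw64tmmqqhg2lhnzsw4zlsn5xgkzdpmq.tunnel.example\t16",
    f"{_T + 0.6}\t10.0.0.5\tkrugkidrovuwg2zamjwg65tnebtg66lcmvzcaylmmu.tunnel.example\t16",
    f"{_T + 0.8}\t10.0.0.5\tonswy3dporsxg5dfnzsgk3tufyqhe2lomvrxi2lpnu.tunnel.example\t16",
    f"{_T + 1.0}\t10.0.0.5\tpf2xgylnn5xgsidpmvzc4yltmvzcaylmnfsw45djmu.tunnel.example\t16",
    # ordinary client: the same web host resolved every 30 s
    f"{_T + 0}\t10.0.0.7\twww.example.org\t1",
    f"{_T + 30}\t10.0.0.7\twww.example.org\t1",
    f"{_T + 60}\t10.0.0.7\twww.example.org\t1",
    f"{_T + 90}\t10.0.0.7\twww.example.org\t1",
    f"{_T + 120}\t10.0.0.7\twww.example.org\t1",
]

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for key, stats in analyze_queries(source).items():
        print(key, stats)
```

Feed it the tshark output (`tshark ... > queries.tsv; python3 dnsscore.py queries.tsv`). Requiring three indicators before flagging keeps CDN and anti-virus update domains, which trip one or two of them legitimately, out of the list.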

FTP — Credential & File Extraction


```bash
# FTP credentials (plaintext)
# Filter: ftp.request.command == "USER" || ftp.request.command == "PASS"
#
# FTP file transfer reconstruction:
# FTP uses a separate data channel: in active mode the server connects out from port 20,
# in passive mode the client connects to the port announced in the server's
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply, port = p1*256 + p2.
# Filter ftp-data to see the data connections, then Follow TCP Stream → Show as Raw → Save As
# to extract the file; pair it with the RETR/STOR command issued just before on the control channel.
#
# tshark:
tshark -r capture.pcap -Y 'ftp.request.command=="USER" || ftp.request.command=="PASS"' \
  -T fields -e ip.src -e ftp.request.command -e ftp.request.arg
```

SMTP — Email Content Extraction


```bash
# Follow TCP stream → MAIL FROM / RCPT TO / DATA sections
# Attachments: base64 in MIME → decode the Content-Transfer-Encoding: base64 blocks
# (File → Export Objects → IMF saves each message whole, attachments included)
#
# Filters:
#   smtp.req.command == "AUTH"                        # authentication (AUTH PLAIN/LOGIN are base64, not encryption)
#   smtp contains "Content-Disposition: attachment"   # attachments
```

USB — Keyboard HID Capture Decode


```bash
# USB HID keyboard traffic: interrupt IN transfers carrying 8-byte boot-protocol reports
# Filter: usb.transfer_type == 0x01
#
# Extract keystrokes:
tshark -r usb.pcap -Y "usb.capdata && usb.data_len == 8" -T fields -e usb.capdata > keystrokes.txt
# (newer Wireshark builds may dissect the report as usbhid.data rather than usb.capdata;
#  if the output is empty, check the packet details pane and swap the field name)
#
# HID report layout: byte[0]=modifier bitmask (0x01 L-Ctrl, 0x02 L-Shift, 0x04 L-Alt, 0x08 L-GUI,
#                    0x10 R-Ctrl, 0x20 R-Shift, ...), byte[1]=reserved,
#                    byte[2..7]=up to six keycodes currently held down
# 0x04=a..0x1d=z, 0x1e=1..0x27=0, 0x28=Enter, 0x2a=Backspace, 0x2c=Space
# A key that stays down reappears in every following report, and an all-zero report is the
# release; decode a keycode only when it is new relative to the previous report, and apply
# the shift bits to get upper case / symbols.
# Use Python/online HID decoder to convert keycodes → text
```
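A decoder that follows the rules above is short enough to keep in the toolkit. The following is an added example, not code from the playbook; it assumes a US keyboard layout, and `SAMPLE` is a constructed sequence of reports rather than a real capture.

```python
"""Added example, not part of the original playbook: rebuild typed text from
USB HID boot-protocol keyboard reports as dumped by
  tshark -r usb.pcap -Y "usb.capdata && usb.data_len == 8" -T fields -e usb.capdata
Assumes a US keyboard layout. Handles Shift, key-repeat suppression and Backspace.
SAMPLE below is constructed, not taken from a real capture."""

# HID usage ID -> (unshifted, shifted) for the US layout
KEYMAP = {}
for i, ch in enumerate("abcdefghijklmnopqrstuvwxyz"):
    KEYMAP[0x04 + i] = (ch, ch.upper())                 # 0x04=a .. 0x1d=z
for i, (d, s) in enumerate(zip("1234567890", "!@#$%^&*()")):
    KEYMAP[0x1E + i] = (d, s)                           # 0x1e=1 .. 0x27=0
KEYMAP.update({
    0x28: ("\n", "\n"), 0x2B: ("\t", "\t"), 0x2C: (" ", " "),
    0x2D: ("-", "_"), 0x2E: ("=", "+"), 0x2F: ("[", "{"), 0x30: ("]", "}"),
    0x31: ("\\", "|"), 0x33: (";", ":"), 0x34: ("'", '"'), 0x35: ("`", "~"),
    0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?"),
})
BACKSPACE = 0x2A
SHIFT_MASK = 0x02 | 0x20      # left shift | right shift bits of the modifier byte


def parse_report(line: str) -> bytes:
    """Accept '00:00:04:00:00:00:00:00' (older tshark) or '0000040000000000'; return 8 raw bytes."""
    data = bytes.fromhex(line.strip().replace(":", ""))
    if len(data) != 8:
        raise ValueError(f"not an 8-byte boot keyboard report: {line!r}")
    return data


def decode_reports(lines, unknown="?") -> str:
    """Each report lists every key currently down (bytes 2..7). A key is emitted only when it
    appears in a report and was absent from the previous one, so held keys are not repeated."""
    out, prev_keys = [], set()
    for line in lines:
        if not line.strip():
            continue
        rep = parse_report(line)
        shifted = bool(rep[0] & SHIFT_MASK)
        keys = [k for k in rep[2:8] if k]
        for k in keys:
            if k in prev_keys:
                continue
            if k == BACKSPACE:
                if out:
                    out.pop()
            elif k in KEYMAP:
                out.append(KEYMAP[k][1] if shifted else KEYMAP[k][0])
            else:
                out.append(unknown)       # unmapped usage (F-keys, arrows, keypad, ...)
        prev_keys = set(keys)
    return "".join(out)


# Constructed reports: "flag{Hi}" + Enter, with one typo corrected by Backspace
SAMPLE = [
    "00:00:09:00:00:00:00:00",  # f
    "00:00:00:00:00:00:00:00",  # all keys released
    "00:00:0f:00:00:00:00:00",  # l
    "00:00:00:00:00:00:00:00",
    "00:00:04:00:00:00:00:00",  # a
    "00:00:00:00:00:00:00:00",
    "00:00:0a:00:00:00:00:00",  # g
    "00:00:00:00:00:00:00:00",
    "02:00:2f:00:00:00:00:00",  # Shift + [ -> {
    "02:00:00:00:00:00:00:00",  # Shift still held, key released
    "02:00:0b:00:00:00:00:00",  # Shift + h -> H
    "02:00:0b:00:00:00:00:00",  # same report again (key held): must not emit a second H
    "00:00:00:00:00:00:00:00",
    "00:00:0d:00:00:00:00:00",  # j (typo)
    "00:00:00:00:00:00:00:00",
    "00:00:2a:00:00:00:00:00",  # Backspace
    "00:00:00:00:00:00:00:00",
    "00:00:0c:00:00:00:00:00",  # i
    "00:00:00:00:00:00:00:00",
    "02:00:30:00:00:00:00:00",  # Shift + ] -> }
    "00:00:00:00:00:00:00:00",
    "00:00:28:00:00:00:00:00",  # Enter
]

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    print(decode_reports(source), end="")
```

`python3 hiddecode.py keystrokes.txt` prints the reconstructed text. If the output is garbage, the capture probably contains reports from a second device (a mouse, or a keyboard's media-key interface); restrict the tshark filter to the keyboard's usb.src address first.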

WiFi — WPA Handshake


```bash
# Capture: airodump-ng --bssid AP_MAC -w capture wlan0mon
# (airodump-ng numbers its output files, e.g. capture-01.cap)
# The crack needs the EAPOL 4-way handshake (filter: eapol): at least M1+M2 or M2+M3 of one client
# Convert + crack:
hcxpcapngtool -o hash.hc22000 capture.pcap      # reads pcap or pcapng; emits EAPOL pairs and PMKIDs
hashcat -m 22000 hash.hc22000 wordlist.txt
# Deauth detection: wlan.fc.type_subtype == 0x0c
# (a burst of deauth frames immediately followed by a fresh handshake = forced reconnect to harvest it)
```

ICMP — Data Exfiltration


```bash
# ICMP payload analysis
# Normal ping: Windows sends 32 bytes ("abcdefghijklmnopqrstuvwabcdefghi");
#              Linux/iputils sends 56 bytes: a timestamp (8 or 16 bytes) followed by the
#              byte offset as fill pattern (... 10 11 12 ... 37)
# Exfiltration/tunnel: meaningful or high-entropy data in the payload, sizes that vary from
# packet to packet, echo replies whose payload differs from the request they answer
#
# Filter:
#   icmp && data.len > 56           # larger than any stock ping payload
#                                   # (48 would match every default Linux ping, which is exactly 56 bytes)
#   icmp.type == 8                  # echo requests
#
# Extract ICMP payloads:
tshark -r capture.pcap -Y "icmp.type==8" -T fields -e ip.src -e data.data
```
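Size alone is a weak test, since the stock patterns are recognisable byte for byte. The following added example, not code from the playbook, classifies each extracted payload against the Windows and Linux ping fillers and reports any source that sends anything else; the Linux check is generalised to any `-s` size rather than only the default 56 bytes. `SAMPLE` is constructed.

```python
"""Added example, not part of the original playbook: classify ICMP echo-request
payloads from the output of
  tshark -r capture.pcap -Y "icmp.type==8" -T fields -e ip.src -e data.data
Stock Windows and Linux ping payloads are recognised (the Linux check is generalised
to any -s size); everything else is reported per source. SAMPLE is constructed."""
import math
from collections import Counter, defaultdict

WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"   # Windows ping default, 32 bytes


def entropy_bits(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def is_linux_ping(payload: bytes) -> bool:
    """iputils fills byte i with the value i, then overwrites the first 8 (32-bit) or
    16 (64-bit) bytes with a timestamp, so the tail is 08 09 ... or 10 11 ... up to the end."""
    n = len(payload)
    for ts_len in (8, 16):
        if n > ts_len and payload[ts_len:] == bytes(i & 0xFF for i in range(ts_len, n)):
            return True
    return False


def classify_payload(payload: bytes) -> str:
    if payload == WINDOWS_PATTERN:
        return "windows-ping"
    if is_linux_ping(payload):
        return "linux-ping"
    printable = sum(0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D) for b in payload)
    if payload and printable / len(payload) > 0.9:
        return "text"                      # readable data: commands, creds, file contents
    if len(payload) >= 16 and entropy_bits(payload) > 0.9 * math.log2(min(len(payload), 256)):
        return "high-entropy"              # encrypted or compressed exfil chunk
    return "other"


def analyze(lines):
    """Per-source summary: anything that is not a stock ping payload is flagged."""
    per_src = defaultdict(lambda: {"total": 0, "labels": Counter(), "sizes": set()})
    for line in lines:
        if not line.strip():
            continue
        src, hexdata = line.rstrip("\n").split("\t")
        payload = bytes.fromhex(hexdata.replace(":", ""))   # tshark prints aa:bb or aabb by version
        s = per_src[src]
        s["total"] += 1
        s["labels"][classify_payload(payload)] += 1
        s["sizes"].add(len(payload))
    report = {}
    for src, s in per_src.items():
        non_ping = s["total"] - s["labels"]["windows-ping"] - s["labels"]["linux-ping"]
        report[src] = {"total": s["total"], "non_ping": non_ping, "distinct_sizes": len(s["sizes"]),
                       "labels": dict(s["labels"]), "suspicious": non_ping > 0}
    return report


def _linux_payload(ts: int, size: int = 56) -> bytes:
    """Constructed 64-bit iputils payload: 16-byte timeval then offset fill."""
    return ts.to_bytes(8, "little") + (0).to_bytes(8, "little") + bytes(i & 0xFF for i in range(16, size))


SAMPLE = [
    # Windows host pinging normally
    "10.0.0.9\t" + WINDOWS_PATTERN.hex(),
    "10.0.0.9\t" + WINDOWS_PATTERN.hex(),
    # Linux host: the timestamp changes per packet, the fill pattern does not (one packet used -s 1000)
    "10.0.0.12\t" + _linux_payload(1700000000).hex(),
    "10.0.0.12\t" + _linux_payload(1700000001, size=1008).hex(),
    # tunnelling host: a readable credential string, then a high-entropy chunk
    "10.0.0.33\t" + b"user=admin;pass=hunter2".hex(),
    "10.0.0.33\t" + bytes((i * 73 + 41) % 256 for i in range(64)).hex(),
]

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for src, stats in analyze(source).items():
        print(src, stats)
```

Hosts whose every payload is a stock pattern drop out; a host with `non_ping > 0` is worth following with `-z follow,udp` style stream reassembly of its echo requests and, separately, of the replies, since tunnels such as ptunnel carry data in both directions.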

---

4. DATA EXTRACTION


File Carving


```bash
# Wireshark: File → Export Objects
# Supported: HTTP, SMB, TFTP, IMF (email), DICOM
#
# Manual from reassembled stream:
# Follow TCP Stream → Show as Raw → Save As
#
# binwalk / foremost on exported stream data
binwalk -e exported_stream.bin
foremost -i exported_stream.bin -o carved/
```

Credential Harvesting


```bash
# Plaintext: ftp || telnet || http.authbasic || smtp || pop || imap
#
# NTLM: ntlmssp.auth.username → extract challenge/response from NTLMSSP messages
#   the server challenge is in the CHALLENGE (type 2) message, NTProofStr and the blob in the
#   AUTHENTICATE (type 3) message of the same session; the blob is the NTLMv2 response with
#   its first 16 bytes (the NTProofStr) removed
# Hash format: user::domain:challenge:NTProofStr:blob → hashcat -m 5600 (NTLMv2)
```

Covert Channel Detection


Indicators: DNS with long subdomains, ICMP with large payloads, HTTP with encoded headers, regular beacon intervals (C2). Use tshark -q -z io,stat,1 (packets and bytes per second; a flat, strictly periodic trickle is a beacon) and -z conv,tcp (per-conversation byte counts; one external peer dominating outbound bytes is exfil) for statistical anomaly detection.
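The beacon-interval test is the one that is hardest to eyeball in an io,stat table, so it is worth scripting. The following added example, not code from the playbook, measures the inter-connection interval of every (source, destination, port) flow from tshark SYN output and flags flows whose intervals barely vary; `SAMPLE` is constructed, and the documentation-range addresses in it are placeholders.

```python
"""Added example, not part of the original playbook: find beacon-like connection
timing from the output of
  tshark -r capture.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" -T fields \
      -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport
Each (src, dst, port) flow's inter-connection intervals are measured; low jitter
over enough connections is the C2 beacon signature. SAMPLE is constructed."""
import statistics
from collections import defaultdict


def find_beacons(lines, min_connections=6, max_jitter=0.2):
    """Return per-flow interval statistics; 'beacon' is True when intervals are near-constant."""
    flows = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port = line.rstrip("\n").split("\t")
        flows[(src, dst, int(port))].append(float(ts))
    report = {}
    for key, times in flows.items():
        if len(times) < min_connections:
            continue                       # too few samples to call anything periodic
        times.sort()
        deltas = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(deltas)
        # coefficient of variation: stdev relative to the mean interval. Implant jitter of
        # 10-20% still lands well below the irregular timing of human-driven traffic.
        jitter = statistics.pstdev(deltas) / mean if mean > 0 else float("inf")
        report[key] = {"connections": len(times), "interval_s": round(mean, 1),
                       "jitter": round(jitter, 3), "beacon": jitter < max_jitter}
    return report


_T = 1700000000.0
SAMPLE = (
    # implant: one connection every 60 s with sub-second jitter
    [f"{_T + 60 * i + j}\t10.0.0.5\t203.0.113.10\t443"
     for i, j in enumerate([0.0, 0.4, -0.3, 0.2, 0.5, -0.1, 0.3, 0.0])]
    # the same host browsing: bursts and long gaps
    + [f"{_T + t}\t10.0.0.5\t198.51.100.7\t443" for t in [0, 3, 3.5, 40, 41, 120, 300, 301]]
    # too few connections to judge
    + [f"{_T + t}\t10.0.0.5\t192.0.2.20\t80" for t in [5, 9, 700]]
)

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for key, stats in sorted(find_beacons(source).items(), key=lambda kv: kv[1]["jitter"]):
        print(key, stats)
```

Sort the output by jitter and look at the top entries; a low-jitter flow to a host that also shows up in the DNS or TLS SNI lists with an unfamiliar name is the one to pivot on with tcp.stream.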


5. NETWORKMINER


```bash
# Automated PCAP analysis (NetworkMiner is a .NET application; on Linux it runs under mono)
sudo apt install networkminer
# Open PCAP → auto-extracts: Files, Images, Credentials, Sessions, DNS
# Files tab: carved from HTTP/SMB/FTP | Credentials tab: plaintext creds
```


---


6. TSHARK COMMAND-LINE ANALYSIS


```bash
tshark -r capture.pcap -Y "http.request" -T fields -e http.host -e http.request.uri
tshark -r capture.pcap -Y "dns.flags.response==0" -T fields -e dns.qry.name | sort -u
tshark -r capture.pcap -Y "http.request.method==POST" -T fields -e http.file_data
tshark -r capture.pcap -q -z io,stat,1                # I/O graph
tshark -r capture.pcap -q -z conv,tcp                  # TCP conversations
tshark -r capture.pcap -q -z endpoints,ip              # IP endpoints
tshark -r capture.pcap -q -z io,phs                    # protocol hierarchy
tshark -r capture.pcap -q -z follow,tcp,ascii,0        # follow stream 0
tshark -r capture.pcap --export-objects http,/tmp/exported/
```


7. DECISION TREE


PCAP file for analysis
├── File won't open?
│   ├── Check magic bytes: xxd | head (§1)
│   ├── Repair: pcapfix (§1)
│   └── Convert: editcap pcapng→pcap (§1)
├── What's in the capture? (Quick overview)
│   ├── tshark -q -z io,phs (protocol hierarchy) (§6)
│   ├── tshark -q -z conv,tcp (conversations) (§6)
│   └── tshark -q -z endpoints,ip (endpoints) (§6)
├── HTTP traffic?
│   ├── Export objects: File → Export Objects → HTTP (§4)
│   ├── Credential hunt: POST + password/login filters (§3)
│   ├── Follow streams: interesting request/response pairs (§3)
│   └── Encrypted (HTTPS)? → need SSLKEYLOGFILE or RSA key (§3)
├── DNS traffic?
│   ├── Long subdomains? → DNS tunneling (§3)
│   ├── High TXT record volume? → DNS exfiltration (§3)
│   ├── Extract all queries: tshark -Y dns -T fields -e dns.qry.name (§6)
│   └── DNS rebinding? → check for alternating A record responses
├── FTP / Telnet / SMTP?
│   ├── Extract credentials (plaintext) (§3)
│   ├── Reconstruct file transfers (follow data stream) (§3)
│   └── Email content and attachments (base64 decode) (§3)
├── USB traffic?
│   ├── Keyboard HID → decode keystrokes (§3)
│   ├── Storage → extract transferred files
│   └── Check transfer_type and data_len fields
├── WiFi traffic?
│   ├── WPA handshake → crack with hashcat (§3)
│   ├── Deauth frames → detect attack (§3)
│   └── Probe requests → device fingerprinting
├── ICMP traffic?
│   ├── Large/variable payloads → data exfiltration (§3)
│   ├── Regular pattern → ICMP tunnel (§3)
│   └── Extract payloads: tshark -Y icmp -T fields -e data.data
├── Suspicious patterns?
│   ├── Regular beacon interval → C2 communication (§4)
│   ├── Unusual port/protocol combos → covert channel (§4)
│   ├── High volume to single external IP → data exfil (§4)
│   └── Encrypted traffic without SNI → suspicious tunnel
└── Need automated extraction?
    ├── NetworkMiner for files/creds/images (§5)
    ├── tshark --export-objects for HTTP/SMB files (§6)
    └── binwalk/foremost on exported streams (§4)