Experiment 9: Packet traffic capture and protocol analysis

  • Su Yucheng
  • 031803108

1. Experimental purpose

  • Master the use of Wireshark and be able to use Wireshark for simple protocol analysis
  • Proficient in defining Wireshark filters to find the required information from data packets

2. Experimental principles

Wireshark is a cross-platform network sniffer with a graphical interface. As an open source project it has been improved by many developers and has become one of the most widely used network security tools.

Using Wireshark to analyze packets involves four basic parts: packet filtering, packet searching, stream restoration (reassembly), and data extraction.

Packet filtering is the core function of Wireshark. Packets can be filtered on specific values such as IP address, MAC address or port; for example, entering the display filter ip.dst==202.106.3.25 keeps only packets whose destination IP is 202.106.3.25. Packets can also be filtered by protocol, such as HTTP or Telnet, for example:

  • Keep only HTTP requests whose method is GET: http.request.method=="GET"
  • Keep only HTTP requests whose method is POST: http.request.method=="POST"
  • Keep only HTTP requests or responses whose content contains a specific string, here FLAG: http contains "FLAG"
  • Keep only packets whose HTTP request URI is /img/logo-edu.gif: http.request.uri=="/img/logo-edu.gif"

Wireshark's search function supports regular expressions, strings, hexadecimal values and other search methods. Normally you press "Ctrl+F" in the Wireshark window and search for a keyword as a string. The search bar offers three scopes, Packet List, Packet Details and Packet Bytes, so the search can be narrowed to different parts of the packet content.

Stream restoration: Wireshark can follow a data stream, that is, collect the segments of an HTTP or TCP conversation and reassemble them into the original data. Select the packet of interest, right-click and choose "Follow" → TCP Stream / UDP Stream / SSL Stream / HTTP Stream; the reassembled conversation is shown in a pop-up window.

Wireshark can also extract the contents of files transmitted (uploaded or downloaded) over HTTP, as follows:

Select the packet carrying the HTTP file transfer, locate the data or "Line-based text data: text/html" layer in the Packet Details pane, right-click and choose "Export Packet Bytes", then click "Save As" to write the file to disk.

In practice, therefore, you first apply a filter of the form protocol contains "key" to keep only packets of the given protocol that contain the string key, then right-click those packets and choose "Follow Stream". Following streams takes patient analysis: pay special attention to files that may hide key information, such as HTML files, compressed archives, script files, text files and image files, and export their contents for further analysis as needed. For more on using Wireshark, see the reference links and the official Wireshark User's Guide: https://www.wireshark.org/docs/wsug_html_chunked/

3. Experimental topics

Analyze the traffic and obtain a string in the format: flag_hctf{xxxxxxx}

Tip: Follow the TCP stream, find the Python script, then read, modify and execute the script to obtain the flag.
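The "Follow TCP Stream" step used above, as an added example that is not part of this report and not Wireshark's own code: a small Python model of stream reassembly run over constructed TCP segments (not a real capture; the addresses, ports, request, response and flag value are all made up). It groups segments by connection and direction, orders them by sequence number rather than capture order, drops a retransmitted segment, marks any hole in the capture, and then searches the reassembled data for the task's flag format, which is what the filter http contains "FLAG" followed by Follow Stream achieves in Wireshark.

```python
import re
from collections import defaultdict

# Constructed sample segments (NOT from a real capture), with RFC 5737 addresses:
# (src_ip, src_port, dst_ip, dst_port, tcp_seq, payload). Captures are rarely tidy,
# so the list includes one out-of-order segment and one retransmission.
REQ1 = b"GET /img/logo-edu.gif HTTP/1.1\r\n"
REQ2 = b"Host: lab.example\r\n\r\n"
RESP_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
RESP_BODY = b"print('flag_hctf{constructed_sample}')\n"   # stands in for the "python script"
C, S = ("192.0.2.10", 40001), ("198.51.100.7", 80)        # client / server endpoints
SEGMENTS = [
    (*C, *S, 1000, REQ1),
    (*S, *C, 5000, RESP_HDR),
    (*S, *C, 5000 + len(RESP_HDR), RESP_BODY),  # body captured before the client's 2nd segment
    (*C, *S, 1000 + len(REQ1), REQ2),           # out of order relative to the server's reply
    (*S, *C, 5000, RESP_HDR),                   # retransmission: must not be duplicated
]
FLAG_RE = re.compile(rb"flag_hctf\{[^}]*\}")   # flag format given in the task

def stream_key(src, sport, dst, dport):
    """Connection identifier shared by both directions of one TCP stream."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def follow_tcp_stream(segments):
    """Reassemble payload per stream and direction: {stream_key: {(ip, port): bytes}}."""
    by_direction = defaultdict(list)
    for src, sport, dst, dport, seq, payload in segments:
        by_direction[(stream_key(src, sport, dst, dport), (src, sport))].append((seq, payload))
    streams = defaultdict(dict)
    for (key, sender), segs in by_direction.items():
        data, next_seq = bytearray(), None
        for seq, payload in sorted(segs):          # sequence-number order, not capture order
            next_seq = seq if next_seq is None else next_seq
            if seq + len(payload) <= next_seq:
                continue                           # pure retransmission: bytes already present
            if seq < next_seq:                     # partial overlap: keep only the new tail
                payload, seq = payload[next_seq - seq:], next_seq
            if seq > next_seq:                     # hole in the capture: mark it, keep going
                data += b"<%d bytes missing>" % (seq - next_seq)
            data += payload
            next_seq = seq + len(payload)
        streams[key][sender] = bytes(data)
    return streams

def find_flags(streams):
    """Equivalent of filtering with `contains` and then reading the followed stream."""
    return [m.decode() for dirs in streams.values() for data in dirs.values()
            for m in FLAG_RE.findall(data)]
```

Real captures also carry SYN/FIN flags, window sizes and checksums that this model ignores; it only reproduces the payload-ordering logic that matters when reading a followed stream.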

4. Experimental environment

  • Windows 7 system or above, host connected to the Internet
  • Tools required: Wireshark
  • Reference links:
    • https://blog.csdn.net/CliffordR/article/details/82749382
    • https://www.freebuf.com/column/155600.html

5. Experimental procedures and results

  • Search for pages related to the flag (screenshot)
  • Save the web page and open it (screenshot)
  • Parse the MD5 code (screenshot)
  • Get the list of URLs and open them (screenshot)
  • Scan the code to obtain the flag (screenshot)

Origin: blog.csdn.net/kelxLZ/article/details/117436723