Unpacking Network Traffic: Analyzing a PCAP File with Wireshark.
The PCAP file I’m analyzing comes from a recent Capture the Flag (CTF) cybersecurity challenge I attended, held in a nearby town. The CTF required finding a specific piece of information (the flag) needed to register for next year’s (2025) event by looking through the HTTP requests, and I’ll be working through it using my Linux VM, a few native tools, and, of course, Wireshark.
Intro (PCAP & Wireshark):
- PCAP is a binary file format that stores network traffic data in a structured way. PCAP stands for packet capture, which is the process of intercepting and recording the data packets that make up network traffic; the captured packets are then used to analyze that traffic, which is what we are going to do here.
- Wireshark is a free, open-source network protocol analyzer that captures live network traffic and displays it in real time, and it can also open a saved capture like this one. It’s also used to troubleshoot network issues in the IT/tech world, to dissect network protocols, and so on.
Setting Up (Development Environment)
- The pcap file is stored in the Downloads folder of my Kali machine, and I am going to spin up a Python HTTP server to host the file locally.
- Make sure to install Wireshark using this command: sudo apt install wireshark -y
- We can run $ python3 -m http.server 8080 (to host the file(s) from the Kali machine) and then use either wget or curl to download it to my Ubuntu desktop, like so: curl -O http://192.168.1.144:8080/packet_capture.pcapng
- We can also use our browser to download the file by visiting the file hosting server’s IP (http://ip:8080/).
- Now that we are done with this step, let’s open the file in Wireshark from the terminal.
- $ sudo wireshark packet_capture.pcapng (the filename being the pcap file we downloaded earlier).
Basic Packet Analysis
- We can identify what we’re looking for (abnormalities) by diving deep into details like source IP, destination IP, port, and protocols, as shown in the image above. These details will be essential for our investigation.
- But today we will only be focusing on one protocol (HTTP).
- HTTP stands for Hypertext Transfer Protocol, which is the standard web protocol that allows clients, like browsers, and web servers to communicate with each other.
Filtering Traffic
- Now, let’s filter for ‘http’ using the filter input box in the Wireshark search bar.
- We can narrow things further by using the ‘http.accept’ filter, which keeps only the requests we are actually looking for.
After following the HTTP stream, we can see the full request/response exchange between the two parties in clear text.
I looked into each one of them until I saw a URL at the end of a request coming from the other party. I visited the website and found what appears to be a Base64-encoded string.
- We can paste our encoded string into this script when it prompts for it.
- As we can see, we received the code to register for next year’s cybersecurity event, but we need the website to complete the registration. I believe it’s going to be in those HTTP requests, and we just have to keep looking for it until we find the right one.
- I dove deeper and found another encoded cipher. I used my script and commands to extract the raw data, which included the website for registration. Since I already have the flag, I’m going to register for the event for free.
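The decoding script used at the two steps above (the first Base64 string from the website and the second one found deeper in the requests) is not reproduced in this write-up, so here is an added example of the kind of helper that does the job; it is not the author’s script. It pulls Base64-looking tokens out of text copied from an HTTP request, restores stripped padding, accepts the URL-safe alphabet, and peels nested layers until the result is no longer Base64. The sample request and hint are constructed, and example.com stands in for the real registration URL.

```python
import base64
import re
import string

# Base64-looking runs in either the standard or URL-safe alphabet.
_TOKEN_RE = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")
_STRICT_RE = re.compile(r"[A-Za-z0-9+/_-]+={0,2}")

def decode_b64(candidate):
    """Decode one Base64 layer; return the text, or None if it is not printable text."""
    s = "".join(candidate.split())                # drop whitespace copied from Wireshark
    s += "=" * (-len(s) % 4)                      # restore padding that is often stripped
    if not _STRICT_RE.fullmatch(s):
        return None
    try:
        text = base64.b64decode(s, altchars=b"-_").decode("ascii")  # "-_" = URL-safe chars
    except ValueError:                            # covers binascii.Error and bad ASCII
        return None
    return text if text and all(c in string.printable for c in text) else None

def peel_layers(candidate, max_layers=5):
    """Decode nested Base64 layers, returning each printable result in order."""
    layers = []
    while len(layers) < max_layers:
        decoded = decode_b64(candidate)
        if decoded is None:
            break
        layers.append(decoded)
        candidate = decoded
    return layers

def find_encoded(text):
    """Map each Base64-looking token in the text to its decoded layers."""
    found = {}
    for match in _TOKEN_RE.finditer(text):
        layers = peel_layers(match.group(0))
        if layers:                                # skip tokens that are not really Base64
            found[match.group(0)] = layers
    return found

# Constructed sample request carrying a doubly Base64-encoded hint; the real
# flag and registration URL from the CTF are not reproduced here.
SAMPLE_HINT = "flag{see-you-in-2025} https://example.com/register"
SAMPLE_TOKEN = base64.b64encode(base64.b64encode(SAMPLE_HINT.encode())).decode()
SAMPLE_REQUEST = f"GET /?data={SAMPLE_TOKEN} HTTP/1.1\r\nHost: ctf.example.com\r\n\r\n"

if __name__ == "__main__":                        # prompt for a pasted request or string
    for token, layers in find_encoded(input("Paste the request or string: ")).items():
        print(token, "->", " -> ".join(layers))
```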
In conclusion, using Wireshark to analyze the PCAP file was a great learning experience. By looking closely at the HTTP requests, I found some important encoded data. This helped me discover the registration link for the upcoming cybersecurity event. My work paid off, and I ended up with a free ticket to the event. This challenge showed me how valuable packet analysis is in cybersecurity.