Looking for a file

asked 2019-12-08 21:45:42 +0000

AlexKaos

Hi everyone, I'm trying to find a file within a pcap, but no luck. I've used NetworkMiner to find files in other pcaps. I've also seen what the file transfer looks like by following each stream. But the pcap I'm working with doesn't look anything like that. There are a ton of TCP RST, SYN, SYN/ACK, and ACK flags all over the place if that helps. This is for a CTF so I'm not looking for anyone to just give me the answer, but any pointers would be much appreciated.


2 Answers


answered 2019-12-09 00:01:11 +0000

SYN-bit

One way I start is by using the filter tcp.len>0 to view only the TCP packets with payload. That will remove all the SYN, RST and ACK packets that might confuse you. Then you can also use Statistics -> Conversations (TCP tab) and enable "Limit to display filter" to get an overview of how much data was transferred in the sessions that do have payload data.

Is there a (public) link to the pcap file to look at?



Awesome, thanks, I'll try that. There isn't a public link to the pcap file; I could upload it to Google Drive and share it that way.

AlexKaos ( 2019-12-09 00:07:15 +0000 )

That did help filter out the ambiguity. But I'm still not seeing the file. Also, the CTF is over now, so I'll provide a bit more info. The goal of that particular question was to find the file and calculate the MD5 hash (which is the flag).

AlexKaos ( 2019-12-09 03:15:01 +0000 )

Nice one... Is the answer e0fb946c...258c22a1 (not posting the whole MD5 to not spoil the challenge)?

SYN-bit ( 2019-12-09 12:01:10 +0000 )

That's probably it, I have no way to verify now. I must be missing some information though, I can tell that there was a lot of data transferred, and I've applied the filters, but clearly the file is obfuscated somehow because it's not listed anywhere as "file.exe" or whatever. Why is it that I'm not seeing a straightforward file transfer?

AlexKaos ( 2019-12-09 14:26:17 +0000 )

answered 2019-12-09 03:37:18 +0000

Chuckc
  1. One of the best Wireshark tips (not sure who to credit) is to turn the colors off.
    All the red packets can be a red herring. :-)

  2. Work down through the Statistics menus - Protocol Hierarchy, Conversations, Endpoints.
    There is a port scan mixed in - filter those packets out and the capture gets clearer.

  3. Filter out any protocols that probably aren't being used to transfer data.
    Double check before excluding since data is sometimes tunneled through these "other" protocols.
    (Filtering out the port scan and ancillary protocols cut about 2500 packets out of the display.)
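The triage suggested in both answers (keep only segments with tcp.len>0, then total the bytes per conversation so the port-scan noise drops out), as an added example that is not part of the original posts. It reads a classic pcap with the Python standard library only and assumes Ethernet/IPv4 framing; the sample capture, addresses and ports are constructed.

```python
import struct
from collections import Counter

def payload_by_conversation(pcap: bytes) -> Counter:
    """TCP payload bytes per conversation in a classic little-endian pcap of
    Ethernet/IPv4 frames; zero-length segments (bare SYN/ACK/RST) are skipped."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected little-endian classic pcap")
    totals, off = Counter(), 24                       # skip 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                  # not IPv4 carrying TCP
        tcp = 14 + (frame[14] & 0x0F) * 4             # TCP header offset (after IP options)
        if len(frame) < tcp + 20:
            continue                                  # truncated TCP header
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        # Use IP total length, not frame length, so Ethernet padding is not counted
        tcp_len = struct.unpack_from("!H", frame, 16)[0] - (tcp - 14) - (frame[tcp + 12] >> 4) * 4
        if tcp_len > 0:                               # same test as tcp.len>0
            ends = sorted([(".".join(map(str, frame[26:30])), sport),
                           (".".join(map(str, frame[30:34])), dport)])
            totals[tuple(ends)] += tcp_len            # both directions share one key
    return totals

def frame(src, dst, sport, dport, flags, payload=b""):
    """Constructed sample data: minimal Ethernet/IPv4/TCP frame, checksums zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, bytes(src), bytes(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

A, B = (10, 0, 0, 5), (10, 0, 0, 9)                   # constructed addresses
SAMPLE = build_pcap(
    [frame(A, B, 40000 + p, p, 0x02) for p in (21, 22, 23)] +        # scan SYNs
    [frame(B, A, p, 40000 + p, 0x14) for p in (21, 22, 23)] +        # RST/ACK replies
    [frame(A, B, 49152, 8080, 0x18, b"A" * 1000),                    # PSH/ACK with data
     frame(B, A, 8080, 49152, 0x10),                                 # bare ACK
     frame(A, B, 49152, 8080, 0x18, b"B" * 460)])

if __name__ == "__main__":
    print(payload_by_conversation(SAMPLE).most_common())
```

Of the eleven constructed packets, only the one conversation that carried data survives; the scan probes and bare ACKs never appear in the totals.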


Asked: 2019-12-08 21:45:42 +0000

Seen: 21,252 times

Last updated: Dec 09 '19