Articles

Wireshark CTF Workflow: Solve Network Forensics Challenges (2026)

April 6, 2026 5 min read

When you’re staring down a Wireshark CTF challenge, the real magic isn’t just about spotting packets; it’s about turning a deluge of data into a coherent narrative of an attack or an exfiltration.

Let’s say you’ve downloaded a PCAP file and opened it in Wireshark. You’re presented with thousands, maybe millions, of packets. Where do you even start? The immediate temptation is to just scroll and look for something interesting, but that’s a recipe for burnout. Instead, think of the PCAP as a crime scene, and you’re the detective. Your first move is always to get a lay of the land.

The most surprising thing about network forensics in CTFs is that the "obvious" protocols are rarely where the critical data lies. Everyone looks at HTTP and DNS. The real treasures are often buried in less common protocols, or even within seemingly innocuous data streams.

Imagine a challenge where you’re told an attacker exfiltrated data. You open the PCAP. What do you do?

  1. Initial Triage: The Big Picture

    • Command: tshark -r your_capture.pcap -q -z io,tree
    • What it does: This tshark command (the command-line version of Wireshark) gives you a hierarchical summary of all protocols present in the capture and their relative traffic volumes. It’s like getting a bird’s-eye view of the network activity.
    • Why it works: You’re looking for anomalies. Is there a massive amount of traffic on a protocol you wouldn’t expect? Is there a strange protocol showing up at all? This immediately tells you where to focus your attention. For example, if you see a huge amount of ICMP traffic, or a lot of data over TFTP, that’s a red flag.

  2. Filter for Suspicious Protocols or Hosts

    • Example Filter: tcp.port == 6667 (IRC) or udp.port == 5353 (mDNS, often abused) or smb (Windows file sharing, common for lateral movement).
    • What it does: Once io,tree points you to something, you start filtering. These filters isolate traffic related to specific protocols or ports that are commonly used for malicious activity or data exfiltration.
    • Why it works: Attackers often use less conventional channels to hide their tracks. IRC, for instance, has been a classic C2 (Command and Control) channel for decades. SMB can be used to spread malware or copy sensitive files.

  3. Follow the Stream: Reconstructing Conversations

    • Action: Right-click on a suspicious packet and select "Follow" -> "TCP Stream" (or "UDP Stream," "HTTP Stream," etc.).
    • What it does: This reconstructs the entire conversation between two endpoints for that specific protocol. Wireshark assembles the fragmented packets into a readable format.
    • Why it works: This is where you often find the actual commands sent to a compromised machine, the data being uploaded, or the credentials being stolen. For HTTP, you’ll see requests and responses. For TCP, you’ll see raw data.

    Let’s illustrate with a common scenario: Data Exfiltration via DNS.

    • The Problem: An attacker wants to steal sensitive data but can’t use standard channels due to firewalls. They decide to encode the data within DNS queries.
    • Your Workflow:
      1. Initial Triage: Run tshark -r capture.pcap -q -z io,tree. You might see a lot of DNS traffic, which is normal. However, you might also notice a very large number of outgoing DNS queries to a specific, possibly unusual, domain.
      2. Filter for DNS: Apply the filter dns.
      3. Look for Anomalies in DNS:
        • Command: tshark -r capture.pcap -Y "dns.qry.name contains 'suspicious.com'" -T fields -e frame.time -e dns.qry.name -e dns.qry.type
        • What it does: This command lists the timestamp, the full query name, and the query type for all DNS requests to a specific domain.
        • Why it works: You’re looking for extremely long subdomains. Normal DNS queries are short (e.g., www.google.com). If you see something like data1.partA.partB.etc.suspicious.com, that’s a strong indicator of encoded data. The dns.qry.type will likely be TXT or CNAME for larger data chunks, though sometimes it’s even encoded in A/AAAA records.
      4. Follow the DNS Stream (or Extract):
        • Action: In Wireshark GUI, filter for dns.qry.name contains "suspicious.com". Right-click on one of these packets and select "Follow" -> "DNS Conversation."
        • Alternative (tshark): tshark -r capture.pcap -Y "dns.qry.name contains 'suspicious.com'" -T fields -e dns.qry.name (and then manually piece it together or use a script).
        • Why it works: By concatenating all the subdomain parts from these long queries, you can reconstruct the exfiltrated data. The attacker would have a script to encode data into these subdomains on their end, and you need a similar script (or manual effort) to decode it.

    Another Example: Command and Control (C2) via IRC

    • The Problem: A compromised machine is receiving commands from an attacker over an IRC channel.
    • Your Workflow:
      1. Initial Triage: tshark -r capture.pcap -q -z io,tree. Look for IRC traffic (port 6667 is standard).
      2. Filter for IRC: Apply the filter irc.
      3. Follow the Stream: Right-click on an IRC packet and select "Follow" -> "TCP Stream."
      4. Analyze the Stream: You’ll see IRC commands like NICK, USER, JOIN, PRIVMSG. The PRIVMSG commands are where the attacker sends commands to the bot (the compromised machine) and where the bot might report back. You’ll be looking for commands like !whoami, !ls, !download <file>, or encoded shell commands.

    Key Takeaways for CTF Wireshark:

    • Don’t Get Lost in the Noise: Use io,tree and protocol-specific filters to narrow your focus immediately.
    • Follow the Stream is Your Best Friend: This is how you see the actual data being exchanged.
    • Think Like an Attacker: Where would they hide data? What protocols are easy to abuse? (DNS, ICMP, even HTTP POSTs with unusual content types).
    • Combine Tools: tshark for quick analysis and scripting, Wireshark GUI for interactive exploration.
    • Decode, Decode, Decode: Often, the data isn’t plain text. It’s base64 encoded, hex encoded, or hidden in plain sight within protocol fields. Look for common encoding patterns.

    The most critical skill in Wireshark CTFs is pattern recognition. Once you’ve seen a few common exfiltration or C2 techniques, you’ll start spotting them faster. The next challenge you’ll likely encounter is dealing with encrypted traffic, where you’ll need to find the keys or decrypt using Wireshark’s capabilities.

More Deep Dives in Wireshark

Want structured learning?

Take the full Wireshark course →