| name | networking |
| description | Analyzes network traffic and exploits protocols. Use when working with PCAP files, Wireshark captures, packet analysis, protocol exploitation, traffic forensics, or data exfiltration detection. |
| allowed-tools | Bash, Read, Write, Grep, Glob |
Networking Skill
Quick Workflow
Progress:
- [ ] Get protocol overview (tshark -z io,phs)
- [ ] Search strings for flag pattern
- [ ] Export HTTP/SMB objects
- [ ] Follow interesting streams
- [ ] Check for credentials/exfiltration
- [ ] Extract flag
Quick Analysis Pipeline
# 1. Basic info
capinfos capture.pcap
file capture.pcap
# 2. Protocol hierarchy
tshark -r capture.pcap -z io,phs
# 3. Conversations
tshark -r capture.pcap -z conv,tcp
# 4. Quick string search
strings capture.pcap | grep -i flag
tshark -r capture.pcap -Y "frame contains flag"
Reference Files
Tools Quick Reference
| Tool |
Purpose |
Install |
| Wireshark |
GUI packet analysis |
brew install wireshark |
| tshark |
CLI packet analysis |
brew install wireshark |
| tcpdump |
Packet capture |
Built-in |
| tcpflow |
TCP stream extraction |
brew install tcpflow |
| nmap |
Port scanning |
brew install nmap |
| masscan |
Fast port scanning |
brew install masscan |
| scapy |
Packet manipulation |
pip install scapy |
Scapy Quick Reference
from scapy.all import *
# Read PCAP
packets = rdpcap('capture.pcap')
# Filter packets
http_packets = [p for p in packets if TCP in p and p[TCP].dport == 80]
# Extract data
for p in packets:
if Raw in p:
print(p[Raw].load)