Wireshark for Hackers: How to Capture and Analyze Hidden Flags

Por

If you have ever participated in a Capture The Flag (CTF) competition, you have likely encountered a file named capture.pcap or traffic.pcapng.

For many beginners, opening this file is like staring into the Matrix. You are greeted by a wall of colorful lines, rapidly scrolling numbers, and cryptic protocol names like TCP, TLS, ACK, and PSH. It is overwhelming. It is chaotic. And it is arguably the most critical skill you can learn in cybersecurity.

Wireshark is the world’s foremost network protocol analyzer. In the corporate world, it is used to troubleshoot slow networks and debug applications. But in the hacker’s world, it is a digital X-ray machine. It allows you to see exactly what happened on the wire—every password sent, every image downloaded, and every secret flag transmitted.

In this guide, we are going to move past the “basic tutorial” phase. I am not just going to tell you what the buttons do. I am going to walk you through a real CTF scenario. We will take a raw packet capture, slice through the noise, and extract a hidden flag using professional forensic techniques.

The Mental Model: Packets Don’t Lie

Before we touch the tool, you need to understand the philosophy. Logs can be deleted. Files can be hidden. Malware can erase itself from the disk. But network traffic is immutable.

If a hacker sends a command to a server, that command must travel across the network. If a user downloads a secret document, the bytes of that document must pass through the wire. Wireshark captures these fleeting moments and freezes them in time.

In a CTF “Forensics” or “Network” challenge, your job is usually to find one of three things:

  1. Credentials: Usernames and passwords sent in cleartext.
  2. Files: Images, ZIPs, or executables transferred over the network.
  3. Hidden Communications: Data hidden inside seemingly normal packets (steganography or tunneling).

Let’s load up our imaginary challenge.pcap and start hunting.

Step 1: The Initial Survey (Protocol Hierarchy)

When you first open a large PCAP file, do not start scrolling. That is a rookie mistake. A capture might contain 50,000 packets. Scrolling is useless.

You need a bird’s-eye view. Go to Statistics > Protocol Hierarchy.

This window is your best friend. It breaks down the traffic by percentage.

  • Do you see 90% TCP traffic? Good, that’s standard.
  • Do you see a weird spike in ICMP (Ping) traffic? That’s suspicious (could be a tunneling attack).
  • Do you see FTP or Telnet? Jackopt. These are cleartext protocols.
  • Do you see HTTP? This is where file transfers usually happen.

The Strategy: If I see “Line-based text data” under TCP, I know there is human-readable chat or commands. If I see “Data” under UDP, it might be a custom protocol. For our scenario, let’s assume the Protocol Hierarchy shows a mix of HTTP, TCP, and a little bit of FTP.

Step 2: The Power of Filtering (Cutting the Noise)

The filter bar at the top of Wireshark is your sniper rifle. You need to memorize a few key operators to be effective.

Basic Filters

  • http: Only shows HTTP traffic.
  • tcp.port == 21: Only shows FTP control traffic.
  • ip.addr == 192.168.1.5: Only shows traffic coming from or going to this IP.

The “Hacker” Filters

These are the ones that actually win CTFs:

1. frame contains "flag" This is the “Hail Mary” filter. It searches the content of every single packet for the string “flag”. If the challenge creator got lazy and sent the flag in cleartext, this will find it instantly.

  • Variations: frame contains "CTF", frame contains "pass", frame contains "admin".

2. http.request.method == "POST" Flags are often submitted via login forms. A login form is almost always a POST request. This filter hides all the “GET” requests (loading images, CSS, etc.) and shows you only the data being sent to the server.

3. dns.qry.name contains "hackthedome" DNS traffic can reveal what websites the user visited. If you see a DNS query for secret-flag-server.internal, you know exactly where to look next.

Step 3: Following the Stream (Reconstructing the Story)

This is the feature that blows beginners’ minds. Looking at individual packets is like trying to read a book by looking at a pile of shredded paper strips. You need to tape them back together.

Wireshark does this with “Follow TCP Stream”.

The Scenario: You filter by http and see a GET request for login.php. You want to know what happened next.

  1. Right-click on that packet.
  2. Select Follow > TCP Stream.

What just happened? Wireshark hides all other traffic. It grabs every packet involved in that specific conversation between the client and the server and reassembles them into a readable format.

  • Red Text: Client (what the user sent).
  • Blue Text: Server (what the computer replied).

In a CTF, this is where you often find the “Golden Ticket.” You might see:

POST /login.php HTTP/1.1
Host: 10.10.10.5
User-Agent: Mozilla/5.0...
username=admin&password=SuperSecurePassword123!

If you see this, you have found the credentials. But what if the flag isn’t a password? What if it’s a file?

Step 4: Extracting Files (Digital Archaeology)

Hackers love to hide flags inside images or zip files. If a user downloads a picture of a cat over HTTP, the bytes of that cat picture are inside the PCAP file. You can reconstruct the image.

The Manual Way (Hard Mode): You could follow the stream, set the data display to “Raw,” copy the hex bytes starting from the JPEG header (FF D8), and paste them into a hex editor. But there is a faster way.

The Automated Way (Wireshark Magic): Go to File > Export Objects > HTTP.

This opens a window listing every single file transferred over HTTP in the capture.

  • style.css
  • logo.png
  • secret_backup.zip <– Bingo.

Select the file and click Save. Now you have the file on your desktop. You try to unzip secret_backup.zip, but it prompts you for a password.

We are not done yet. We need to go back to the capture to find the key.

Step 5: Cross-Protocol Analysis

We have a locked zip file. We need a password. We know the user downloaded the zip via HTTP, but maybe they negotiated the password somewhere else?

Let’s clear our filters and look at FTP (File Transfer Protocol). Filter: ftp

We see a conversation: Response: 220 (vsFTPd 3.0.3) Request: USER anonymous Request: PASS anonymous@ Response: 230 Login successful.

Nothing interesting here—just an anonymous login. But wait. Let’s look at the FTP-DATA channel. FTP uses two ports: port 21 for commands (which we just saw) and port 20 (or a random high port) for the actual data transfer.

If you only filter for ftp, you might miss the file contents. Better filter: tcp.port == 21 || ftp-data

Alternatively, let’s look for Telnet. Telnet is an ancient, unencrypted remote administration protocol. Filter: telnet

We see a few packets. Right-click > Follow TCP Stream.

The Output:

Trying 192.168.1.5...
Connected to 192.168.1.5.
Escape character is '^]'.

Ubuntu 18.04 LTS
login: developer
Password: hunter2

$ cat note.txt
Hey, I uploaded the backup to the web server.
The zip password is: Th3_P4ck3t_N3v3r_L13s

There it is.

  1. We extracted the ZIP using Export Objects.
  2. We found the password by analyzing a Telnet Stream.
  3. We unzip the file to find flag.txt.

The Flag: CTF{W1r3sh4rk_D33p_D1v3_Succ3ss}

Advanced Technique: Searching for Hex Signatures

Sometimes the flag isn’t in a file or a chat. It’s hidden in the raw bytes of a custom protocol or a malformed packet.

In Wireshark, press Ctrl + F to open the search bar. Change the dropdown from “Packet list” to “Packet bytes”. Change “Narrow & Wide” to “Hex Value”.

Now you can search for “Magic Bytes” (file signatures).

  • JPEG Image: Search for ff d8 ff
  • PNG Image: Search for 89 50 4e 47
  • ZIP File: Search for 50 4b 03 04

If a hacker extracted data over a covert channel (like hiding data in the padding of ICMP packets), searching for these file headers in the raw bytes will highlight the exact packet where the file begins.

Conclusion: Practice Makes Perfect

Wireshark is a tool that rewards curiosity. The more you use it, the more you begin to see the “matrix” behind the internet. You stop seeing “loading a webpage” and start seeing the 3-Way Handshake, the DNS query, the SSL Hello, and the HTTP GET.

For your next CTF, do not be afraid of the .pcap file.

  1. Check the Protocol Hierarchy.
  2. Filter for HTTP and POST requests.
  3. Follow the Streams to read the conversations.
  4. Export Objects to grab the files.

The network traffic tells a story. Your job is simply to read it.

Ready to test your skills? Go to WiresharkSampleCaptures (Google it) or download the “Forensics” challenges from Hack The Box. Open a random capture and ask yourself: “What is this user doing?”

The answer is always in the packets.