making a pcap: a simple tutorial
Making a pcap was a surprisingly simple process. However, for future reference, I've decided to make a one-stop-shop guide to making a simple pcap that can be used in making CTF challenges.
Step 1: Packet Capturing Software
There is a lot of software that allows you to capture packets. However, the one that is the most famous, and what we will be using today, is Wireshark.
If you're reading this, I assume that you already have wireshark installed; if you don't, install it :p. If you're on linux, you can start up wireshark by either clicking on the icon or running the command:
kali@kali:~/gitbook$ sudo wireshark
This should open up wireshark. Alternatively, if you prefer a GUI, you can simply search for wireshark and double-click it.
Step 2: Setting up a server
Firstly, we need some files to capture. I'll make a couple of simple text files.
kali@kali:~$ cd gitbook/
kali@kali:~/gitbook$ nano test.txt
kali@kali:~/gitbook$ nano uwu.txt
After this, we can set up a webserver with the command:
kali@kali:~/gitbook$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
We are now ready to start capturing packets in wireshark!
To capture all the packets that come through, capture on the any interface (the pseudo-interface that listens on every interface at once, including loopback).

Step 3: Capturing time!
Now that wireshark has started capturing packets, navigate to http://0.0.0.0:8000/ in your browser.
You should see the listing below (the two files I made earlier).

Now, let's click on both of these!
We can see from the output below that 3 GET requests were made.
kali@kali:~/gitbook$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
127.0.0.1 - - [28/Aug/2020 07:53:31] "GET / HTTP/1.1" 200 -
127.0.0.1 - - [28/Aug/2020 07:54:51] "GET /test.txt HTTP/1.1" 200 -
127.0.0.1 - - [28/Aug/2020 07:54:57] "GET /uwu.txt HTTP/1.1" 200 -
This means we've now captured everything we wanted!
You can now stop capturing by pressing the red square at the top of wireshark.

Now, let's save the pcap!
To save a file in wireshark, go to File > Save As.
And now you need a filename!
I named mine uwu.pcapng.
You can now safely close wireshark.
Step 4: Analysing the pcap
After looking for the pcap in your filesystem, you may find that it has a big x on the bottom right corner.

This means that you can't read it as a normal user, because wireshark was started with sudo and the saved file is owned by root. This is a problem, as you won't be able to send it over email or upload it to Google Drive. However, we can fix this!
By catting the pcap into another file, we can get a copy that can be opened by someone with no privs.
The command you run is found below:
kali@kali:~/gitbook$ sudo cat uwu.pcapng > new.pcapng
This reads uwu.pcapng as root and writes the output into new.pcapng; the redirect is done by your own (unprivileged) shell, so the new file is owned by you. Now to check if the error is fixed.

Now, we can open this pcap as normal.
By running the command:
kali@kali:~/gitbook$ wireshark new.pcapng
the pcap is opened, yay!
If we filter by HTTP, we can see 6 packets.

If we click on the 2 packets, we can get the text data!
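Wireshark does the capturing and the saving for you, but for CTF-style challenges it is often handy to build a pcap by hand and to verify what an analyst will see in it. The script below is an added example, not code from this tutorial: it writes the same three GET requests and their 200 responses into a classic pcap file using only the Python standard library, then reads the file back and pulls out the HTTP payloads, which is what the "filter by HTTP" step shows in wireshark. The client port, sequence numbers, file contents and the Ethernet link type are constructed assumptions (a real loopback capture on the any interface would use the Linux cooked link type instead), and the output is the classic .pcap format rather than the .pcapng that wireshark saves by default; wireshark opens both.

```python
# Added example (not from the original tutorial): build a pcap of the HTTP
# exchange from the tutorial with the standard library only, then parse it
# back and extract the HTTP payloads. All addresses, ports, sequence numbers
# and file bodies below are constructed sample values.
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1        # assumption: plain Ethernet framing


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum, used here for the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src_ip, dst_ip, sport, dport, seq, ack, payload: bytes) -> bytes:
    """Ethernet + IPv4 + TCP (PSH/ACK) frame carrying `payload`."""
    eth = b"\x00" * 12 + b"\x08\x00"          # zeroed MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      5 << 4,                  # data offset: 5 words, no options
                      0x18,                    # flags: PSH + ACK
                      65535, 0, 0)             # window, checksum (0), urgent ptr
    tcp += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]   # fill in checksum
    return eth + ip + tcp


def write_pcap(path, packets, start_ts=1598601211.0):
    """Write frames as a classic pcap: 24-byte global header, 16-byte record headers."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for i, pkt in enumerate(packets):
            ts = start_ts + i              # one second apart, like the server log
            f.write(struct.pack("<IIII", int(ts), int((ts % 1) * 1_000_000), len(pkt), len(pkt)))
            f.write(pkt)


def read_pcap(path):
    """Yield (timestamp, frame) from a classic pcap, handling either byte order."""
    with open(path, "rb") as f:
        hdr = f.read(24)
        magic = struct.unpack("<I", hdr[:4])[0]
        if magic == PCAP_MAGIC:
            endian = "<"
        elif magic == 0xD4C3B2A1:
            endian = ">"
        else:
            raise ValueError("not a classic pcap (pcapng is a different format)")
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                break
            sec, usec, incl_len, _ = struct.unpack(endian + "IIII", rec)
            yield sec + usec / 1e6, f.read(incl_len)


def http_payloads(path, port=8000):
    """Return TCP payloads to/from `port` that look like HTTP (wireshark's 'http' filter, roughly)."""
    out = []
    for _, frame in read_pcap(path):
        if frame[12:14] != b"\x08\x00" or frame[14 + 9] != 6:   # IPv4 carrying TCP only
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip_len = struct.unpack("!H", frame[16:18])[0]
        tcp_off = 14 + ihl
        sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
        data_off = (frame[tcp_off + 12] >> 4) * 4
        payload = frame[tcp_off + data_off:14 + ip_len]
        if port in (sport, dport) and (payload.startswith(b"GET ") or payload.startswith(b"HTTP/1.")):
            out.append(payload)
    return out


def make_capture(path):
    """Write the three requests and three responses from the tutorial; return the frame count."""
    client, server = ("127.0.0.1", 51234), ("127.0.0.1", 8000)
    files = {"/": b"<html><a href=\"test.txt\">test.txt</a><a href=\"uwu.txt\">uwu.txt</a></html>",
             "/test.txt": b"hello from test.txt\n", "/uwu.txt": b"uwu\n"}   # constructed bodies
    packets, seq_c, seq_s = [], 1000, 5000
    for name, body in files.items():
        req = b"GET %s HTTP/1.1\r\nHost: 0.0.0.0:8000\r\n\r\n" % name.encode()
        packets.append(build_packet(client[0], server[0], client[1], server[1], seq_c, seq_s, req))
        seq_c += len(req)
        resp = b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body) + body
        packets.append(build_packet(server[0], client[0], server[1], client[1], seq_s, seq_c, resp))
        seq_s += len(resp)
    write_pcap(path, packets)
    return len(packets)


def demo(path=None):
    """Write the capture (to a temp file by default) and return (frames written, HTTP payloads)."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "new.pcap")
    return make_capture(path), http_payloads(path)


if __name__ == "__main__":
    written, payloads = demo("new.pcap")
    print("wrote %d frames; %d HTTP payloads found" % (written, len(payloads)))
    for p in payloads:
        print(p.split(b"\r\n", 1)[0].decode())
```

Open the resulting new.pcap in wireshark and apply the http display filter: you get the same six packets as in the real capture, and clicking a response shows the file body in the packet bytes. The same read_pcap/http_payloads pair also works on a capture you made the wireshark way, as long as it was saved as .pcap and on a real Ethernet interface rather than the any pseudo-interface.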


Anyways, I hope you've enjoyed this tutorial on how to make a pcap! If you have any questions, feel free to get in touch with me on Twitter.