making a pcap: a simple tutorial

Making a pcap was a surprisingly simple process. However, for future reference, I've decided to make a one-stop-shop guide to making a simple pcap that can be used in making CTF challenges.

Step 1: Packet Capturing Software

There is a lot of software that allows you to capture packets. However, the most famous, and the one we will be using today, is Wireshark.

If you're reading this, I assume that you already have Wireshark installed; if you do not, then install it :p. If you're on Linux, you can start Wireshark either by clicking on the icon or by running the command:

kali@kali:~/gitbook$ sudo wireshark

This should open up Wireshark. Alternatively, if you prefer the GUI, you can simply search for Wireshark and double click.

Step 2: Setting up a server

First, we need some files to serve and capture. I'll make a couple of simple text files.

kali@kali:~$ cd gitbook/
kali@kali:~/gitbook$ nano test.txt
kali@kali:~/gitbook$ nano uwu.txt

After this, we can set up a web server with the command:

kali@kali:~/gitbook$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

We are now ready to start capturing packets in wireshark!

To capture all the packets that come through, start capturing on the any interface. It listens on every interface, including loopback, which matters here because the browser and the server are both on 127.0.0.1, so the traffic never touches a real network card.

You may get an error saying that you don't have permission to capture packets. If this happens, close Wireshark, run sudo wireshark, and then repeat the above steps. (Running Wireshark as root is also why the saved file ends up owned by root in Step 4.)

Step 3: Capturing time!

Now that Wireshark has started capturing packets, navigate to http://0.0.0.0:8000/ in your browser.

You should see the directory listing with the two files I made earlier.

Now, let's click on both of these!

We can see from the server's output below that 3 GET requests were made (one for the directory listing and one for each file).

kali@kali:~/gitbook$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
127.0.0.1 - - [28/Aug/2020 07:53:31] "GET / HTTP/1.1" 200 -
127.0.0.1 - - [28/Aug/2020 07:54:51] "GET /test.txt HTTP/1.1" 200 -
127.0.0.1 - - [28/Aug/2020 07:54:57] "GET /uwu.txt HTTP/1.1" 200 -

This means we've now captured everything we wanted!

You can now stop capturing by pressing the red square at the top of Wireshark.

Now, let's save the pcap!

To save a file in Wireshark, you go:

  • File

  • Save As

And now you need a filename!

I named mine uwu.pcapng.

You can now safely close Wireshark.

Step 4: Analysing the pcap

If you look for the pcap in your file manager, you may find that its icon has a big x in the bottom right corner.

This means that your normal user can't read it: the file was written by Wireshark running as root, so it is owned by root. This is a problem, as you won't be able to send it over email or upload it to Google Drive. However, we can fix this!

By catting the pcap into a new file, we get a copy that can be opened by someone with no privileges.

The command you run is found below:

kali@kali:~/gitbook$ sudo cat uwu.pcapng > new.pcapng

This reads uwu.pcapng as root, but the redirection is performed by your own unprivileged shell, so new.pcapng is created owned by your user and is readable without any privileges. (Changing the owner of the original file with chown as root works equally well.) Now to check that the error is fixed.

Now, we can open this pcap as normal.

By running the command:

kali@kali:~/gitbook$ wireshark new.pcapng

the pcap is opened, yay!

If we apply the display filter http, we can see 6 packets: the 3 GET requests and their 3 responses.

If we click on the two responses for test.txt and uwu.txt, we can see the text data in the packet bytes!
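For CTF authoring it is often handier to generate the capture than to record it. The script below is an added example, not part of this tutorial, that builds the same kind of capture programmatically (one GET request and one 200 response per file, over Ethernet/IPv4/TCP, with valid IP and TCP checksums) in the classic libpcap format, then reads the file back and pulls out the request lines and response bodies the way the http filter and packet bytes pane do in Step 4. It uses only the standard library; the MAC addresses, ports, sequence numbers and file contents are constructed sample values, and it writes plain .pcap rather than .pcapng because the format is simpler and Wireshark opens both.

```python
"""Synthesize a minimal pcap of an HTTP exchange and read it back (added example)."""
import struct

LINKTYPE_ETHERNET = 1
# Constructed sample endpoints: client 127.0.0.1:40000 -> server 127.0.0.1:8000
CLIENT = ("127.0.0.1", 40000)
SERVER = ("127.0.0.1", 8000)
MAC_A = bytes.fromhex("020000000001")  # locally administered, constructed
MAC_B = bytes.fromhex("020000000002")


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (used by IPv4 and TCP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_segment(src, dst, seq, ack, flags, payload):
    """Ethernet/IPv4/TCP frame carrying payload, with correct IP and TCP checksums."""
    sip, sport = src
    dip, dport = dst
    sip_b = bytes(int(o) for o in sip.split("."))
    dip_b = bytes(int(o) for o in dip.split("."))
    # TCP header: data offset 5 words, window 65535, checksum placeholder 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = sip_b + dip_b + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, sip_b, dip_b)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    dst_mac, src_mac = (MAC_B, MAC_A) if src == CLIENT else (MAC_A, MAC_B)
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp


def build_pcap(files, start_ts=1598601211):
    """One GET + 200 OK per file (PSH|ACK segments), as a little-endian classic pcap."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    seq_c, seq_s, ts = 1000, 5000, start_ts
    for name, body in files.items():
        req = f"GET /{name} HTTP/1.1\r\nHost: 127.0.0.1:8000\r\n\r\n".encode()
        resp = (f"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n"
                f"Content-Length: {len(body)}\r\n\r\n").encode() + body
        for frame in (tcp_segment(CLIENT, SERVER, seq_c, seq_s, 0x18, req),
                      tcp_segment(SERVER, CLIENT, seq_s, seq_c + len(req), 0x18, resp)):
            # per-record header: ts_sec, ts_usec, captured length, original length
            out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
            ts += 1
        seq_c += len(req)
        seq_s += len(resp)
    return b"".join(out)


def extract_http(pcap: bytes):
    """Walk a classic pcap and return (request_line, response_body) pairs."""
    magic, = struct.unpack("<I", pcap[:4])
    end = "<" if magic == 0xA1B2C3D4 else ">"
    pos, results, pending = 24, [], None
    while pos + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack(end + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        ip = frame[14:]                                  # skip Ethernet header
        ip = ip[:struct.unpack("!H", ip[2:4])[0]]        # drop any trailing padding
        if ip[9] != 6:                                   # not TCP
            continue
        tcp = ip[(ip[0] & 0x0F) * 4:]
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload.startswith(b"GET "):
            pending = payload.split(b"\r\n", 1)[0].decode()
        elif payload.startswith(b"HTTP/") and pending:
            results.append((pending, payload.split(b"\r\n\r\n", 1)[1]))
            pending = None
    return results


if __name__ == "__main__":
    sample = {"test.txt": b"hello from test.txt\n", "uwu.txt": b"flag{constructed_sample}\n"}
    with open("synthetic.pcap", "wb") as fh:
        fh.write(build_pcap(sample))
    with open("synthetic.pcap", "rb") as fh:
        for line, body in extract_http(fh.read()):
            print(line, "->", body.decode().strip())
```

Open synthetic.pcap in Wireshark and apply the http filter to see the same request/response pairs; because no root process ever touched the file, it is owned by your user from the start and the Step 4 workaround is not needed.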

Anyway, I hope you've enjoyed this tutorial on how to make a pcap! If you have any questions, feel free to get in touch with me on Twitter.
