Read a network recording like a story.
A quick primer on opening a network recording (a "pcap") with a tool called tshark — the same moves you'll use to find the attacker's address and the door the break-in used. Watch it through, then jump to the simulation to see the messages flowing.
Lesson · Networking and Packet Analysis
~6 min
Summary
what to remember
1. A pcap is a recording. A saved copy of every message that crossed the network: what was sent, which way it went, and exactly when.
2. Zoom in on one conversation. Most messages are noise. Pick out the one that matters with `tcp.stream eq N` (N is the conversation's number).
3. Read the whole conversation back. `tshark -qz follow,tcp,ascii,4` glues both sides together into one readable chat.
4. Spot a remote-control session. A connection that stays open a long time, where one side does most of the talking, with plain text like `/bin/bash -i` (a command that hands over control).
5. The flag is the fingerprint. The attacker's address plus the door, e.g. `10.0.0.42:4444`: the one fact you hand to the security team.
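As an added example (not code from the lesson), here is the fingerprint from steps 2 to 5 turned into a script: it groups per-packet rows into conversations by `tcp.stream`, scores each for duration, one-sidedness and shell text, and reports the remote end as ip:port. It assumes the rows were produced by `tshark -r capture.pcap -T fields -E separator=/t -e tcp.stream -e frame.time_relative -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.len -e tcp.payload` (that column order is this example's choice), and the embedded capture, the SHELL_MARKERS list and the thresholds are all constructed for illustration.

```python
from collections import defaultdict

SHELL_MARKERS = ("/bin/bash -i", "/bin/sh -i", "uid=")  # assumed starter list

def _row(stream, t, src, sport, dst, dport, text):
    """One line as tshark -T fields would print it: tcp.payload is hex."""
    data = text.encode()
    return "\t".join(map(str, (stream, f"{t:.3f}", src, sport, dst, dport, len(data), data.hex())))

# Constructed sample (hypothetical capture): a web request and a shell session.
SAMPLE = "\n".join([
    _row(0, 0.010, "10.0.0.7", 51000, "10.0.0.9", 80, "GET / HTTP/1.1\r\n\r\n"),
    _row(0, 0.020, "10.0.0.9", 80, "10.0.0.7", 51000, "HTTP/1.1 200 OK\r\n\r\n"),
    _row(4, 5.000, "10.0.0.7", 40212, "10.0.0.42", 4444, ""),  # SYN: victim dials out
    _row(4, 5.100, "10.0.0.42", 4444, "10.0.0.7", 40212, "/bin/bash -i\n"),
    _row(4, 5.200, "10.0.0.7", 40212, "10.0.0.42", 4444, "bash: no job control in this shell\n"),
    _row(4, 200.000, "10.0.0.42", 4444, "10.0.0.7", 40212, "id\n"),
    _row(4, 200.050, "10.0.0.7", 40212, "10.0.0.42", 4444, "uid=0(root) gid=0(root) groups=0(root)\n"),
])

def parse_fields(text):
    """Parse rows in the assumed column order; older tshark builds print payload hex with ':' separators."""
    rows = []
    for line in filter(str.strip, text.splitlines()):
        stream, t, src, sport, dst, dport, length, payload = line.split("\t")
        rows.append({"stream": int(stream), "time": float(t), "src": f"{src}:{sport}",
                     "dst": f"{dst}:{dport}", "len": int(length or 0),
                     "data": bytes.fromhex(payload.replace(":", ""))})
    return rows

def find_shell_sessions(text, min_duration=60.0, min_dominance=0.8):
    """Return (stream, 'ip:port' of the remote end, reasons) per suspicious conversation."""
    by_stream = defaultdict(list)
    for r in parse_fields(text):
        by_stream[r["stream"]].append(r)
    findings = []
    for sid, pk in sorted(by_stream.items()):
        pk.sort(key=lambda r: r["time"])
        sent = defaultdict(int)
        for r in pk:
            sent[r["src"]] += r["len"]
        duration = pk[-1]["time"] - pk[0]["time"]
        dominance = max(sent.values()) / (sum(sent.values()) or 1)  # chattier side's share
        chat = b"".join(r["data"] for r in pk).decode("latin-1")  # what follow,tcp,ascii shows
        reasons = [m for m in SHELL_MARKERS if m in chat]
        if duration >= min_duration and dominance >= min_dominance:
            reasons.append(f"long ({duration:.0f}s) and one-sided ({dominance:.0%})")
        if reasons:  # the first packet runs initiator -> remote, so its dst is the remote end
            findings.append((sid, pk[0]["dst"], reasons))
    return findings
```

A marker such as `uid=` also turns up in ordinary web traffic, so treat a hit as the cue to run `follow,tcp,ascii` on that stream and read it, not as the verdict.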
Quick check · before you continue
1 question · pick one
Q: You're handed one network recording and asked to find the attacker's address and the door the break-in used. Which command replays a whole single conversation back as readable text?