Tags:流量分析,ICMP,data_len,pyshark
0x00. 题目
附件路径:https://pan.baidu.com/s/1GyH7kitkMYywGC9YJeQLJA?pwd=Zmxh#list/path=/CTF附件
附件名称:20250919_QQ_ICMP.zip
0x01. WP
1. 流量分析
整个流量包仅涉及ICMP协议,每次请求仅在data_len发生变化
2. 编写脚本提取数据
wireshark_exp.py
# -*- coding: utf-8 -*-
import pyshark, os, re,time
import base64# Author: Jason.J.Hu
# Create : 2023/12/11# 初始化全局参数,包括流量包名称,tshark位置
strCapPath = "icmp.pcapng"
strTsharkPath = "D:\\=Green=\\Wireshark\\App\\Wireshark\\"# Wireshark过滤表达式,提高数据包分析效率,过滤掉无效请求
strFomula=''cap = pyshark.FileCapture(strCapPath, display_filter=strFomula,tshark_path=strTsharkPath)print(time.strftime("%H:%M:%S", time.localtime()), "流量分析开始 ... ...")# 协议结构分析开始
print("协议结构分析开始...")
i=0
for layer in cap[0].layers:print("第",i+1,"层:",layer.layer_name)print(layer.field_names)i+=1
print("协议结构分析完成。")
print("=" * 16)# 流量内容分析开始
lstResult=['','','','']
sFlag=""
for pkt in cap:intRequestNumber = pkt.numberprint("\r\tFrame Number: %s ..." % str(intRequestNumber), end="")print("icmp.data_len: ",pkt.icmp.data_len)lstResult.append(chr(int(pkt.icmp.data_len)))print("\r")
sFlag="".join(lstResult)
print(sFlag)
print("\r")
print(base64.b64decode(sFlag).decode())
print(time.strftime("%H:%M:%S", time.localtime()), "分析结束。")# ZmxhZ3tlMmRlMThkOS03N2M3LTRlNGEtYWNjMS02ODkxZWQ2MzU2NjV9
# flag{e2de18d9-77c7-4e4a-acc1-6891ed635665}
最终得到flag为flag{e2de18d9-77c7-4e4a-acc1-6891ed635665}
