competition-pcap-protocol
Competition PCAP Protocol
Use this skill only as a downstream specialization after $ctf-sandbox-orchestrator is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to $ctf-sandbox-orchestrator first.
Use this skill when the decisive evidence sits inside packet order, protocol framing, or stream reconstruction rather than a single IOC or host log.
Reply in Simplified Chinese unless the user explicitly requests English.
Quick Start
- Establish the capture boundaries first: hosts, time span, interfaces, missing packets, retransmits, and stream count.
- Group traffic into sessions before decoding payload semantics.
- Record protocol framing, sequence, timing, and transferred artifacts together instead of as isolated packets.
- Correlate packet evidence with host, malware, or app behavior only after the session is reconstructed.
- Reproduce the smallest decoded stream or transferred artifact that proves the challenge path.
Workflow
1. Build The Session Map
- Identify endpoints, protocols, ports, TLS handshakes, DNS lookups, WebSocket upgrades, and long-lived streams.
- Note missing capture coverage, asymmetric routing, packet loss, or reassembly issues before drawing conclusions.
- Separate control channels, bulk transfers, keepalives, and noise.
2. Decode The Protocol Boundary
- Reassemble TCP streams or UDP conversations before interpreting fields.
- Recover framing, message order, custom headers, binary fields, compression, encryption boundaries, and object transfers.
- Keep payload direction, timing, and session state aligned with each decoded message.
3. Tie Packets To Behavior
- Show which packet sequence maps to which host event, malware branch, login flow, upload, exfiltration step, or command channel.
- Distinguish protocol recognition from artifact recovery: naming HTTP, DNS, or a custom C2 is not enough without decoded content or proven downstream effect.
- If the task becomes mostly a host timeline problem after decode, switch to the tighter forensic timeline skill.
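The following script walks Quick Start and Workflow steps 1 and 2 on a constructed capture. It is an added example, not code from this skill or its references, and it depends only on the Python standard library. The pcap bytes, the hosts 10.0.0.5 and 10.0.0.9, the ports and the HTTP exchange are all made up for the demonstration. It first groups packets into bidirectional sessions and records the capture-boundary facts the checklist asks for (packet count, time span, SYN/FIN/RST flags, snaplen truncation), then orders each direction by sequence number, counting retransmits and byte gaps, and only then reads the request line from the reassembled bytes.

```python
# Added example (not the skill's own code): pcap session map + TCP reassembly.
# The capture, hosts, ports and payloads below are constructed for the demo.
import struct
from collections import defaultdict

SYN, FIN, RST, PSH, ACK = 0x02, 0x01, 0x04, 0x08, 0x10

def build_frame(src, sport, dst, dport, seq, ack, flags, payload=b""):
    """Ethernet II + IPv4 + TCP frame; checksums left zero, the parser ignores them."""
    src_b, dst_b = (bytes(map(int, a.split("."))) for a in (src, dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src_b, dst_b)
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # classic pcap, linktype 1
    for ts, fr in frames:
        sec = int(ts)
        out.append(struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(fr), len(fr)) + fr)
    return b"".join(out)

def iter_packets(data):
    """Yield (timestamp, frame, truncated_by_snaplen) from a classic pcap file."""
    e = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data)[0])
    if e is None or struct.unpack_from(e + "I", data, 20)[0] != 1:
        raise ValueError("expected classic pcap with Ethernet linktype")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack_from(e + "IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl], incl < orig
        off += incl

def parse_tcp(frame):
    """Return (src, sport, dst, dport, seq, flags, payload), or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl, total = (frame[14] & 0x0F) * 4, struct.unpack_from("!H", frame, 16)[0]
    t = 14 + ihl
    sport, dport, seq, _ack, off_flags = struct.unpack_from("!HHIIH", frame, t)
    payload = frame[t + (off_flags >> 12) * 4:14 + total]
    src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
    return src, sport, dst, dport, seq, off_flags & 0x1FF, payload

def session_map(data):
    """Step 1: bidirectional sessions with flags, time span, truncation and per-direction segments."""
    sessions = defaultdict(lambda: {"packets": 0, "first": None, "last": None,
                                    "flags": set(), "truncated": 0, "dirs": defaultdict(list)})
    for ts, frame, trunc in iter_packets(data):
        p = parse_tcp(frame)
        if p is None:
            continue  # non-IPv4/TCP frames are a coverage fact to note, not decoded here
        src, sport, dst, dport, seq, flags, payload = p
        s = sessions[tuple(sorted([(src, sport), (dst, dport)]))]
        s["packets"] += 1
        s["truncated"] += trunc
        s["first"], s["last"] = (ts if s["first"] is None else s["first"]), ts
        s["flags"] |= {n for n, b in (("SYN", SYN), ("FIN", FIN), ("RST", RST)) if flags & b}
        s["dirs"][(src, sport, dst, dport)].append((ts, seq, flags, payload))
    return sessions

def reassemble(segments):
    """Step 2: order one direction by sequence number; return (bytes, retransmits, gaps)."""
    syn = [s for s in segments if s[2] & SYN]
    segs = sorted((s for s in segments if s[3]), key=lambda s: (s[1], s[0]))
    nxt = syn[0][1] + 1 if syn else (segs[0][1] if segs else 0)  # SYN consumes one seq number
    out, retrans, gaps = bytearray(), 0, []
    for _ts, seq, _flags, payload in segs:
        end = seq + len(payload)
        if end <= nxt:
            retrans += 1                      # every byte already seen: retransmission
            continue
        if seq > nxt:
            gaps.append((nxt, seq))           # bytes absent from the capture
        out += payload[max(0, nxt - seq):]    # drop any overlapping prefix
        nxt = end
    return bytes(out), retrans, gaps

def demo():
    c, s = ("10.0.0.5", 40000), ("10.0.0.9", 80)
    req = b"GET /upload?id=7 HTTP/1.1\r\nHost: target\r\nX-Token: abc123\r\n\r\n"
    rep = b"HTTP/1.1 204 No Content\r\n\r\n"
    # Constructed capture: handshake, request split in two out-of-order segments
    # (second one retransmitted), then the reply and the client's FIN.
    frames = [
        (1.000, build_frame(*c, *s, 1000, 0, SYN)),
        (1.001, build_frame(*s, *c, 5000, 1001, SYN | ACK)),
        (1.002, build_frame(*c, *s, 1001, 5001, ACK)),
        (1.003, build_frame(*c, *s, 1021, 5001, PSH | ACK, req[20:])),
        (1.004, build_frame(*c, *s, 1001, 5001, PSH | ACK, req[:20])),
        (1.005, build_frame(*c, *s, 1021, 5001, PSH | ACK, req[20:])),
        (1.010, build_frame(*s, *c, 5001, 1001 + len(req), PSH | ACK, rep)),
        (1.011, build_frame(*c, *s, 1001 + len(req), 5001 + len(rep), FIN | ACK)),
    ]
    (_key, sess), = session_map(build_pcap(frames)).items()
    streams = {d: reassemble(segs) for d, segs in sess["dirs"].items()}
    request_line = streams[(*c, *s)][0].split(b"\r\n", 1)[0].decode()
    return sess, streams, request_line

if __name__ == "__main__":
    sess, streams, line = demo()
    print(sess["packets"], "packets", sorted(sess["flags"]), line, {d: v[1:] for d, v in streams.items()})
```

In the sample capture the request line is split across two segments that arrive out of order and one of them is retransmitted, so a per-packet string search would either miss the request or count it twice; only the reassembled client-to-server stream yields it once, with the retransmit recorded against the session. The parser deliberately handles only classic pcap over Ethernet with plain IPv4/TCP: pcapng, VLAN-tagged frames, IPv6 and IP fragments are rejected or skipped, and when a real capture contains them the skipped count is itself a capture-boundary fact to write down before drawing conclusions.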
Read This Reference
- Load references/pcap-protocol.md for the session checklist, decode checklist, and evidence packaging.
- If the hard part is a WebSocket or SSE handshake, subscription flow, realtime frames, or frame-driven state, prefer $competition-websocket-runtime.
- If the hard part is a custom handshake, framing, checksum, sequence dependency, or deterministic replay harness, prefer $competition-custom-protocol-replay.
What To Preserve
- Stream IDs, endpoint pairs, packet ranges, timestamps, protocol framing, and object boundaries
- Decoded requests, responses, commands, transferred files, and the session that carried them
- The exact packet sequence or reconstructed stream that proves the challenge behavior