Packet Capture Forensics
Mission
Analyze a packet capture from a suspected data breach. Identify the protocol breakdown, filter for suspicious traffic, extract forensic artifacts, and write your findings.
Scenario
A Cloudflare Worker generates a simulated packet capture viewer with traffic from a compromised network segment. The capture contains normal business traffic mixed with:
- C2 beaconing hidden in HTTPS traffic (identifiable via JA3 fingerprint mismatch)
- DNS tunneling with unusually long subdomain queries
- Data exfiltration via high-entropy payloads on non-standard ports
What You’ll Do
- Filter the capture to isolate suspicious traffic from normal business operations
- Identify protocol anomalies: magic bytes that don’t match the declared protocol, length fields inconsistent with payload size, timing patterns suggesting automated C2
- Extract IOCs: file hashes, C2 domains, exfiltrated data signatures
- Report your findings in a structured format and validate against the ground truth
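As an added example (not part of the lab material), the following Python triage pass runs the three indicator checks the scenario names over a handful of constructed flow records: DNS queries with an unusually long label, payloads whose magic bytes do not match the protocol the destination port declares, and high-entropy payloads on non-standard ports. The port table, thresholds and sample records are assumptions; JA3 comparison is not shown because it needs a full ClientHello parser.

```python
"""Triage helpers for the indicator classes named in the scenario (added example)."""
import math
from collections import Counter

# Assumption: the capture "declares" a protocol by well-known destination port,
# and these are the leading bytes that protocol should start with.
MAGIC_BY_PORT = {
    443: (b"\x16\x03",),                     # TLS record header: handshake, version 3.x
    80:  (b"GET ", b"POST ", b"HEAD ", b"HTTP/"),
    22:  (b"SSH-",),
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted/compressed data, ~4-5 for plain text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def magic_mismatch(dport: int, payload: bytes) -> bool:
    """True when the port implies a protocol but the payload lacks its magic bytes."""
    magics = MAGIC_BY_PORT.get(dport)
    return magics is not None and not any(payload.startswith(m) for m in magics)

def dns_label_anomaly(qname: str, max_label: int = 40) -> bool:
    """Tunnels stuff encoded data into one label; legitimate labels are short."""
    return any(len(label) > max_label for label in qname.rstrip(".").split("."))

def triage(flows, entropy_floor: float = 7.0, min_len: int = 64):
    """Return (flow_id, reason) for every flow that trips an indicator."""
    hits = []
    for f in flows:
        if f.get("qname") and dns_label_anomaly(f["qname"]):
            hits.append((f["id"], "dns-tunnel-label"))
        p = f.get("payload", b"")
        if p and magic_mismatch(f["dport"], p):
            hits.append((f["id"], "magic-mismatch"))
        if p and f["dport"] not in MAGIC_BY_PORT and len(p) >= min_len \
                and shannon_entropy(p) > entropy_floor:
            hits.append((f["id"], "high-entropy-nonstandard-port"))
    return hits

SAMPLE_FLOWS = [  # constructed records, not taken from any real capture
    {"id": 1, "dport": 443, "payload": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"},
    {"id": 2, "dport": 53, "qname": "www.example.com"},
    {"id": 3, "dport": 53, "qname": "abcdef0123456789" * 3 + ".cdn-metrics.example"},
    {"id": 4, "dport": 443, "payload": b"POST /beacon HTTP/1.1\r\n"},   # plaintext on TLS port
    {"id": 5, "dport": 4444, "payload": bytes(range(256))},              # opaque blob, odd port
    {"id": 6, "dport": 8080, "payload": b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n"},
]

if __name__ == "__main__":
    for flow_id, reason in triage(SAMPLE_FLOWS):
        print(f"flow {flow_id}: {reason}")
```

Flows 3, 4 and 5 are flagged; flow 6 is plain HTTP on an alternate port and stays quiet because its entropy is that of text.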
Offensive Context
This is the defensive mirror of how a protocol-level attacker operates. The same packet analysis skills — identifying magic bytes, static vs. dynamic fields, length field anomalies — apply on both sides of the table. An attacker manipulating these fields to trigger parser bugs on the server? You’re learning to spot exactly that. The JA3 fingerprint mismatch detection works because malware uses its own TLS stack — and now you know what to look for.