#!/usr/bin/env python3 """ Analyze sniffed.pcap for the Spell Sequence challenge Looking for hidden patterns in packet sizes, sequence numbers, ports, or other fields """ try: from scapy.all import rdpcap, IP, TCP, UDP print("Loading packets...") packets = rdpcap('sniffed.pcap') print(f"Total packets: {len(packets)}") print("\nFirst 20 packets:") print("-" * 80) for i, pkt in enumerate(packets[:20]): if IP in pkt: src = pkt[IP].src dst = pkt[IP].dst length = len(pkt) proto = "" sport = dport = "" if TCP in pkt: proto = "TCP" sport = pkt[TCP].sport dport = pkt[TCP].dport elif UDP in pkt: proto = "UDP" sport = pkt[UDP].sport dport = pkt[UDP].dport print(f"{i+1:3d}: {src:15s} -> {dst:15s} | {proto:4s} {sport:>5} -> {dport:<5} | Len: {length}") # Look for patterns in packet lengths (common hiding place) print("\n" + "=" * 80) print("PACKET LENGTHS (looking for ASCII pattern):") print("=" * 80) lengths = [len(pkt) for pkt in packets] print(f"Lengths: {lengths[:50]}") # Try interpreting lengths as ASCII print("\nAttempting to decode lengths as ASCII characters:") ascii_from_lengths = "" for length in lengths: if 32 <= length <= 126: # Printable ASCII ascii_from_lengths += chr(length) else: ascii_from_lengths += f"[{length}]" print(ascii_from_lengths[:200]) # Look at packet size variations print("\n" + "=" * 80) print("LOOKING FOR PATTERNS IN PACKET SIZES:") print("=" * 80) # Get IP payload lengths ip_lengths = [] for pkt in packets: if IP in pkt: ip_lengths.append(pkt[IP].len) print(f"IP lengths: {ip_lengths[:50]}") # Try as ASCII print("\nIP lengths as ASCII:") ascii_from_ip = "" for length in ip_lengths: if 32 <= length <= 126: ascii_from_ip += chr(length) else: ascii_from_ip += f"[{length}]" print(ascii_from_ip[:200]) # Check sequence numbers, ports, etc. print("\n" + "=" * 80) print("CHECKING TCP/UDP PORTS:") print("=" * 80) ports = [] for pkt in packets: if TCP in pkt: ports.append((pkt[TCP].sport, pkt[TCP].dport)) elif UDP in pkt: ports.append((pkt[UDP].sport, pkt[UDP].dport)) print(f"Ports (first 20): {ports[:20]}") # Check source ports as potential ASCII src_ports = [p[0] for p in ports] dst_ports = [p[1] for p in ports] print(f"\nSource ports: {src_ports[:30]}") print(f"Destination ports: {dst_ports[:30]}") # Try destination ports as ASCII print("\nDestination ports as ASCII:") ascii_from_dstport = "" for port in dst_ports: if 32 <= port <= 126: ascii_from_dstport += chr(port) print(ascii_from_dstport) # Try source ports as ASCII print("\nSource ports as ASCII:") ascii_from_srcport = "" for port in src_ports: if 32 <= port <= 126: ascii_from_srcport += chr(port) print(ascii_from_srcport) # Check for incrementing/decrementing patterns print("\n" + "=" * 80) print("ALL PACKET DATA:") print("=" * 80) for i, pkt in enumerate(packets): print(f"\nPacket {i+1}:") print(pkt.summary()) if i >= 10: # Limit output print(f"\n... and {len(packets) - 10} more packets") break except ImportError: print("Scapy not installed. Trying alternative method...") import struct # Read raw pcap file with open('sniffed.pcap', 'rb') as f: data = f.read() print(f"File size: {len(data)} bytes") print(f"First 100 bytes (hex): {data[:100].hex()}") # Look for ASCII strings ascii_strings = [] current = "" for byte in data: if 32 <= byte <= 126: current += chr(byte) else: if len(current) > 3: ascii_strings.append(current) current = "" print(f"\nFound {len(ascii_strings)} ASCII strings") for s in ascii_strings[:20]: print(f" {s}")