import subprocess
import re

# Capture file to analyse. The relative path is resolved against the current
# working directory, so run the script from the directory holding the capture.
pcap = "sniffed.pcap"

# Absolute path to the tshark binary. Using a full path means subprocess does
# not search PATH for an executable named "tshark".
tshark = r"C:\Program Files\Wireshark\tshark.exe"

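def run_tshark(fields):
    """Run tshark over the capture and return its output, one entry per line.

    Args:
        fields: iterable of tshark field names (for example ``"ip.ttl"``);
            each one is passed to tshark as a ``-e`` option.

    Returns:
        List of output lines in the order tshark printed them. Blank lines
        (tshark prints one for a packet that lacks the requested field) are
        kept, including leading ones, so a line's position still matches its
        packet number. Empty output yields an empty list.
    """
    import sys  # local import: only needed for the diagnostic below

    # Argument list with no shell, so field names are never shell-interpreted.
    cmd = [tshark, "-r", pcap, "-T", "fields"] + ["-e" + f for f in fields]
    # NOTE(review): the capture is untrusted input to tshark's dissectors;
    # keep tshark patched and prefer analysing unknown captures in a
    # throwaway VM or container.
    result = subprocess.run(cmd, capture_output=True, text=True)

    # Report a failing tshark instead of silently returning nothing, which
    # would otherwise look the same as "no hidden data in this field".
    if result.returncode != 0:
        print(
            f"[!] tshark exited with code {result.returncode}: "
            f"{result.stderr.strip()}",
            file=sys.stderr,
        )

    # Drop only trailing newlines. A plain strip() would also remove leading
    # blank lines and shift every later packet index.
    output = result.stdout.rstrip("\n")
    return output.split("\n") if output else []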

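def test_method(name, data, transform=lambda x: x):
    """Decode one candidate covert channel and report any flag it contains.

    Every non-blank entry of *data* is passed through *transform*. Results in
    the printable ASCII range 32-126 become characters, which are joined into
    a message and searched for an ``HTB{...}`` flag.

    Args:
        name: label printed in the section header.
        data: iterable of per-packet field strings, one entry per packet.
        transform: callable mapping a field string to an integer code point.
            The default returns the string unchanged, which never passes the
            numeric range check, so callers normally supply their own.

    Returns:
        The flag text (``HTB{`` through the first following ``}``), or
        ``None`` when no complete flag is present.
    """
    rule = "=" * 80
    print(f"\n{rule}")
    print(f"Testing: {name}")
    print(rule)

    chars = []
    for i, line in enumerate(data, 1):
        if not line.strip():
            continue
        try:
            value = transform(line)
            # Only printable ASCII is kept. This also means capture-derived
            # bytes can never reach the terminal as control characters.
            if value and 32 <= value <= 126:
                char = chr(value)
                chars.append((i, char))
                if i <= 50:  # Print first 50
                    print(f"Packet {i:3d}: {value:3d} = '{char}'")
        except Exception:
            # Best effort: an entry the transform cannot parse is skipped.
            # Unlike a bare ``except``, Ctrl-C and SystemExit still propagate.
            continue

    message = ''.join(c for _, c in chars)
    print(f"\nExtracted ({len(chars)} chars): {message[:100]}...")

    start = message.find('HTB{')
    if start == -1:
        return None

    end = message.find('}', start)
    if end == -1:
        # The marker is present but never closed; report it rather than
        # crashing on a failed index() lookup.
        print(f"\n[!] 'HTB{{' found without a closing brace: "
              f"{message[start:start + 100]}")
        return None

    flag = message[start:end + 1]
    print(f"\n🚩 FLAG FOUND: {flag}")
    return flag


# Despite its name this is a helper, not a unit test; keep pytest-style
# collectors from trying to run it.
test_method.__test__ = False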

# Driver: try each header field as a possible covert channel, in a fixed
# order, and let test_method() report whatever decodes to printable text.
RULE = "=" * 80


def _decimal(text):
    """Parse a base-10 field value; an empty string maps to 0."""
    return int(text) if text else 0


def _hexadecimal(text):
    """Parse a base-16 field value (a ``0x`` prefix is accepted); empty maps to 0."""
    return int(text, 16) if text else 0


# (section heading, label passed to test_method, tshark field, decoder)
CANDIDATES = [
    ("IP TTL Values", "IP TTL", "ip.ttl", _decimal),
    ("IP ID (low byte)", "IP ID Low Byte", "ip.id",
     lambda x: _hexadecimal(x) & 0xFF),
    ("IP ID (high byte)", "IP ID High Byte", "ip.id",
     lambda x: (_hexadecimal(x) >> 8) & 0xFF),
    ("TCP Sequence Number (low byte)", "TCP Seq Low Byte", "tcp.seq",
     lambda x: _decimal(x) & 0xFF),
    ("Packet Lengths", "Packet Length", "frame.len", _decimal),
    ("UDP Source Port", "UDP Source Port", "udp.srcport", _decimal),
    ("UDP Destination Port", "UDP Dest Port", "udp.dstport", _decimal),
]

print(RULE)
print("COMPREHENSIVE CTF STEGANOGRAPHY ANALYSIS")
print(RULE)

# tshark output per field, so a field used by two candidates (ip.id) is
# extracted only once.
fetched = {}
for step, (heading, label, field, decode) in enumerate(CANDIDATES, 1):
    print(f"\n[{step}/{len(CANDIDATES)}] {heading}")
    if field not in fetched:
        fetched[field] = run_tshark([field])
    test_method(label, fetched[field], decode)

print("\n" + RULE)
print("ANALYSIS COMPLETE")
print(RULE)
print("\nIf no flag was found above, the writeup's method (last raw byte)")
print("is likely the correct and intended solution.")
