by p0cc 2291 days ago
If you work in the networking industry, pcaps are used to troubleshoot networks. I see guys walking around with t-shirts with "pcaps or it didn't happen". The behavior of protocols or the data in their fields can point exactly to what is failing, and a pcap captures this.

If you want to search for protocols in packet captures, I created tshark.dev/search/pcaptable/ for this exact purpose. Search 1000+ protocols from 6000+ packet captures.

---

Per capinfos, the author merged a bunch of pcap files with `mergecap` from Wireshark's sample captures. It has 38 interfaces, which is the highest I've ever seen!

  $ tshark -r ultimate.pcapng -T fields -e frame.protocols | sed -e 's/:/\n/g' | sort | uniq | wc -l
  69
Looks like it's actually 69 protocols, which makes it quite novel as a packet capture.
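As an added example (not code from the thread or from tshark), a small Python reader for classic libpcap files that rebuilds a `frame.protocols`-style chain per frame and counts distinct protocol names the way the `sed | sort | uniq | wc -l` pipeline above does. The sample capture is constructed inline and the dissector only knows Ethernet, IPv4/IPv6 and TCP/UDP/ICMP, so real captures will show more layers than it names.

```python
import struct
from collections import Counter

ETHERTYPES = {0x0800: "ip", 0x86DD: "ipv6", 0x0806: "arp"}
IP_PROTOS = {1: "icmp", 6: "tcp", 17: "udp", 58: "icmpv6"}

def iter_frames(data):
    """Yield raw link-layer frames from a classic libpcap byte string (pcapng is block-based and not handled)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)  # magic reveals the writer's byte order
    if endian is None:
        raise ValueError("not a libpcap file")
    offset = 24                                               # fixed 24-byte global header
    while offset + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, offset)[2]  # ts_sec, ts_usec, incl_len, orig_len
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len

def protocol_chain(frame):
    """Build a tshark-style frame.protocols string such as 'eth:ip:udp' for one Ethernet frame."""
    chain = ["eth"]
    eth_type = struct.unpack_from(">H", frame, 12)[0]
    chain.append(ETHERTYPES.get(eth_type, "unknown"))
    if eth_type == 0x0800 and len(frame) >= 34:    # IPv4: protocol byte at IP header offset 9
        chain.append(IP_PROTOS.get(frame[14 + 9], "unknown"))
    elif eth_type == 0x86DD and len(frame) >= 54:  # IPv6: next-header byte at offset 6
        chain.append(IP_PROTOS.get(frame[14 + 6], "unknown"))
    return ":".join(chain)

def count_protocols(data):
    """Count each protocol name over all frames; len() of the result is what sort|uniq|wc -l reports."""
    return Counter(p for f in iter_frames(data) for p in protocol_chain(f).split(":"))

# Constructed test data, not a capture from the thread: Ethernet/IPv4 frames with a chosen IP protocol.
def make_ipv4_frame(ip_proto, payload):
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, ip_proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload
    return b"\x00" * 12 + struct.pack(">H", 0x0800) + ip

def build_pcap(frames, endian="<"):
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # version 2.4, LINKTYPE_ETHERNET
    for f in frames:
        out += struct.pack(endian + "IIII", 0, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = build_pcap([make_ipv4_frame(17, struct.pack(">HHHH", 53, 53, 8, 0)),  # eth:ip:udp
                          make_ipv4_frame(6, b"\x00" * 20),                          # eth:ip:tcp
                          make_ipv4_frame(1, b"\x08\x00\x00\x00")])                  # eth:ip:icmp
```

Running `count_protocols` on `SAMPLE_PCAP` yields five distinct names (eth, ip, udp, tcp, icmp); pointing it at a real libpcap file read in binary mode gives the same kind of figure the tshark pipeline produced.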

Packet captures are helpful even if you’re not personally involved in the networking layer, but still talk to the internet and would like to keep logs of it. My university organizes capture-the-flag competitions and everything that goes through the game network is captured, both by us and by many of the teams. The captures let us monitor the state of the game, quickly detect and respond to denial of service attacks, and serve as a sanity check of the event in case some critical infrastructure goes down and we lose game data. Good teams log all their traffic so they can reverse-engineer and replay exploits that people shoot at them, of course ;)
That's an interesting use case. Is there a blog/article talking more about this?
I’m not sure if we ever actually wrote up anything specific about our architecture (CTF people tend to hate write-ups), but I did find that we did a post when we disqualified LC/BC for a DDoS attack against another team, which we detected using network logs: https://ictf.cs.ucsb.edu/pages/the-2016-2017-ictf-ddos.html