Agent Skillszhaoxuya520/reverse-skill › competition-pcap-protocol

competition-pcap-protocol

GitHub

作为CTF沙箱下游技能,用于PCAP流量分析、TCP/UDP会话重建、应用层协议解码及流重组。在沙箱已建立假设后使用,重点通过包序和协议帧关联主机行为与恶意软件活动,提取关键证据链。

CTF-Sandbox-Orchestrator/competition-pcap-protocol/SKILL.md zhaoxuya520/reverse-skill

Trigger Scenarios

用户请求分析PCAP文件 需要重建TCP或UDP会话 解码HTTP、WebSocket、DNS或自定义C2协议 将数据包序列与主机或恶意软件行为进行关联

Install

npx skills add zhaoxuya520/reverse-skill --skill competition-pcap-protocol -g -y
More Options

Non-standard path

npx skills add https://github.com/zhaoxuya520/reverse-skill/tree/main/CTF-Sandbox-Orchestrator/competition-pcap-protocol -g -y

Use without installing

npx skills use zhaoxuya520/reverse-skill@competition-pcap-protocol

指定 Agent (Claude Code)

npx skills add zhaoxuya520/reverse-skill --skill competition-pcap-protocol -a claude-code -g -y

安装 repo 全部 skill

npx skills add zhaoxuya520/reverse-skill --all -g -y

预览 repo 内 skill

npx skills add zhaoxuya520/reverse-skill --list

SKILL.md

Frontmatter
{
    "name": "competition-pcap-protocol",
    "description": "Internal downstream skill for ctf-sandbox-orchestrator. CTF-sandbox workflow for packet capture analysis, session reconstruction, application-protocol decoding, stream reassembly, beacon timing, and packet-to-process correlation. Use when the user asks to analyze a PCAP, rebuild TCP or UDP sessions, decode HTTP, WebSocket, DNS, custom C2, or binary protocols, extract transferred artifacts, or tie packet sequences to host or malware behavior. Use only after `$ctf-sandbox-orchestrator` has already established sandbox assumptions and routed here."
}

Competition PCAP Protocol

Use this skill only as a downstream specialization after $ctf-sandbox-orchestrator is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to $ctf-sandbox-orchestrator first.

Use this skill when the decisive evidence sits inside packet order, protocol framing, or stream reconstruction rather than a single IOC or host log.

Reply in Simplified Chinese unless the user explicitly requests English.

Quick Start

  1. Establish the capture boundaries first: hosts, time span, interfaces, missing packets, retransmits, and stream count.
  2. Group traffic into sessions before decoding payload semantics.
  3. Record protocol framing, sequence, timing, and transferred artifacts together instead of as isolated packets.
  4. Correlate packet evidence with host, malware, or app behavior only after the session is reconstructed.
  5. Reproduce the smallest decoded stream or transferred artifact that proves the challenge path.

Workflow

1. Build The Session Map

  • Identify endpoints, protocols, ports, TLS handshakes, DNS lookups, websocket upgrades, and long-lived streams.
  • Note missing capture coverage, asymmetric routing, packet loss, or reassembly issues before drawing conclusions.
  • Separate control channels, bulk transfers, keepalives, and noise.

2. Decode The Protocol Boundary

  • Reassemble TCP streams or UDP conversations before interpreting fields.
  • Recover framing, message order, custom headers, binary fields, compression, encryption boundaries, and object transfers.
  • Keep payload direction, timing, and session state aligned with each decoded message.

3. Tie Packets To Behavior

  • Show which packet sequence maps to which host event, malware branch, login flow, upload, exfiltration step, or command channel.
  • Distinguish protocol recognition from artifact recovery: naming HTTP, DNS, or a custom C2 is not enough without decoded content or proven downstream effect.
  • If the task becomes mostly a host timeline problem after decode, switch to the tighter forensic timeline skill.

Read This Reference

  • Load references/pcap-protocol.md for the session checklist, decode checklist, and evidence packaging.
  • If the hard part is a WebSocket or SSE handshake, subscription flow, realtime frames, or frame-driven state, prefer $competition-websocket-runtime.
  • If the hard part is a custom handshake, framing, checksum, sequence dependency, or deterministic replay harness, prefer $competition-custom-protocol-replay.

What To Preserve

  • Stream IDs, endpoint pairs, packet ranges, timestamps, protocol framing, and object boundaries
  • Decoded requests, responses, commands, transferred files, and the session that carried them
  • The exact packet sequence or reconstructed stream that proves the challenge behavior

Version History

  • 1bec1f2 Current 2026-07-05 18:45

Same Skill Collection

CTF-Sandbox-Orchestrator/competition-crypto-mobile/SKILL.md
CTF-Sandbox-Orchestrator/competition-reverse-pwn/SKILL.md
CTF-Sandbox-Orchestrator/competition-stego-media/SKILL.md
CTF-Sandbox-Orchestrator/competition-web-runtime/SKILL.md
CTF-Sandbox-Orchestrator/ctf-sandbox-orchestrator/SKILL.md
skills/apk-reverse/SKILL.md
skills/binary-diff/SKILL.md
skills/browser-automation/SKILL.md
skills/docs-generator/SKILL.md
skills/dotnet-reverse/SKILL.md
skills/firmware-pentest/SKILL.md
skills/js-reverse/SKILL.md
skills/patch-diff-exploit/SKILL.md
skills/pentest-tools/SKILL.md
skills/pentest-tools/src-hunter/SKILL.md
skills/pwn-chain/SKILL.md
skills/radare2/SKILL.md
CTF-Sandbox-Orchestrator/competition-ad-certificate-abuse/SKILL.md
CTF-Sandbox-Orchestrator/competition-agent-cloud/SKILL.md
CTF-Sandbox-Orchestrator/competition-android-hooking/SKILL.md
CTF-Sandbox-Orchestrator/competition-browser-persistence/SKILL.md
CTF-Sandbox-Orchestrator/competition-bundle-sourcemap-recovery/SKILL.md
CTF-Sandbox-Orchestrator/competition-cloud-metadata-path/SKILL.md
CTF-Sandbox-Orchestrator/competition-container-runtime/SKILL.md
CTF-Sandbox-Orchestrator/competition-custom-protocol-replay/SKILL.md
CTF-Sandbox-Orchestrator/competition-dpapi-credential-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-file-parser-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-firmware-layout/SKILL.md
CTF-Sandbox-Orchestrator/competition-forensic-timeline/SKILL.md
CTF-Sandbox-Orchestrator/competition-graphql-rpc-drift/SKILL.md
CTF-Sandbox-Orchestrator/competition-identity-windows/SKILL.md
CTF-Sandbox-Orchestrator/competition-ios-runtime/SKILL.md
CTF-Sandbox-Orchestrator/competition-jwt-claim-confusion/SKILL.md
CTF-Sandbox-Orchestrator/competition-k8s-control-plane/SKILL.md
CTF-Sandbox-Orchestrator/competition-kerberos-delegation/SKILL.md
CTF-Sandbox-Orchestrator/competition-kernel-container-escape/SKILL.md
CTF-Sandbox-Orchestrator/competition-linux-credential-pivot/SKILL.md
CTF-Sandbox-Orchestrator/competition-lsass-ticket-material/SKILL.md
CTF-Sandbox-Orchestrator/competition-mailbox-abuse/SKILL.md
CTF-Sandbox-Orchestrator/competition-malware-config/SKILL.md
CTF-Sandbox-Orchestrator/competition-oauth-oidc-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-prompt-injection/SKILL.md
CTF-Sandbox-Orchestrator/competition-queue-worker-drift/SKILL.md
CTF-Sandbox-Orchestrator/competition-race-condition-state-drift/SKILL.md
CTF-Sandbox-Orchestrator/competition-relay-coercion-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-request-normalization-smuggling/SKILL.md
CTF-Sandbox-Orchestrator/competition-runtime-routing/SKILL.md
CTF-Sandbox-Orchestrator/competition-ssrf-metadata-pivot/SKILL.md
CTF-Sandbox-Orchestrator/competition-supply-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-template-render-path/SKILL.md
CTF-Sandbox-Orchestrator/competition-websocket-runtime/SKILL.md
CTF-Sandbox-Orchestrator/competition-windows-pivot/SKILL.md
skills/diagram-generator/SKILL.md
skills/edr-bypass-re/SKILL.md
skills/ida-reverse/SKILL.md
skills/reverse-engineering/SKILL.md

Metadata

Files
0
Version
1bec1f2
Hash
18285bb4
Indexed
2026-07-05 18:45

trang chủ - Wiki
Copyright © 2011-2026 iteam. Current version is 2.155.2. UTC+08:00, 2026-07-08 23:02
浙ICP备14020137号-1 $bản đồ khách truy cập$