Host & Network Penetration Testing: Network-Based Attacks CTF 1 — eJPT (INE)
2026-6-16 06:53:44 Author: infosecwriteups.com

Suraj Apar

A beginner-friendly Wireshark PCAP analysis walkthrough — identifying a malware infection through network traffic.

Hello everyone! 👋

In this blog, I’ll walk through the Network-Based Attacks CTF 1 from INE’s eJPT path. Unlike the previous labs, this one is purely about traffic analysis — no exploitation, just Wireshark and the right filters.

I’ll be honest — I’m not very experienced with Wireshark yet, so for most of these questions I searched for the relevant filters on Google and worked through the packets carefully. That’s the approach, and it works.

So, let’s dive in.

Q. What is the domain name (abcd.site) accessed by the infected user that returned a 200 OK response code?

The question is asking for a successful HTTP response, so I filtered for exactly that:

http.response.code == 200

I selected the matching packet, expanded the Hypertext Transfer Protocol field, and at the bottom found the Request URI — which revealed the full domain the infected machine had contacted.

Q. What is the IP address and MAC address of the infected Windows client?

Still on the same filter. I selected the packet, expanded the Ethernet II field, and found the MAC address listed under Destination.

The IP was already visible in the packet list under the Destination column.

Answer format: <IP>, <MAC>

Q. Which Wireshark filter can you use to determine the victim’s hostname from NetBIOS Name Service traffic, and what is the detected hostname for this malware infection?

I searched for the correct filter name for NetBIOS Name Service traffic and found it:

nbns

After applying the filter, I selected a packet, expanded the NetBIOS Name Service section, then expanded Additional records — the hostname was listed right there.

Answer format: nbns, <Hostname>

Q. Which user got infected and ran the mystery_file.ps1 PowerShell script?

I searched for the Wireshark filter to find a specific filename inside TCP stream data. The filter is:

tcp contains "mystery_file.ps1"

One packet came back. I expanded the Data field, right-clicked the truncated data, and copied it as Printable Text. I pasted it into a text editor and carefully read through it.

Inside the data, a file path was visible — and embedded in that path was the username of the infected user.

Q. What User-Agent string indicates the traffic generated by a PowerShell script?

I filtered for packets containing the word “PowerShell”:

tcp contains "PowerShell"

I selected the matching packet, expanded the Hypertext Transfer Protocol field, and found the User-Agent string — which clearly identified it as PowerShell-generated traffic.
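
To show what those display filters are actually matching on, here is an added Python example (not part of the original write-up or the INE lab) that builds a constructed two-frame capture in memory and reproduces `http.response.code == 200` (reading the client IP and MAC from the response frame's destination fields) and `tcp contains "PowerShell"` (pulling the User-Agent out of the matched payload). All addresses, MACs, paths and the User-Agent string are placeholders chosen for the example, not values from the CTF.

```python
import re
import struct

def _mac(m): return bytes.fromhex(m.replace(":", ""))
def _ip(a): return bytes(int(o) for o in a.split("."))

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Minimal Ethernet II / IPv4 / TCP frame; checksums are left zero (not needed here)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                       _ip(src_ip), _ip(dst_ip))
    return _mac(dst_mac) + _mac(src_mac) + b"\x08\x00" + ipv4 + tcp

def parse_frame(frame):
    """Pull out what Wireshark shows as eth.dst, ip.dst and the TCP payload (tcp.payload)."""
    dst_mac = ":".join(f"{b:02x}" for b in frame[0:6])
    ihl = (frame[14] & 0x0F) * 4                       # IPv4 header length in bytes
    dst_ip = ".".join(str(b) for b in frame[30:34])     # IPv4 destination at offset 14 + 16
    data_off = (frame[14 + ihl + 12] >> 4) * 4          # TCP data offset field
    return dst_mac, dst_ip, frame[14 + ihl + data_off:]

def http_200_clients(frames):
    """http.response.code == 200: the infected client is the *destination* of each 200 OK."""
    return [(ip, mac) for mac, ip, p in map(parse_frame, frames)
            if p.startswith(b"HTTP/1.1 200 ")]

def tcp_contains(frames, needle):
    """tcp contains "<needle>": frames whose TCP payload holds the literal string."""
    return [f for f in frames if needle.encode() in parse_frame(f)[2]]

def user_agent(frame):
    """The User-Agent header from an HTTP request payload, or None if absent."""
    m = re.search(rb"^User-Agent: ([^\r\n]+)", parse_frame(frame)[2], re.M)
    return m.group(1).decode() if m else None

# Constructed two-frame capture: a PowerShell-style GET and the server's 200 OK.
# Placeholder addresses/MACs (RFC 5737 test range), not values from the CTF.
CLIENT_IP, CLIENT_MAC = "10.0.0.25", "00:11:22:33:44:55"
SERVER_IP, SERVER_MAC = "203.0.113.10", "aa:bb:cc:dd:ee:ff"
REQUEST = (b"GET /mystery_file.ps1 HTTP/1.1\r\nHost: abcd.site\r\n"
           b"User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1\r\n\r\n")
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 0\r\n\r\n"
FRAMES = [build_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 49152, 80, REQUEST),
          build_frame(SERVER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, 80, 49152, RESPONSE)]

if __name__ == "__main__":
    print(http_200_clients(FRAMES))                         # [('10.0.0.25', '00:11:22:33:44:55')]
    print(user_agent(tcp_contains(FRAMES, "PowerShell")[0]))
```

The same destination-field logic is why the answer to the IP/MAC question comes from the Destination columns of a 200 OK packet rather than the Source columns.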

Q. Which wallet extension ID is associated with the Coinbase wallet?

For this one, I used Wireshark’s Find Packet feature (Ctrl+F) and searched for the string coinbase inside Packet Bytes with type set to String.

A matching packet was found. I expanded the Data field, right-clicked the truncated data, and copied it as Printable Text. I pasted it into a text editor and looked through the list — each entry followed the format <extension-id>|<wallet-name>.

The Coinbase wallet entry was right there with its associated extension ID.

Final Thoughts

This CTF was a different kind of challenge — no shells, no brute-forcing, just reading network traffic carefully.

The biggest takeaway here is that malware leaves traces in packet captures. Every HTTP request, every DNS lookup, every file path — it’s all there if you know what to filter for. You don’t need to be a Wireshark expert to get answers; you just need to know the right filter and look in the right field.

Thanks for reading!


Source: https://infosecwriteups.com/host-network-penetration-testing-network-based-attacks-ctf-1-ejpt-ine-675f149b7c1c?source=rss----7b722bfd1b8d---4