competition-pcap-protocol
Competition PCAP Protocol
Use this skill only as a downstream specialization after $ctf-sandbox-orchestrator is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to $ctf-sandbox-orchestrator first.
Use this skill when the decisive evidence sits inside packet order, protocol framing, or stream reconstruction rather than a single IOC or host log.
Reply in Simplified Chinese unless the user explicitly requests English.
Quick Start
- Establish the capture boundaries first: hosts, time span, interfaces, missing packets, retransmits, and stream count.
- Group traffic into sessions before decoding payload semantics.
- Record protocol framing, sequence, timing, and transferred artifacts together instead of as isolated packets.
- Correlate packet evidence with host, malware, or app behavior only after the session is reconstructed.
- Reproduce the smallest decoded stream or transferred artifact that proves the challenge path.
Workflow
1. Build The Session Map
- Identify endpoints, protocols, ports, TLS handshakes, DNS lookups, websocket upgrades, and long-lived streams.
- Note missing capture coverage, asymmetric routing, packet loss, or reassembly issues before drawing conclusions.
- Separate control channels, bulk transfers, keepalives, and noise.
2. Decode The Protocol Boundary
- Reassemble TCP streams or UDP conversations before interpreting fields.
- Recover framing, message order, custom headers, binary fields, compression, encryption boundaries, and object transfers.
- Keep payload direction, timing, and session state aligned with each decoded message.
3. Tie Packets To Behavior
- Show which packet sequence maps to which host event, malware branch, login flow, upload, exfiltration step, or command channel.
- Distinguish protocol recognition from artifact recovery: naming HTTP, DNS, or a custom C2 is not enough without decoded content or proven downstream effect.
- If the task becomes mostly a host timeline problem after decode, switch to the tighter forensic timeline skill.
Read This Reference
- Load
references/pcap-protocol.mdfor the session checklist, decode checklist, and evidence packaging. - If the hard part is a WebSocket or SSE handshake, subscription flow, realtime frames, or frame-driven state, prefer
$competition-websocket-runtime. - If the hard part is a custom handshake, framing, checksum, sequence dependency, or deterministic replay harness, prefer
$competition-custom-protocol-replay.
What To Preserve
- Stream IDs, endpoint pairs, packet ranges, timestamps, protocol framing, and object boundaries
- Decoded requests, responses, commands, transferred files, and the session that carried them
- The exact packet sequence or reconstructed stream that proves the challenge behavior
More from galiais/ctf-sandbox-orchestrator
competition-prompt-injection
Internal downstream skill for ctf-sandbox-orchestrator. CTF-sandbox workflow for prompt-injection, retrieval poisoning, memory contamination, planner drift, MCP or tool-boundary abuse, and agent exfiltration challenges. Use when the user asks to analyze prompt injection, retrieval poisoning, memory contamination, planner drift, tool-argument corruption, or secret exposure caused by an agent chain. Use only after `$ctf-sandbox-orchestrator` has already established sandbox assumptions and routed here.
10competition-forensic-timeline
Internal downstream skill for ctf-sandbox-orchestrator. CTF-sandbox workflow for DFIR chronology, cross-artifact correlation, persistence chains, and incident timeline reconstruction. Use when the user asks to build a forensic timeline, correlate EVTX, PCAP, registry, disk, memory, mailbox, or browser artifacts, explain the order of attacker actions, or pinpoint the stage where the decisive artifact appears. Use only after `$ctf-sandbox-orchestrator` has already established sandbox assumptions and routed here.
9competition-agent-cloud
Internal downstream skill for ctf-sandbox-orchestrator. CTF-sandbox workflow for AI-agent, prompt-injection, MCP or toolchain, cloud, container, CI/CD, and supply-chain challenges. Use when the user asks to analyze prompt-to-tool flows, retrieval poisoning, mounted secrets, deployment drift, runtime-vs-manifest mismatches, registry provenance, or CI-produced artifacts under sandbox assumptions. Use only after `$ctf-sandbox-orchestrator` has already established sandbox assumptions and routed here.
8competition-lsass-ticket-material
Internal downstream skill for ctf-sandbox-orchestrator. CTF-sandbox workflow for LSASS-resident secrets, Windows logon sessions, Kerberos ticket caches, DPAPI-backed material, SSP artifacts, and replayable credential extraction. Use when the user asks to inspect LSASS memory, recover tickets or logon sessions, trace DPAPI or SSP material, distinguish which credential artifacts are replayable, or connect host-resident credential material to an accepted pivot or privilege edge. Use only after `$ctf-sandbox-orchestrator` has already established sandbox assumptions and routed here.
8competition-reverse-pwn
Internal downstream skill for ctf-sandbox-orchestrator. CTF-sandbox workflow for reverse engineering, malware, DFIR, firmware, pwnable, and native exploit challenges. Use when the user asks to reverse a binary, unpack a sample, inspect a memory dump or PCAP, recover malware behavior, debug a crash, or build or verify an exploit chain under sandbox assumptions. Use only after `$ctf-sandbox-orchestrator` has already established sandbox assumptions and routed here.
8ctf-sandbox-orchestrator
Default entrypoint and master ctf-sandbox-orchestrator workflow for CTF, exploit, reverse engineering, DFIR, pwnable, crypto, stego, mobile, AI-agent, cloud, container, Active Directory, Windows-host, and identity challenges. Use first when the user presents challenge infrastructure, binaries, prompts, hosts, or identities that should be treated as sandbox-internal by default and Codex needs to choose, route, and load the right downstream analysis path with concise evidence.
8