shark on wire 1

Published: April 2, 2026

Description

We found this packet capture. Recover the flag. Download capture.pcap.

Download capture.pcap from the challenge page.

Open the file in Wireshark.

Solution

  1. Step 1: Filter to the relevant UDP stream
    Apply the Wireshark display filter 'udp.stream eq 6' to isolate the stream carrying the flag. Then right-click any packet in that stream and select Follow > UDP Stream to view the reassembled payload as ASCII text.
    wireshark capture.pcap

    Wireshark is the industry-standard network packet analyzer. It can open .pcap (packet capture) files recorded by tools like tcpdump, Wireshark itself, or network taps. A pcap file stores every packet seen on a network interface at a given time, including all Ethernet frames, IP headers, and application payloads.

    Display filters in Wireshark let you narrow millions of packets to only what matters. The filter udp.stream eq 6 works because Wireshark automatically assigns each unique UDP "conversation" (same source IP:port and destination IP:port pair) a stream index. Stream 6 isolates one particular back-and-forth exchange. Common display filter patterns include:

    • tcp.stream eq N -- isolate a single TCP connection
    • http -- show only HTTP traffic
    • ip.addr == 192.168.1.1 -- filter by IP address
    • dns -- show only DNS queries and responses

    Follow Stream (right-click any packet in a stream) reassembles all the payload bytes in order and displays them as text or hex -- exactly as the application layer saw them. For UDP this is especially useful because UDP is connectionless, so Wireshark reconstructs the conversation purely by matching IP/port tuples. In CTF challenges, the flag is often sent in plaintext across a specific stream, making this one of the most common forensics techniques used.

  2. Step 2: Read the flag from the stream
    The Follow UDP Stream dialog displays the raw payload as text. The flag appears directly in the stream output.

    UDP (User Datagram Protocol) is a connectionless transport protocol -- unlike TCP, there is no handshake, no guaranteed delivery, and no ordering. Each UDP datagram is independent. Despite this, Wireshark can still group related datagrams into a "stream" by tracking which packets share the same 4-tuple (source IP, source port, destination IP, destination port).

    Because UDP has no built-in encryption or authentication, any data sent over it is fully visible in a packet capture. This is why protocols like DNS (historically), TFTP, and many game network protocols have been vulnerable to eavesdropping -- all traffic is readable by anyone on the same network segment or with access to a tap.

    In real-world forensics and incident response, analysts use pcap analysis to reconstruct what happened during an attack or data exfiltration. Tools like tshark (the command-line version of Wireshark) allow scripted analysis: tshark -r capture.pcap -Y "udp.stream eq 6" -T fields -e data.text extracts payload text without opening a GUI.
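    The conversation grouping described above, as an added example that is not part of the original writeup: a minimal pcap reader in Python that assigns udp.stream-style indices to each unordered (IP, port) endpoint pair in order of first appearance and concatenates every stream's payload, the way Follow UDP Stream does. The capture it reads is constructed in memory (three datagrams, two conversations), not the challenge file, and the frame builder skips IP/UDP checksums since the parser never verifies them.

```python
import struct
from collections import OrderedDict


def build_udp_frame(src_ip, sport, dst_ip, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame; checksums are left zero."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)            # EtherType IPv4
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return eth + ip + udp + payload


def build_pcap(frames):
    """Classic little-endian pcap: magic, v2.4, tz 0, sigfigs 0, snaplen, linktype 1."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


def udp_streams(pcap_bytes):
    """Return payloads per UDP conversation, indexed like Wireshark's udp.stream.

    Both directions share one index because the key is the unordered endpoint pair."""
    if struct.unpack("<I", pcap_bytes[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    streams = OrderedDict()
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                                 # not IPv4 over Ethernet, or not UDP
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        udp = frame[14 + ihl:]
        sport, dport, ulen = struct.unpack("!HHH", udp[:6])
        key = frozenset({(src, sport), (dst, dport)})
        streams[key] = streams.get(key, b"") + udp[8:ulen]
    return list(streams.values())


def demo():
    """Constructed capture: one conversation interleaved with another; stream 0 carries the sample flag."""
    frames = [build_udp_frame("10.0.0.1", 40000, "10.0.0.2", 5555, b"FLAG{"),
              build_udp_frame("10.0.0.3", 1234, "10.0.0.4", 53, b"noise"),
              build_udp_frame("10.0.0.2", 5555, "10.0.0.1", 40000, b"constructed}")]
    return udp_streams(build_pcap(frames))
```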

Flag

picoCTF{...}

UDP streams in Wireshark can be followed just like TCP streams -- filtering to a specific stream number isolates one conversation's data.
