shark on wire 1 picoCTF 2019 Solution

Published: April 2, 2026

Description

We found this packet capture. Recover the flag. Download capture.pcap.

Download capture.pcap from the challenge page.

Open the file in Wireshark.

Solution

The Networking Tools for CTF Challenges guide covers Wireshark and tshark (used here for pcap analysis) alongside netcat, curl, and nmap.
  1. Step 1: Filter to the relevant UDP stream
    Observation
    I noticed the challenge provided a raw packet capture (capture.pcap) with no other hints, which suggested using Wireshark's Follow Stream feature on UDP traffic to find the flag hidden inside a specific conversation.
    Apply the Wireshark display filter 'udp.stream eq 6' to isolate the stream carrying the flag. Then right-click any packet in that stream and select Follow > UDP Stream to view the reassembled payload as ASCII text.
    Launch Wireshark on the capture (bash):
        wireshark capture.pcap
    What didn't work first

    Tried: Follow TCP Stream instead of UDP Stream after filtering for all traffic

    The flag is carried over UDP, not TCP. Following a TCP stream shows HTTP or other TCP payloads but never the flag data. The filter 'udp.stream eq 6' is necessary to isolate the correct connectionless datagram conversation before using Follow > UDP Stream.

    Tried: stream numbers other than 6 (such as stream 0, 1, or 2), hoping the flag was in the first conversation

    Wireshark assigns stream indices in the order it encounters each unique IP:port 4-tuple, so the first stream is rarely the interesting one in a crafted CTF capture. Stream 6 specifically contains the flag conversation. Checking streams sequentially via 'udp.stream eq N' is the reliable approach when the correct index is not known in advance.

    Learn more

    Wireshark is the industry-standard network packet analyzer. It can open .pcap (packet capture) files recorded by tools like tcpdump, Wireshark itself, or network taps. A pcap file stores every packet seen on a network interface at a given time, including all Ethernet frames, IP headers, and application payloads.

    Display filters in Wireshark let you narrow millions of packets to only what matters. The filter udp.stream eq 6 works because Wireshark automatically assigns each unique UDP "conversation" (same source IP:port and destination IP:port pair) a stream index. Stream 6 isolates one particular back-and-forth exchange. Common display filter patterns include:

    • tcp.stream eq N - isolate a single TCP connection
    • http - show only HTTP traffic
    • ip.addr == 192.168.1.1 - filter by IP address
    • dns - show only DNS queries and responses

    Follow Stream (right-click any packet in a stream) reassembles all the payload bytes in order and displays them as text or hex - exactly as the application layer saw them. For UDP this is especially useful because UDP is connectionless, so Wireshark reconstructs the conversation purely by matching IP/port tuples. In CTF challenges, the flag is often sent in plaintext across a specific stream, making this one of the most common forensics techniques used.

  2. Step 2: Read the flag from the stream
    Observation
    I noticed that once the UDP stream was isolated using 'udp.stream eq 6', the Follow UDP Stream dialog reassembles all payload bytes in order, which meant the plaintext flag would appear directly in the output without any additional decoding.
    The Follow UDP Stream dialog displays the raw payload as text. The flag appears directly in the stream output.
    Learn more

    UDP (User Datagram Protocol) is a connectionless transport protocol - unlike TCP, there is no handshake, no guaranteed delivery, and no ordering. Each UDP datagram is independent. Despite this, Wireshark can still group related datagrams into a "stream" by tracking which packets share the same 4-tuple (source IP, source port, destination IP, destination port).

    Because UDP has no built-in encryption or authentication, any data sent over it is fully visible in a packet capture. This is why protocols like DNS (historically), TFTP, and many game network protocols have been vulnerable to eavesdropping: all of their traffic is readable by anyone on the same network segment or with access to a tap.

    In real-world forensics and incident response, analysts use pcap analysis to reconstruct what happened during an attack or data exfiltration. Tools like tshark (the command-line version of Wireshark) allow scripted analysis: tshark -r capture.pcap -Y "udp.stream eq 6" -T fields -e data.text extracts payload text without opening a GUI.
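Added example, not code from the original writeup or from the picoCTF challenge files: a small parser that reproduces what the two steps above do by hand, reading a classic libpcap file, grouping UDP datagrams into direction-agnostic 4-tuple conversations numbered in first-seen order (Wireshark's udp.stream rule), and concatenating one stream's payloads the way Follow > UDP Stream does. The capture it runs on is constructed inline with a placeholder flag; the real capture.pcap is not embedded.

```python
import struct

def build_pcap(frames):
    """Constructed sample: wrap raw Ethernet frames in a little-endian libpcap file (linktype 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f  # ts_sec, ts_usec, incl, orig
    return out

def udp_frame(src, sport, dst, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame; checksums stay zero, which the parser never reads."""
    ip4 = lambda a: bytes(int(x) for x in a.split("."))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, ip4(src), ip4(dst))
    return bytes(12) + b"\x08\x00" + ip + udp

def udp_streams(pcap):
    """Group UDP datagrams into direction-agnostic conversations numbered in first-seen order,
    the same rule Wireshark uses for udp.stream. Returns [(key, [payloads...]), ...]."""
    end = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected an Ethernet (linktype 1) capture")
    streams, off = {}, 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue  # only IPv4 frames whose protocol field says UDP (17)
        u = 14 + (frame[14] & 0x0F) * 4  # Ethernet header + IHL words
        sport, dport, ulen = struct.unpack("!HHH", frame[u:u + 6])
        key = tuple(sorted([(frame[26:30], sport), (frame[30:34], dport)]))  # 4-tuple, either direction
        streams.setdefault(key, []).append(frame[u + 8:u + ulen])
    return list(streams.items())

def follow_udp_stream(pcap, index):
    """What 'udp.stream eq N' plus Follow > UDP Stream shows: payload bytes in capture order."""
    return b"".join(udp_streams(pcap)[index][1])

# Constructed capture: a two-way DNS-like exchange, a TFTP-like datagram, then a placeholder
# flag sent one byte per datagram, so only reassembling stream 2 makes it readable.
FLAG = b"picoCTF{constructed_sample}"
SAMPLE = build_pcap(
    [udp_frame("10.0.0.1", 5353, "10.0.0.2", 53, b"dns?"),
     udp_frame("10.0.0.2", 53, "10.0.0.1", 5353, b"dns!"),  # reply lands in the same stream
     udp_frame("10.0.0.3", 40000, "10.0.0.9", 69, b"tftp")]
    + [udp_frame("10.0.0.5", 22222, "10.0.0.6", 22, bytes([c])) for c in FLAG])

if __name__ == "__main__":
    for i, (key, chunks) in enumerate(udp_streams(SAMPLE)):
        print(i, key, follow_udp_stream(SAMPLE, i))
```

Feed follow_udp_stream the bytes of the real capture.pcap (the parser handles classic pcap, not pcapng) with index 6 to mirror the Wireshark steps above. The page's tshark one-liner prints data.text only when the data dissector's show-as-text preference is enabled (-o data.show_as_text:TRUE).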


Flag


picoCTF{StaT31355_636f6e6e}

UDP streams in Wireshark can be followed just like TCP streams - filtering to a specific stream number isolates one conversation's data.

Key takeaway

Network packet captures preserve every byte transmitted over cleartext protocols exactly as it crossed the wire, making passive eavesdropping trivial for anyone with access to a tap or the capture file. Wireshark and tshark let analysts reassemble multi-packet conversations and extract payloads from protocols like UDP, HTTP, FTP, and DNS offline, long after the session ends. This is why TLS everywhere matters in production: without transport encryption, credentials, files, and sensitive application data are fully readable to any network observer.
