Description
We found this packet capture. Recover the flag. Download capture.pcap.
Setup
Download capture.pcap from the challenge page.
Open the file in Wireshark.
Solution
Step 1
Filter to the relevant UDP stream
Observation
I noticed the challenge provided a raw packet capture (capture.pcap) with no other hints, which suggested using Wireshark's Follow Stream feature on UDP traffic to find the flag hidden inside a specific conversation.
Apply the Wireshark display filter 'udp.stream eq 6' to isolate the stream carrying the flag. Then right-click any packet in that stream and select Follow > UDP Stream to view the reassembled payload as ASCII text.
Command:
wireshark capture.pcap
What didn't work first
Tried: Follow TCP Stream instead of UDP Stream after filtering for all traffic
The flag is carried over UDP, not TCP. Following a TCP stream shows HTTP or other TCP payloads but never the flag data. The filter 'udp.stream eq 6' is necessary to isolate the correct connectionless datagram conversation before using Follow > UDP Stream.
Tried: Try stream numbers other than 6 (such as stream 0, 1, or 2) hoping the flag is in the first conversation
Wireshark assigns stream indices, starting at 0, in the order it first sees each unique conversation (a bidirectional IP:port 4-tuple), so the first stream is rarely the interesting one in a crafted CTF capture. Stream 6 specifically contains the flag conversation. When the correct index is not known in advance, either step through 'udp.stream eq N' for increasing N, or open Statistics > Conversations and use the UDP tab, which lists every conversation with its packet and byte counts so the odd one out can be spotted at a glance.
Learn more
Wireshark is the industry-standard network packet analyzer. It can open .pcap (packet capture) files recorded by tools like tcpdump, Wireshark itself, or network taps. A pcap file stores every packet seen on a network interface during the capture, including Ethernet frames, IP headers, and application payloads (as long as the capture's snapshot length did not truncate them).
Display filters in Wireshark let you narrow millions of packets to only what matters. The filter udp.stream eq 6 works because Wireshark automatically assigns each unique UDP conversation (the same pair of IP:port endpoints, regardless of which side sent a given datagram) a stream index, numbered in the order each conversation is first seen. Stream 6 isolates one particular back-and-forth exchange. Common display filter patterns include:
- tcp.stream eq N - isolate a single TCP connection
- http - show only HTTP traffic
- ip.addr == 192.168.1.1 - filter by IP address (matches it as either source or destination)
- dns - show only DNS queries and responses
Follow Stream (right-click any packet in a stream) reassembles all the payload bytes and displays them as text or hex, with each direction shown in its own colour. For TCP the bytes are put back in sequence-number order, so you see what the application layer saw. For UDP there are no sequence numbers, so Wireshark reconstructs the conversation purely by matching IP/port tuples and shows the datagrams in capture order; a reordered or dropped datagram will show up as-is. In CTF challenges, the flag is often sent in plaintext across a specific stream, making this one of the most common forensics techniques used.
Step 2
Read the flag from the stream
Observation
I noticed that once the UDP stream was isolated using 'udp.stream eq 6', the Follow UDP Stream dialog reassembles all payload bytes in order, which meant the plaintext flag would appear directly in the output without any additional decoding.
The Follow UDP Stream dialog displays the raw payload as text. The flag appears directly in the stream output.
Learn more
UDP (User Datagram Protocol) is a connectionless transport protocol - unlike TCP, there is no handshake, no guaranteed delivery, and no ordering. Each UDP datagram is independent. Despite this, Wireshark can still group related datagrams into a "stream" by tracking which packets share the same 4-tuple (source IP, source port, destination IP, destination port).
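To make the stream-numbering rule and the Follow > UDP Stream reassembly concrete, the following is an added example, not code from the original walkthrough and not Wireshark's own implementation. It parses a classic pcap file (Ethernet/IPv4/UDP only), numbers conversations by first appearance using a direction-independent 4-tuple key, and concatenates each stream's payloads. The capture it reads is constructed inline; the addresses, ports and flag text are invented for illustration and are not the challenge's data.

```python
"""Re-implementation of Wireshark's udp.stream index and Follow > UDP Stream.

Added example (not from the original walkthrough). Handles classic pcap
(magic 0xa1b2c3d4 in either byte order) with Ethernet/IPv4/UDP frames.
The sample capture below is constructed in memory with made-up data.
"""
import struct
from collections import OrderedDict

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def build_udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Construct an Ethernet/IPv4/UDP frame (checksums left at zero; parsers ignore them)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split("."))) + udp
    eth = b"\x00" * 6 + b"\x11" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip


def build_pcap(frames):
    """Wrap frames in a little-endian pcap global header plus per-record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        # ts_sec, ts_usec, incl_len, orig_len (timestamps are arbitrary here)
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap_frames(data):
    """Yield raw link-layer frames from pcap bytes, detecting the file's byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_udp(frame):
    """Return (src_ip, sport, dst_ip, dport, payload), or None if not IPv4/UDP."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_UDP:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    udp = ip[ihl:total_len]
    sport, dport, udp_len = struct.unpack("!HHH", udp[:6])
    return src, sport, dst, dport, udp[8:udp_len]


def udp_streams(pcap_bytes):
    """Group datagrams into streams numbered in first-seen order, like udp.stream.

    The key sorts the two endpoints, so a reply (B:pb -> A:pa) lands in the same
    stream as the request (A:pa -> B:pb) that opened it.
    """
    streams = OrderedDict()
    for frame in iter_pcap_frames(pcap_bytes):
        parsed = parse_udp(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, payload = parsed
        key = tuple(sorted([(src, sport), (dst, dport)]))
        streams.setdefault(key, []).append(payload)
    return list(streams.values())


def follow_udp_stream(pcap_bytes, index):
    """Equivalent of Follow > UDP Stream: one stream's payload bytes in capture order."""
    return b"".join(udp_streams(pcap_bytes)[index])


# Constructed capture: a DNS-like exchange first, then a second conversation that
# carries a made-up flag. Addresses, ports and text are invented for the example.
SAMPLE_PCAP = build_pcap([
    build_udp_frame("10.0.0.5", "10.0.0.53", 40001, 53, b"query"),
    build_udp_frame("10.0.0.53", "10.0.0.5", 53, 40001, b"answer"),
    build_udp_frame("10.0.0.5", "10.0.0.9", 40002, 9999, b"hello "),
    build_udp_frame("10.0.0.9", "10.0.0.5", 9999, 40002, b"flag{example}"),
])

if __name__ == "__main__":
    for i, chunks in enumerate(udp_streams(SAMPLE_PCAP)):
        print(f"udp.stream eq {i}: {len(chunks)} datagrams")
    print(follow_udp_stream(SAMPLE_PCAP, 1).decode())
```

Point the parser at a real file with `udp_streams(open("capture.pcap", "rb").read())` and the index of each list entry matches the number you would type after `udp.stream eq` in Wireshark, because both number conversations in first-seen order. Note the deliberate limitation in the lead-in: the reply direction only joins the same stream because the key sorts the endpoints; a naive key built from (src, sport, dst, dport) as sent would split every conversation in two.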
Because UDP itself provides no encryption or authentication, anything an application sends over it without its own protection is fully visible in a packet capture. This is why plain DNS (before DNS over TLS/HTTPS), TFTP, and many game network protocols are readable by anyone on the same network segment or with access to a tap, and it is exactly why the flag in this challenge can be lifted straight out of the stream.
In real-world forensics and incident response, analysts use pcap analysis to reconstruct what happened during an attack or data exfiltration. Tools like tshark (the command-line version of Wireshark) allow scripted analysis: tshark -r capture.pcap -Y "udp.stream eq 6" -o data.show_as_text:TRUE -T fields -e data.text prints the payload of each datagram in the stream as text without opening a GUI. The data.text field is only populated when that preference is switched on; without it, use -e data.data and you get the payload as hex instead. tshark's -z follow,udp,ascii,6 option (run with -q) reproduces the output of the GUI Follow dialog for the same stream.
Flag
picoCTF{StaT31355_636f6e6e}
UDP streams in Wireshark can be followed just like TCP streams: Wireshark groups datagrams into conversations by their IP:port 4-tuple, and filtering to a specific stream number isolates one conversation's data.