shark on wire 2 picoCTF 2019 Solution

Published: April 2, 2026

Description

Find what is being sent across the network. The flag is encoded in the UDP destination port numbers sent by a specific host.

Download the pcap file and open it in Wireshark.

  1. Step 1: Isolate UDP traffic from the relevant source host
    Open the pcap in Wireshark. Filter for UDP traffic and look at the destination port numbers. One source IP (e.g., 10.0.0.66) sends many UDP packets whose destination ports share the same leading digits while the last three digits change from packet to packet. Filter by that source address with 'ip.src == <source_ip>'.
    bash
    wireshark capture.pcap
    # In the Wireshark filter bar: ip.src == <source_ip> && udp

    Network covert channels encode data in protocol fields that are normally ignored. UDP destination port numbers are freely chosen by the sender in the high-port range (1024-65535). Using them as a covert channel produces traffic that looks like normal application chatter to a basic traffic monitor.

  2. Step 2: Read the ASCII values from the destination port numbers
    Sort the filtered packets by time. Read the last three digits of each UDP destination port number in order; each value is an ASCII character code. Extract the port numbers with tshark and process them in Python.
    bash
    tshark -r capture.pcap -Y 'udp && ip.src == <source_ip>' -T fields -e udp.dstport

    Look for start and stop markers in the packet sequence (e.g., a packet carrying a marker such as 'start', or a distinctive marker port). The characters decoded from the packets between the start and end markers spell the flag.

  3. Step 3: Assemble the flag from the port number sequence
    Convert each relevant port number's value (or its last three digits) to the corresponding ASCII character. Concatenate them in packet order.
    bash
    python3 << 'EOF'
    # Paste the full list of port numbers from the tshark output here, in packet order
    ports = [1112, 1105, 1099, 1111, 1067, 1084, 1070]  # example values only; they decode to "picoCTF"
    
    flag = ''
    for p in ports:
        code = p % 1000  # last three digits of the port number
        if 32 <= code <= 126:  # keep only printable ASCII; other ports are noise
            flag += chr(code)
    print(flag)
    EOF

    This covert channel is difficult to detect with basic network monitoring because packet sizes and frequencies look normal. The data is hidden in the port number field rather than the payload - tools that only inspect payloads for signatures would miss it entirely.
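The three steps above, run end to end over tshark field output, together with the defender-side observation in the paragraphs about detection. This is an added example for this writeup, not the author's own script: it assumes the input is the tab-separated output of `tshark -r capture.pcap -Y udp -T fields -e ip.src -e udp.dstport`, and the addresses, port numbers and hidden text in the sample are constructed for the example rather than taken from the challenge capture. Because the page gives no marker port, the decoder uses the flag format itself (`picoCTF{...}`) as the start/stop marker; `suspicious_hosts` is a simple detection heuristic that flags sources whose UDP destination ports mostly decode to printable ASCII.

```python
"""Decode a covert channel hidden in UDP destination ports, and score hosts for it.

Added example; not code from the original writeup. Input format assumed:
    tshark -r capture.pcap -Y udp -T fields -e ip.src -e udp.dstport
which prints one packet per line as "<ip.src>\t<udp.dstport>" in capture order.
"""
from collections import defaultdict
import re

# Constructed sample in that format. Hosts, ports and the hidden text are
# invented for this example; they are not values from the challenge pcap.
# 10.0.0.66 sends ports 5xxx whose last three digits spell a flag;
# 10.0.0.12 sends a little ordinary-looking traffic (DNS, NTP, mDNS, SSDP).
SAMPLE_TSHARK_OUTPUT = """\
10.0.0.12\t53
10.0.0.66\t5400
10.0.0.12\t123
10.0.0.66\t1900
10.0.0.66\t5112
10.0.0.66\t5105
10.0.0.66\t5099
10.0.0.12\t5353
10.0.0.66\t5111
10.0.0.66\t5067
10.0.0.66\t5084
10.0.0.66\t5070
10.0.0.66\t5123
10.0.0.66\t5117
10.0.0.66\t5100
10.0.0.66\t5112
10.0.0.12\t1900
10.0.0.66\t5095
10.0.0.66\t5112
10.0.0.66\t5048
10.0.0.66\t5114
10.0.0.66\t5116
10.0.0.66\t5115
10.0.0.66\t5125
"""

# The flag format acts as the start/stop marker for the decoded stream.
FLAG_RE = re.compile(r"picoCTF\{[^}]*\}")


def parse_tshark_fields(text):
    """Yield (src_ip, dst_port) in packet order, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 2 or not parts[1].isdigit():
            continue
        yield parts[0], int(parts[1])


def port_to_char(port):
    """Last three digits of the port as an ASCII character, or None if unprintable."""
    code = port % 1000
    return chr(code) if 32 <= code <= 126 else None


def decode_host(text, src_ip):
    """Concatenate the printable characters carried by src_ip's destination ports."""
    chars = []
    for src, port in parse_tshark_fields(text):
        if src != src_ip:
            continue
        c = port_to_char(port)
        if c is not None:
            chars.append(c)
    return "".join(chars)


def extract_flag(decoded):
    """Return the first picoCTF{...} substring in the decoded stream, or None."""
    m = FLAG_RE.search(decoded)
    return m.group(0) if m else None


def suspicious_hosts(text, min_packets=10, threshold=0.8):
    """Defender-side heuristic: sources whose UDP dst ports mostly decode to printable ASCII.

    Returns {src_ip: printable_ratio} for hosts with at least min_packets UDP packets
    whose printable ratio reaches threshold. Normal hosts spread their destination
    ports over service ports and random ephemeral values, so their ratio stays low.
    """
    counts = defaultdict(lambda: [0, 0])  # src -> [printable, total]
    for src, port in parse_tshark_fields(text):
        counts[src][1] += 1
        if port_to_char(port) is not None:
            counts[src][0] += 1
    return {
        src: printable / total
        for src, (printable, total) in counts.items()
        if total >= min_packets and printable / total >= threshold
    }


if __name__ == "__main__":
    for host, ratio in suspicious_hosts(SAMPLE_TSHARK_OUTPUT).items():
        decoded = decode_host(SAMPLE_TSHARK_OUTPUT, host)
        print(f"{host}: {ratio:.0%} of UDP destination ports decode to printable ASCII")
        print("decoded stream:", decoded)
        print("flag:", extract_flag(decoded))
```

On the sample, only 10.0.0.66 is flagged (18 of its 20 ports are printable), and its decoded stream contains the constructed flag; 10.0.0.12 decodes to two stray characters ('5' from port 53 and '{' from port 123), which is why the decoder anchors on the flag format instead of trusting every printable value. To run it on a real capture, replace SAMPLE_TSHARK_OUTPUT with the tshark command's output.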

Flag

picoCTF{...}

The flag is encoded in the UDP destination port numbers - extract port numbers from the relevant source host and convert each to its ASCII character.
