Wireshark doo dooo do doo... picoCTF 2021 Solution

Published: April 2, 2026

Description

Analyze shark1.pcapng to find the flag.

Download shark1.pcapng.

```bash
wget <url>/shark1.pcapng
```
  1. Step 1: Find the right TCP stream
    Open shark1.pcapng in Wireshark. Filter to narrow the search before scrolling: by DNS hostname (dns.qry.name contains "..."), by HTTP host, or by raw text content. Then sort streams by length and follow the longest.
    ```bash
    wireshark shark1.pcapng
    # In the filter bar, try one of (display-filter strings take double quotes):
    #   dns.qry.name contains "example"
    #   tcp contains "flag"
    #   http
    ```

    Wireshark is the standard packet analyzer. A .pcapng file stores captured packets with metadata. Right-click any packet and choose Follow > TCP Stream to reassemble the bidirectional conversation.

    How to identify stream 5 specifically. Streams are numbered from 0 in order of first appearance. To pick the right one without checking each by hand:

    • Statistics > Conversations > TCP sorts by bytes per stream. The longest few are usually the interesting ones.
    • Filter with tcp.stream eq 5 once you suspect a number, or filter by content first (tcp contains "Gur synt") and read which stream the matched packet belongs to.
    • tshark can dump every stream programmatically: for i in $(seq 0 20); do tshark -r shark1.pcapng -q -z follow,tcp,ascii,$i; done.

    See Wireshark for CTF for the full filter cheat sheet.

  2. Step 2: Decode the ROT13-encoded flag
    The TCP stream contains: 'Gur synt vf cvpbPGS{p33xno00_1_f33_h_qrnqorrs}'. Apply ROT13 to the letters; digits and underscores pass through unchanged.
    ```bash
    echo "Gur synt vf cvpbPGS{p33xno00_1_f33_h_qrnqorrs}" | tr 'A-Za-z' 'N-ZA-Mn-za-m'
    ```

    Worked example. ROT13 shifts each letter by 13 positions, wrapping within case. Non-letters (digits, punctuation, underscores) pass through untouched. So p33xno00 decodes letter-by-letter:

    p -> c   (p is the 16th letter, +13 = 29 -> wrap = 3rd letter = c)
    3 -> 3   (digit, unchanged)
    3 -> 3
    x -> k
    n -> a
    o -> b
    0 -> 0   (digit, unchanged)
    0 -> 0

    So p33xno00 -> c33kab00. The tr 'A-Za-z' 'N-ZA-Mn-za-m' pattern handles only alphabetic characters, which is exactly the right semantics: digits and underscores stay put.
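Both steps automated, as an added example that is not part of the original writeup: the stream texts below are a constructed stand-in for what Follow > TCP Stream or the tshark loop returns, and each stream is searched both as captured and after ROT13. That second pass is why a plain tcp contains "flag" filter misses this capture while tcp contains "synt" (ROT13 of "flag") would hit.

```python
import re
import string

# Constructed sample payloads keyed by Wireshark's tcp.stream number.
# Stream 5 carries the text quoted in the writeup; the others are filler
# standing in for the ordinary traffic that surrounds it in a capture.
SAMPLE_STREAMS = {
    0: "GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    1: "220 ftp ready\r\nUSER anonymous\r\n331 Please specify the password.\r\n",
    5: "Gur synt vf cvpbPGS{p33xno00_1_f33_h_qrnqorrs}\n",
    7: "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello",
}

# picoCTF flag format. ROT13 never touches '{', '}', digits or '_', so the
# braces survive encoding and the same regex works on decoded text.
FLAG_RE = re.compile(r"picoCTF\{[^}]*\}")

_UPPER = string.ascii_uppercase
_LOWER = string.ascii_lowercase
# Same mapping as tr 'A-Za-z' 'N-ZA-Mn-za-m': rotate each case by 13.
_ROT13 = str.maketrans(
    _UPPER + _LOWER,
    _UPPER[13:] + _UPPER[:13] + _LOWER[13:] + _LOWER[:13],
)


def rot13(text):
    """Shift letters by 13 within their case; everything else passes through."""
    return text.translate(_ROT13)


def find_flag(streams):
    """Scan streams in tcp.stream order; return (stream_id, flag, was_encoded).

    Each stream is checked as captured and after ROT13, so a flag stored
    plainly and one stored ROT13-encoded are both found. Returns None when
    no stream matches.
    """
    for sid in sorted(streams):
        raw = streams[sid]
        for encoded, text in ((False, raw), (True, rot13(raw))):
            match = FLAG_RE.search(text)
            if match:
                return sid, match.group(0), encoded
    return None


if __name__ == "__main__":
    print(find_flag(SAMPLE_STREAMS))
```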

Alternate Solution

Once you extract the ROT13 text from the TCP stream, decode it instantly with the ROT / Caesar Cipher tool. Paste the text, set the shift to 13, and the flag appears with no shell command needed.

Flag

picoCTF{...}

Following individual TCP streams isolates one connection's application-layer data. Here the flag was ROT13-encoded within the stream.
