Packets Primer picoCTF 2022 Solution

Published: July 20, 2023

Description

A quick win: the PCAP file contains the picoCTF flag as plain ASCII. Running strings or inspecting in Wireshark immediately exposes it.

Run strings on the PCAP to view printable data.

Inspect the first lines; the flag sits on the eighth line surrounded by a few HTTP headers and other ASCII fragments.

Pipe through sed -n '8p' to isolate that line, then strip stray spaces with tr -d ' ' if needed.

$ strings network-dump.flag.pcap | head
$ strings network-dump.flag.pcap | sed -n '8p'
$ strings network-dump.flag.pcap | sed -n '8p' | tr -d ' '
$ strings network-dump.flag.pcap | grep -oE 'picoCTF\{[^}]+\}'

  1. Step 1: Use strings
    This capture isn't even obfuscated. Running strings prints the readable ASCII inside the file, including the flag.

    PCAP (Packet CAPture) files store raw network traffic recorded by tools like Wireshark, tcpdump, or tshark. The format stores each packet with a timestamp and the full byte content of the captured frame, including headers at every network layer (Ethernet, IP, TCP/UDP, application protocol). Any unencrypted payload transmitted over the network is present verbatim in the file.

    strings scans a binary file and outputs any sequence of printable ASCII characters that meets a minimum length threshold (4 by default). It doesn't understand packet structure - it just finds readable text wherever it appears in the raw bytes. This makes it a fast first pass for PCAP files: if anything interesting was sent in plaintext, strings will show it without needing to understand the protocol.

    The broader lesson is that any data transmitted over an unencrypted network channel is visible to any party who can capture traffic on that path - whether that's the ISP, a coffee shop router, or another host on the same network segment. This is why TLS (Transport Layer Security) is essential for any sensitive communication, and why protocols like HTTP, FTP, and Telnet have been superseded by HTTPS, SFTP, and SSH respectively.

  2. Step 2: Clean the output
    The first ten or so strings lines are a mix of HTTP headers and ASCII noise; the flag is the eighth line. sed -n '8p' prints just that line, and tr -d ' ' removes any embedded spaces.

    A typical head of the output looks like this:

    Linux 5.4.0
    GET /index.html HTTP/1.1
    Host: 10.0.0.5
    User-Agent: curl/7.81.0
    Accept: */*
    HTTP/1.1 200 OK
    Content-Type: text/plain
    picoCTF{p4ck37_5h4rk_01b0a3a4}
    Content-Length: 31
    Connection: close

    Verify the result matches the picoCTF flag shape before submitting:

    $ FLAG=$(strings network-dump.flag.pcap | sed -n '8p' | tr -d ' ')
    $ [[ "$FLAG" =~ ^picoCTF\{.+\}$ ]] && echo "ok: $FLAG" || echo "no match"
    ok: picoCTF{p4ck37_5h4rk_01b0a3a4}

    When strings extracts text from a binary file, it sometimes includes surrounding whitespace or splits content across multiple output lines depending on how the bytes are laid out. The sed -n '8p' step selects exactly the eighth line of output (which contains the flag in this file), and tr -d ' ' removes any embedded spaces that might have been inserted due to packet boundaries or file structure.

    For more structured PCAP analysis, Wireshark is the industry standard. Its "Follow TCP Stream" feature (right-click any TCP packet → Follow → TCP Stream) reconstructs the full conversation in human-readable form. tshark is the command-line equivalent: tshark -r file.pcap -q -z follow,tcp,ascii,0 prints the first TCP stream as ASCII text. These tools understand protocol structure and can filter, reassemble, and decode specific sessions far more precisely than raw strings.

    This challenge is the first of several in picoCTF that involve PCAP analysis. As the challenges progress, traffic becomes encrypted, protocols become more complex, and simple strings stops being sufficient - building toward skills in protocol dissection and traffic analysis that are directly applicable to network forensics and incident response work.
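
The two steps above (walk the PCAP records, then pull printable text out of them and isolate the flag) can be done without relying on the flag happening to land on line eight. The script below is an added example, not part of the original writeup or of picoCTF; it builds a constructed sample capture with a made-up flag value, parses the classic pcap record headers itself, strips the Ethernet/IPv4/TCP headers, and searches the reassembled payload, so a flag that strings would show split across two packets is still found whole.

```python
import re
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap magic as written by a little-endian host

def build_sample_pcap(payloads):
    """Constructed sample for this example: one Ethernet/IPv4/TCP frame per
    payload chunk. Checksums stay zero; this is a parsing demo, not wire-valid."""
    frames = b""
    for seq, payload in enumerate(payloads):
        eth = b"\x00" * 12 + b"\x08\x00"                      # zero MACs, EtherType IPv4
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0,
                         64, 6, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
        tcp = struct.pack("!HHIIBBHHH", 80, 40000, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
        frame = eth + ip + tcp + payload
        frames += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1) + frames

def iter_packets(data):
    """Walk the 16-byte record headers after the 24-byte global header, yielding raw frames."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is a different format)")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def tcp_payload(frame):
    """Strip Ethernet, IPv4 and TCP headers, honouring IHL and the TCP data offset."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return b""                                             # not IPv4/TCP: nothing to reassemble
    ihl = (frame[14] & 0x0F) * 4
    tcp_off = 14 + ihl
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return frame[tcp_off + data_off:]

def printable_runs(blob, min_len=4):
    """What strings(1) does: runs of printable ASCII at least min_len long."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

def find_flags(pcap, pattern=r"picoCTF\{[^}]+\}"):
    """Join TCP payloads in capture order, then search like the grep step does;
    unlike strings on the raw file, this finds a flag split across two segments."""
    stream = b"".join(tcp_payload(f) for f in iter_packets(pcap))
    return [m for s in printable_runs(stream) for m in re.findall(pattern, s)]
```

Run against a real capture with `find_flags(open("network-dump.flag.pcap", "rb").read())`; only the classic pcap container is handled, so a pcapng file needs converting first.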

Flag

picoCTF{p4ck37_5h4rk_01b0...}

Site policy redacts the trailing characters; the full token comes straight from the eighth strings line. Not every packet analysis task requires Wireshark: here strings alone was enough.
