Description
A quick win: the PCAP file contains the picoCTF flag as plain ASCII. Running strings or inspecting in Wireshark immediately exposes it.
Run `strings` on the PCAP to view printable data.
The eighth line already shows the flag; optionally use sed/tr to isolate it.
`strings network-dump.flag.pcap | sed -n '8p'`
`strings network-dump.flag.pcap | sed -n '8p' | tr -d ' '`
Solution
- Step 1: Use `strings`. This capture isn't even obfuscated. The entire flag sits inside the capture file as ASCII, so `strings` prints it right away.
Learn more
PCAP (Packet CAPture) files store raw network traffic recorded by tools like Wireshark, tcpdump, or tshark. The format stores each packet with a timestamp and the full byte content of the captured frame, including headers at every network layer (Ethernet, IP, TCP/UDP, application protocol). Any unencrypted payload transmitted over the network is present verbatim in the file.
`strings` scans a binary file and outputs any sequence of printable ASCII characters that meets a minimum length threshold (4 by default). It doesn't understand packet structure - it just finds readable text wherever it appears in the raw bytes. This makes it a fast first pass for PCAP files: if anything interesting was sent in plaintext, `strings` will show it without needing to understand the protocol.

The broader lesson is that any data transmitted over an unencrypted network channel is visible to any party who can capture traffic on that path - whether that's the ISP, a coffee shop router, or another host on the same network segment. This is why TLS (Transport Layer Security) is essential for any sensitive communication, and why protocols like HTTP, FTP, and Telnet have been superseded by HTTPS, SFTP, and SSH respectively.
- Step 2: Clean the output. Pipe to `sed -n '8p'` and use `tr -d ' '` to remove spaces if necessary.
Learn more
When `strings` extracts text from a binary file, it sometimes includes surrounding whitespace or splits content across multiple output lines depending on how the bytes are laid out. The `sed -n '8p'` step selects exactly the eighth line of output (which contains the flag in this file), and `tr -d ' '` removes any embedded spaces that might have been inserted due to packet boundaries or file structure.

For more structured PCAP analysis, Wireshark is the industry standard. Its "Follow TCP Stream" feature (right-click any TCP packet → Follow → TCP Stream) reconstructs the full conversation in human-readable form. tshark is the command-line equivalent: `tshark -r file.pcap -q -z follow,tcp,ascii,0` prints the first TCP stream as ASCII text. These tools understand protocol structure and can filter, reassemble, and decode specific sessions far more precisely than raw `strings`.

This challenge is the first of several in picoCTF that involve PCAP analysis. As the challenges progress, traffic becomes encrypted, protocols become more complex, and simple `strings` stops being sufficient - building toward skills in protocol dissection and traffic analysis that are directly applicable to network forensics and incident response work.
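As an added example (not code from the original writeup or from picoCTF), the script below ties Step 1 and Step 2 together: it parses the classic pcap layout described above (24-byte global header, 16-byte record headers), runs the same printable-run scan that `strings` does but attributes every hit to the packet and timestamp it came from, and then reassembles the TCP payloads so a string that was split across a packet boundary (the reason the `sed`/`tr` cleanup is needed at all) is matched whole. The capture bytes are constructed inside the script with zeroed checksums and a made-up placeholder flag; every function name is the example's own and the dissector assumes plain Ethernet/IPv4/TCP with no VLAN tags, fragments or sequence reordering.

```python
import re
import struct

# Classic libpcap layout (not pcapng):
#   global header (24 bytes): magic(4) ver_major(2) ver_minor(2) thiszone(4) sigfigs(4) snaplen(4) linktype(4)
#   each record (16 bytes):   ts_sec(4) ts_frac(4) incl_len(4) orig_len(4), then incl_len bytes of frame
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # 0xA1B2C3D4 written little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # same magic written big-endian
    b"\x4d\x3c\xb2\xa1": "<",  # 0xA1B23C4D little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # same, big-endian
}


def parse_pcap(data):
    """Return [(ts_sec, ts_frac, frame_bytes), ...] for every record, validating lengths as it goes."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("truncated global header")
    endian = MAGICS.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    snaplen = struct.unpack(endian + "I", data[16:20])[0]
    records, off = [], GLOBAL_HDR_LEN
    while off + RECORD_HDR_LEN <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + RECORD_HDR_LEN])
        off += RECORD_HDR_LEN
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("record at offset %d is truncated or exceeds snaplen" % (off - RECORD_HDR_LEN))
        records.append((ts_sec, ts_frac, data[off:off + incl_len]))
        off += incl_len
    return records


def printable_runs(buf, min_len=4):
    """What `strings -n min_len` does: every run of printable ASCII at least min_len long."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, buf)]


def strings_per_packet(data, min_len=4):
    """Like strings, but attributes each run to the packet (index, timestamp) it came from."""
    out = []
    for i, (ts_sec, ts_frac, frame) in enumerate(parse_pcap(data)):
        runs = printable_runs(frame, min_len)
        if runs:
            out.append((i, ts_sec, ts_frac, runs))
    return out


def tcp_payload(frame):
    """TCP payload of an Ethernet/IPv4/TCP frame, or None for anything else.
    Minimal dissection: assumes linktype Ethernet, no VLAN tag, no IP fragmentation."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 6:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    return tcp[(tcp[12] >> 4) * 4:]


def find_flags(data, pattern=rb"picoCTF\{[^}]*\}"):
    """Search the reassembled TCP payload (capture order, no seq reordering) so a flag that
    was split over a packet boundary is still matched as one string."""
    stream = b"".join(p for p in (tcp_payload(f) for _, _, f in parse_pcap(data)) if p)
    return [m.group().decode("ascii") for m in re.finditer(pattern, stream)]


# --- constructed sample capture (not the challenge file) ---------------------------------
def build_frame(payload):
    """Ethernet/IPv4/TCP frame with zeroed checksums; enough for parsing, not for sending."""
    eth = b"\x00\x0c\x29\x01\x02\x03" + b"\x00\x50\x56\x04\x05\x06" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 512, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(payloads):
    """Little-endian classic pcap, linktype 1 (Ethernet), one record per payload."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, payload in enumerate(payloads):
        frame = build_frame(payload)
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


# The flag value here is a made-up placeholder, deliberately split across two packets.
SAMPLE_PCAP = build_pcap([
    b"GET /secret HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nflag: picoCTF{constructed_",
    b"example_flag}\n",
])

if __name__ == "__main__":
    for idx, ts_sec, ts_frac, runs in strings_per_packet(SAMPLE_PCAP):
        print("packet %d @ %d.%06d: %s" % (idx, ts_sec, ts_frac, runs))
    print("flags in reassembled stream:", find_flags(SAMPLE_PCAP))
```

Run as-is it reports the HTTP request and response text per packet and then the whole placeholder flag from the reassembled stream, whereas a raw `strings` pass over the same bytes shows the two halves on separate lines because a record header sits between them; for a real capture, `parse_pcap(open("file.pcap", "rb").read())` replaces `SAMPLE_PCAP`. The length checks in `parse_pcap` are there so a truncated or oversized record raises instead of silently yielding garbage, which matters more when the file came from an untrusted source than in a CTF.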
Flag
picoCTF{p4ck37_5h4rk_01b0...}
Not every packet analysis task requires Wireshark; sometimes `strings` is enough.