Packets Primer

Published: July 20, 2023
Updated: December 9, 2025

Description

A quick win: the PCAP file contains the picoCTF flag as plain ASCII. Running `strings` on it or inspecting it in Wireshark immediately exposes the flag.

Run `strings` on the PCAP to view printable data.

The eighth line of the output already shows the flag; optionally use `sed` and `tr` to isolate it.

strings network-dump.flag.pcap | sed -n '8p'
strings network-dump.flag.pcap | sed -n '8p' | tr -d ' '

Solution

  1. Use strings
    This capture isn’t even obfuscated. The entire flag sits inside the capture file as ASCII, so `strings` prints it right away.
  2. Clean the output
    Pipe to `sed -n '8p'` and use `tr -d ' '` to remove spaces if necessary.
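
An added example (not part of the original write-up): a small Python parser for the classic pcap format that extracts printable runs per packet, so you can see which packet carries the plaintext, something `strings` alone does not report. The sample capture and its flag text are constructed, and the function names are hypothetical.

```python
import re
import struct

PCAP_MAGICS = {0xA1B2C3D4, 0xA1B23C4D}  # microsecond / nanosecond timestamps

def packet_strings(pcap: bytes, min_len: int = 4):
    """Yield (packet_number, text) for every printable ASCII run of at least
    min_len bytes, similar to `strings`, but tracked per packet record."""
    if len(pcap) < 24:
        raise ValueError("too short for a pcap global header")
    for endian in ("<", ">"):  # the magic number reveals the writer's byte order
        if struct.unpack(endian + "I", pcap[:4])[0] in PCAP_MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file (pcapng is a different format)")
    run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    offset, number = 24, 0  # records start after the 24-byte global header
    while offset + 16 <= len(pcap):
        _sec, _frac, incl_len, _orig = struct.unpack_from(endian + "IIII", pcap, offset)
        offset += 16
        data = pcap[offset:offset + incl_len]
        if len(data) < incl_len:
            break  # truncated final record
        offset += incl_len
        number += 1
        for match in run.finditer(data):
            yield number, match.group().decode("ascii")

def find_flag(pcap: bytes, prefix: str = "picoCTF"):
    """Return (packet_number, flag) after removing spaces, or None."""
    pattern = re.compile(re.escape(prefix) + r"\{[^}]*\}")
    for number, text in packet_strings(pcap):
        hit = pattern.search(text.replace(" ", ""))  # same effect as tr -d ' '
        if hit:
            return number, hit.group()
    return None

def build_sample() -> bytes:
    """Constructed two-packet capture (not the challenge file)."""
    payloads = [b"\x00\x01\x02GET\x00",
                b"\x00\x11p i c o C T F { c o n s t r u c t e d }\n"]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, p in enumerate(payloads):
        out += struct.pack("<IIII", i, 0, len(p), len(p)) + p
    return out

if __name__ == "__main__":
    print(find_flag(build_sample()))
```

Matching on the flag pattern instead of a fixed output line keeps the extraction working when the line position differs between captures.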

Flag

picoCTF{p4ck37_5h4rk_01b0...}

Not every packet analysis task requires Wireshark; sometimes `strings` is enough.