Description
A network capture file hides the flag in plaintext inside one of its packets. Run strings on the file to surface it without needing Wireshark.
Setup
Download trace.pcap.
Run strings on it and grep for pico to find the flag immediately.
wget https://artifacts.picoctf.net/c/371/trace.pcapstrings trace.pcap | grep picoSolution
Want to try it yourself first?
The guided walkthrough reveals hints one step at a time.
Step 1
Run strings and grep for the flagObservationI noticed the challenge provided a raw PCAP file and the setup hint mentioned plaintext packet data, which suggested that the flag was stored unencoded in the file bytes and could be surfaced with the strings command rather than requiring Wireshark.The flag is embedded in plaintext inside a packet payload. A simple strings command surfaces every printable run of bytes in the file. Piping through grep pico finds the flag in one step without opening Wireshark.bashstrings trace.pcap | grep picoExpected output
picoCTF{P64P_4N4L1515_15_Fun_A8777...f}What didn't work first
Tried: Opening trace.pcap in Wireshark and scrolling through individual packets looking for the flag.
Wireshark displays packet bytes one frame at a time, so you have to scroll through dozens of packets manually. The strings pipeline collapses the entire file into printable runs and grep pinpoints the flag in one command, making Wireshark unnecessary for this challenge.
Tried: Running strings trace.pcap without piping to grep, then searching the terminal output visually.
The raw strings output for a PCAP is hundreds of lines of protocol headers, HTTP noise, and random printable garbage. Without grep pico the flag is buried in the scroll. Adding grep pico filters the output down to the one matching line immediately.
Learn more
PCAP files store raw network traffic. Packet payloads are just byte sequences, and when the application protocol transmits data in plaintext, the flag shows up verbatim in the file bytes. The
stringscommand extracts every run of printable characters, so a single pipeline finds plaintext flags without any protocol-level analysis.This is the first triage step for any forensics challenge involving a packet capture: try
strings file.pcap | grep picobefore reaching for Wireshark. It works whenever the flag is transmitted as unencoded ASCII in a single contiguous packet payload.If strings comes up empty, open the capture in Wireshark and use Follow TCP/UDP Stream to reassemble the application-layer conversation. The challenge is named PcapPoisoning as a hint about TCP injection, but the flag is accessible by the simpler strings path.
Interactive tools
- Hex ViewerView text or raw hex bytes as a xxd-style hex dump with byte offset, hex columns, and ASCII sidebar. Highlights printable characters and null bytes.
- Strings ExtractorPull printable text from any binary, library, or image. ASCII and UTF-16 detection, configurable minimum length, flag-like highlight, no command line needed.
Flag
Reveal flag
picoCTF{P64P_4N4L1515_15_Fun_A8777...f}
strings trace.pcap | grep pico returns the flag directly.