picoCTF Solutions

April 12, 2026

Wireshark and pcap Analysis for CTF Forensics

A hands-on guide to analyzing network packet captures (pcap files) in CTF competitions using Wireshark and tshark: following TCP streams, finding credentials, extracting files, and applying display filters.

Introduction

Network forensics challenges give you a packet capture file (usually a .pcap or .pcapngfile) recorded from a real or simulated network. Your job is to find the flag hidden somewhere inside the traffic: in a plaintext HTTP response, embedded in a file transferred over FTP, encoded in DNS queries, or smuggled inside a protocol you wouldn't normally suspect.

Wireshark is the standard tool for this work. It parses and dissects hundreds of protocols, lets you reconstruct TCP streams as readable text, and can export files from network transfers. This guide covers the skills needed for challenges like Packets Primer and Eavesdrop.

Opening a pcap file

Install Wireshark on Ubuntu or Debian:

sudo apt install wireshark

Open a capture file from the command line or via File → Open:

wireshark challenge.pcap
Note: On first launch Wireshark may ask whether non-root users should be able to capture packets. For CTF work you only need to read existing files, so the default setting is fine.

Wireshark also accepts compressed files (.pcap.gz) and the newer .pcapng format that supports multiple interfaces and packet comments.

The Wireshark interface

The Wireshark window has three main panes:

  • Packet list (top): one row per packet, showing number, timestamp, source, destination, protocol, and a summary.
  • Packet details (middle): the dissected protocol tree for the selected packet. Click any row to expand it.
  • Packet bytes (bottom): the raw hex and ASCII representation. Selecting a field in the details pane highlights the corresponding bytes here.

The display filter bar at the top is where you type filters to hide irrelevant packets. Press Enter or the arrow button to apply. The bar turns red for an invalid filter and green for a valid one.

Tip: Use Statistics → Protocol Hierarchy to see a breakdown of which protocols appear in the capture and what fraction of packets each occupies. This is a fast way to spot unexpected protocols that might be carrying the flag.

Following TCP/UDP streams

Reconstructing a complete conversation from individual packets is the most useful forensics operation. Right-click any packet in a TCP flow and choose Follow → TCP Stream. Wireshark reassembles all the packets in that flow into a single readable window, with client data in red and server data in blue.

This instantly shows you the full HTTP request and response, an FTP data transfer, or a shell session. Many CTF flags are directly visible as plaintext in a stream view.

At the bottom of the stream window you can switch the display to:

  • ASCII: printable characters (default)
  • Hex Dump: raw bytes alongside ASCII
  • Raw: the raw byte stream, useful for saving binary data

For UDP flows, use Follow → UDP Stream. DNS challenges often benefit from Follow → DNS Stream which groups query/response pairs.

Display filters

Display filters narrow the packet list to only the packets you care about. Wireshark uses its own filter language (not Berkley Packet Filter). Some essential filters:

FilterWhat it matches
httpAll HTTP traffic
tcp.port == 4444Traffic on a specific port
ip.addr == 10.0.0.5Traffic to or from a specific IP
http.request.method == "POST"HTTP POST requests only
ftp-dataFTP data transfers (the actual file contents)
dnsAll DNS queries and responses
tcp contains "picoCTF"TCP packets whose payload includes that string
frame contains "flag"Any packet containing the word flag
http.response.code == 200Successful HTTP responses
!(arp || dns)Hide ARP and DNS noise
Tip: Use tcp contains "picoCTF{" as a quick flag search. The braces are safe because they appear in the middle of the string, not as filter syntax.

Finding credentials

Plaintext protocols like HTTP (not HTTPS), FTP, Telnet, and POP3 transmit usernames and passwords in the clear. Wireshark can extract them automatically:

Go to Tools → Credentials. Wireshark scans the capture for known credential patterns across dozens of protocols and lists them in a separate window with the packet number, protocol, username, and password.

For HTTP Basic Auth, filter to http.authbasic and read the Authorization header. The value is Base64-encoded; decode it to recover username:password.

# Decode HTTP Basic Auth from the terminal
echo 'dXNlcjpwYXNz' | base64 -d
# user:pass

Extracting files from captures

Files transferred over HTTP, FTP, SMB, or TFTP are reconstructed by Wireshark automatically. Go to File → Export Objects and choose the protocol. Wireshark lists every transferred file with its filename and size. Save the ones you want to disk.

For protocols not in the Export Objects menu, follow the TCP stream, switch the view to Raw, then click Save As to write the raw bytes to a file.

Note: Always run file on any extracted binary to check its true type. The transferred data might be a ZIP, PNG, or PDF that was stored with a misleading extension.

tshark on the command line

tshark is the command-line version of Wireshark. It is invaluable when you want to grep, pipe, or script analysis of a large capture without a GUI.

# List all HTTP requests
tshark -r capture.pcap -Y 'http.request' -T fields \
  -e ip.src -e http.request.method -e http.request.uri
# Print every DNS query name
tshark -r capture.pcap -Y 'dns.qry.name' -T fields -e dns.qry.name
# Follow TCP stream 0 and print as ASCII
tshark -r capture.pcap -q -z follow,tcp,ascii,0
# Extract all HTTP objects to a folder
tshark -r capture.pcap --export-objects http,/tmp/exported_files
# Search for the flag in any packet payload
strings capture.pcap | grep 'picoCTF'
Tip: The strings trick at the bottom works surprisingly often. Before doing any analysis, run strings capture.pcap | grep -i 'picoctf\\|flag' to see if the flag is sitting in plaintext anywhere in the file.

Common CTF patterns

Flag in HTTP response body

The most common beginner pattern. Filter to http, follow the stream of a suspicious request, and read the response. The flag may be in the HTML body, a JSON field, or a custom header.

Flag in DNS exfiltration

Flags are sometimes encoded as subdomain labels in DNS queries, e.g. cGljb0NURg.attacker.com. Filter to dns, look at the query names, and base64-decode the subdomain. Use tshark to extract all names at once:

tshark -r cap.pcap -Y dns -T fields -e dns.qry.name | sort -u

Credentials used as the flag

Some challenges are solved by finding a username or password that is itself the flag, or leads to a service where the flag lives. Use Tools → Credentials or filter to the relevant plaintext protocol.

Unusual protocol

Check Statistics → Protocol Hierarchy. If you see an unexpected protocol like ICMP with large payloads, raw TCP on a non-standard port, or an unrecognized stream, that is usually the carrier for the hidden data.

Quick reference

FilterWhat it matches
Follow TCP StreamRight-click packet -> Follow -> TCP Stream
Export HTTP filesFile -> Export Objects -> HTTP
Find credentialsTools -> Credentials
Protocol breakdownStatistics -> Protocol Hierarchy
Conversation statsStatistics -> Conversations
strings + grepstrings capture.pcap | grep picoCTF
tshark fieldstshark -r cap.pcap -Y 'filter' -T fields -e field.name

Practice with: Packets Primer, Eavesdrop.