PICO Network Forensics
Packets Primer
Description
Download the packet capture file and use packet analysis software to find the flag.
Method
For this challenge we can use Wireshark to inspect the pcap file. Upon doing so, we see 9 packets.
If we look at the protocol field of the packets, 4 of these are ARP packets. To filter these out we can apply the display filter !arp.
This leaves us with 5 packets, the first 3 of which are the connection setup phase (TCP three-way handshake).
Let’s look at the packet with the PSH flag set, instructing the receiver to push the data immediately from the buffer to the application.
If we click on the packet we can see that the flag is contained in the payload.
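The same steps can be scripted, which is handy when a capture is too large to click through. The script below is an added example and is not part of the original writeup or the challenge files: it reads a classic (libpcap) capture over Ethernet, counts packets by protocol, drops ARP the way the `!arp` filter does, and returns the payload of every TCP segment with the PSH flag set. Because the challenge pcap is not reproduced here, a nine-packet capture matching the writeup (4 ARP, 3 handshake segments, one PSH/ACK carrying data, one final ACK) is constructed inline, and the flag string inside it is a placeholder, not the real flag. It handles classic pcap only; a pcapng file would need to be converted first.

```python
import struct
import sys
from collections import Counter

ETHERTYPE_IPV4, ETHERTYPE_ARP, IPPROTO_TCP = 0x0800, 0x0806, 6
TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x08, 0x10


def parse_pcap(data):
    """Yield raw Ethernet frames from a classic pcap file (either byte order)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    link_type, = struct.unpack_from(endian + "I", data, 20)
    if link_type != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    offset = 24  # global header is 24 bytes
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def dissect(frame):
    """Return (protocol name, TCP flags or None, TCP payload) for one frame."""
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype == ETHERTYPE_ARP:
        return "ARP", None, b""
    if ethertype != ETHERTYPE_IPV4:
        return "OTHER", None, b""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                     # IPv4 header length, honouring options
    total_len, = struct.unpack_from("!H", ip, 2)
    if ip[9] != IPPROTO_TCP:
        return "IP/other", None, b""
    tcp = ip[ihl:total_len]                      # trim any Ethernet padding
    data_offset = (tcp[12] >> 4) * 4             # TCP header length, honouring options
    return "TCP", tcp[13], tcp[data_offset:]


def protocol_counts(pcap):
    """What Wireshark's Protocol column would show, as a Counter."""
    return Counter(dissect(f)[0] for f in parse_pcap(pcap))


def psh_payloads(pcap):
    """Equivalent of '!arp' plus picking the segments with PSH set."""
    return [payload for frame in parse_pcap(pcap)
            for proto, flags, payload in [dissect(frame)]
            if proto == "TCP" and flags & TCP_PSH]


# ---- constructed sample capture mirroring the writeup (hypothetical addresses) ----
def _eth(ethertype, body):
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ethertype) + body


def _arp_frame():
    body = (struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1) + b"\x66\x77\x88\x99\xaa\xbb"
            + bytes([10, 0, 0, 2]) + b"\x00" * 6 + bytes([10, 0, 0, 1]))
    return _eth(ETHERTYPE_ARP, body)


def _tcp_frame(flags, payload=b"", sport=40000, dport=9000):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])) + tcp
    return _eth(ETHERTYPE_IPV4, ip)


def build_pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f
                             for i, f in enumerate(frames))


PLACEHOLDER_FLAG = b"FLAG{constructed_placeholder_not_the_real_flag}"
SAMPLE_PCAP = build_pcap([
    _arp_frame(), _arp_frame(), _arp_frame(), _arp_frame(),
    _tcp_frame(TCP_SYN),
    _tcp_frame(TCP_SYN | TCP_ACK, sport=9000, dport=40000),
    _tcp_frame(TCP_ACK),
    _tcp_frame(TCP_PSH | TCP_ACK, PLACEHOLDER_FLAG),
    _tcp_frame(TCP_ACK, sport=9000, dport=40000),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    print(dict(protocol_counts(data)))
    for payload in psh_payloads(data):
        print(payload)
```

Run it with a capture path as the only argument, or with no argument to use the embedded sample. The PSH flag is used here only as a cheap way to locate the segment that carried data; on a real capture with several data segments you would reassemble the stream in order rather than trust a single flag.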