Ping.pong.balls.7z
Opening the PCAP, you will notice a high volume of ICMP packets. Filter the traffic with icmp.type == 8 (Echo Request), then look at the Data tab in the packet bytes pane.
A long string that, when decoded, provides the flag.

💡 Tools for the Job

Wireshark: For visual flow analysis.
A simple scapy script can automate the extraction if the packet count is in the thousands.
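What such a script has to do, written here with only the Python standard library instead of scapy (an added example, not part of the original write-up): keep the Echo Requests, order them by capture timestamp and join their data bytes. The function names and the sample capture are constructed for illustration; a classic pcap file with Ethernet framing is assumed.

```python
import struct

def echo_request_payloads(pcap: bytes) -> bytes:
    """Join ICMP Echo Request (type 8) payloads in capture-timestamp order."""
    magic = pcap[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):    # usec / nsec, LE
        end = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):  # usec / nsec, BE
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    chunks, off = [], 24
    while off + 16 <= len(pcap):
        sec, frac, caplen, _ = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        # Untagged IPv4 carrying ICMP only; fragments are not reassembled.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 1:
            continue
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack("!H", frame[16:18])[0]
        icmp = frame[14 + ihl:14 + total_len]    # drops Ethernet padding
        if len(icmp) >= 8 and icmp[0] == 8:      # Echo Request
            chunks.append((sec, frac, len(chunks), icmp[8:]))
    return b"".join(c[3] for c in sorted(chunks))

def build_sample_pcap(packets) -> bytes:
    """Constructed capture: packets is a list of (timestamp, icmp_type, data)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for seq, (ts, icmp_type, data) in enumerate(packets):
        icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, seq) + data  # checksum 0
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        frame = bytes(12) + b"\x08\x00" + ip + icmp
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

# Constructed sample: requests stored out of order, plus a reply echoing a chunk.
SAMPLE = build_sample_pcap([
    (1700000002, 8, b"payload"),
    (1700000000, 8, b"constructed-"),
    (1700000000, 0, b"constructed-"),
    (1700000001, 8, b"sample-"),
])

if __name__ == "__main__":
    print(echo_request_payloads(SAMPLE))
```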
To solve this, you must extract the hex data from each packet in chronological order.
tshark -r capture.pcap -Y "icmp.type == 8" -T fields -e data > hex_dump.txt

3. Data Recomposition

The extracted data is typically one of two things:
Depending on the specific version of this challenge, the payload usually results in: