I opened the file in WireShark and looked through the contents. Most of the contents were encrypted TLS1.3, which are not easy to decrypt. I decided to check available files from HTTP, and there was something suspicious. I extracted html file and opened it in the browser. Press the button and get the flag!

##### Flag: sdctf{G3T_F*cK3d_W1r3SHaRK}

Original writeup (https://github.com/ninnikukawaii/write-ups/tree/master/San%20Diego%20CTF%202022/forensics/flag-trafficker).