Tags: pcap forensic icmp 


After analyzing the traffic, we noticed several ICMP packets whose size exceeded the usual value for an echo request.
Apply the Wireshark filter `icmp && ip.src == && frame.len gt 100`.
That leaves the malicious packets. Export them to a separate file.
Using a Python script, we extract the data from the malicious ICMP packets into a new file:
```python
import scapy.all as scapy

# Read the ICMP packets exported from Wireshark
scapy_cap = scapy.rdpcap('malicious.pcap')
with open('output', 'wb') as f:
    for packet in scapy_cap:
        # Append the ICMP data field of each packet to the output file
        if packet.haslayer(scapy.ICMP):
            f.write(bytes(packet[scapy.ICMP].payload))
```

The resulting file is a picture containing the flag.
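The whole procedure above (flag ICMP frames that are too large for a normal ping, restrict to one source, carve the ICMP data fields in capture order) can be reproduced without Wireshark or scapy. The following is an added example written for this page, not code from the original writeup: it builds a small constructed pcap in memory with the standard library, applies the same logic as the `icmp && ip.src == <src> && frame.len gt 100` filter, and concatenates the payloads. The addresses (`10.0.0.5`, `10.0.0.1`, `192.168.1.9`), the fake PNG bytes and the file name `output` are assumptions chosen for the sample; the capture is constructed, not from the challenge.

```python
import struct
from typing import Iterator, List, NamedTuple, Optional

ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8


class IcmpFrame(NamedTuple):
    """One ICMP frame as Wireshark shows it: frame number, frame.len, ip.src, ip.dst, type, data."""
    number: int
    frame_len: int
    src: str
    dst: str
    icmp_type: int
    payload: bytes


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_frame(src: str, dst: str, payload: bytes) -> bytes:
    """Ethernet II + IPv4 + ICMP echo request carrying `payload`; only used to construct the sample capture."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, IPPROTO_ICMP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + icmp


def build_pcap(frames: List[bytes]) -> bytes:
    """Wrap raw frames in a classic little-endian libpcap file (LINKTYPE_ETHERNET = 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_icmp(pcap: bytes) -> Iterator[IcmpFrame]:
    """Walk a little-endian libpcap file and yield every ICMP-over-IPv4 frame."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic %#x (only classic little-endian pcap handled)" % magic)
    offset, number = 24, 0
    while offset + 16 <= len(pcap):
        _, _, incl_len, orig_len = struct.unpack("<IIII", pcap[offset:offset + 16])
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        number += 1
        # Ethernet header is 14 bytes; IPv4 protocol field is at IP offset 9, addresses at 12 and 16
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        if frame[23] != IPPROTO_ICMP:
            continue
        ihl = (frame[14] & 0x0F) * 4
        icmp = frame[14 + ihl:]
        if len(icmp) < 8:
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        yield IcmpFrame(number, orig_len, src, dst, icmp[0], icmp[8:])


def oversized_icmp(pcap: bytes, src: Optional[str] = None, min_len: int = 100) -> List[IcmpFrame]:
    """Same selection as the Wireshark filter `icmp && ip.src == <src> && frame.len gt <min_len>`."""
    return [f for f in iter_icmp(pcap) if f.frame_len > min_len and (src is None or f.src == src)]


def carve_payloads(frames: List[IcmpFrame]) -> bytes:
    """Concatenate the ICMP data fields in capture order, as the scapy loop in the writeup does."""
    return b"".join(f.payload for f in frames)


# Constructed sample capture: two ordinary 56-byte pings (98 bytes on the wire, so below the threshold),
# two oversized echoes from 10.0.0.5 carrying a fake PNG split in two, and one oversized echo from an
# unrelated host that the ip.src clause must drop.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + bytes(range(256)) + b"IEND\xaeB`\x82"
HALF = len(FAKE_PNG) // 2
SAMPLE_PCAP = build_pcap([
    build_echo_frame("10.0.0.5", "10.0.0.1", b"\x00" * 56),
    build_echo_frame("10.0.0.5", "10.0.0.1", FAKE_PNG[:HALF]),
    build_echo_frame("192.168.1.9", "10.0.0.1", b"A" * 120),
    build_echo_frame("10.0.0.5", "10.0.0.1", FAKE_PNG[HALF:]),
    build_echo_frame("10.0.0.5", "10.0.0.1", b"\x00" * 56),
])

if __name__ == "__main__":
    hits = oversized_icmp(SAMPLE_PCAP, src="10.0.0.5")
    for f in hits:
        print(f"frame {f.number}: {f.frame_len} bytes {f.src} -> {f.dst}, {len(f.payload)} bytes of ICMP data")
    with open("output", "wb") as out:  # same output file name as the writeup
        out.write(carve_payloads(hits))
```

A normal Linux ping carries 56 bytes of ICMP data, which is 98 bytes on the wire with Ethernet, IPv4 and ICMP headers, so `frame.len gt 100` cleanly separates it from frames that carry smuggled file data. The `ip.src` clause matters as well: without it the unrelated 162-byte frame from the third host would be spliced into the carved file and corrupt it.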
Thanks for reading :)