Tags: pcap forensic icmp 

After analyzing the traffic, we noticed several ICMP packets whose size exceeded the usual value: a normal ping carries 56 bytes of data (a 98-byte frame on Ethernet), so echo packets of several hundred bytes stand out.
Apply the Wireshark filter `icmp && ip.src == 10.211.55.5 && frame.len gt 100`.
![](https://i.imgur.com/mQtIi4U.png)
This leaves only the malicious packets. Export these packets to a separate file (File > Export Specified Packets, displayed packets only).
Using a Python script, we extract the ICMP data field from each malicious packet and concatenate it into a new file.
```python
import scapy.all as scapy

scapy_cap = scapy.rdpcap('malicious.pcap')
with open('output', 'wb') as f:
    for packet in scapy_cap:
        if scapy.ICMP not in packet:
            continue
        # packet.payload is the IP layer; its first 28 bytes are the IP header
        # (20, no options) plus the 8-byte ICMP echo header, so bytes(...)[28:]
        # is the data field. Reading the ICMP layer's payload is equivalent
        # and also survives IP options.
        f.write(bytes(packet[scapy.ICMP].payload))
```

The resulting file is a picture containing the flag (check its first bytes with `file output` or a hex viewer to confirm the image magic before opening it).
Thanks for reading :)
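The same extraction without scapy, as an added example that is not part of the original writeup: a minimal pcap walker that applies the selection the Wireshark filter above expresses (`icmp && ip.src == 10.211.55.5 && frame.len gt 100`) and concatenates the ICMP data field of every matching packet. It also skips IP options and any Ethernet trailer via the header length fields rather than a fixed 28-byte slice. The capture is constructed in memory (a PNG-looking blob split over four oversized pings from 10.211.55.5, mixed with a normal ping and a decoy from another host); the addresses and the blob are assumptions for the demo, not data from the challenge.

```python
# Added example: reassemble data smuggled in ICMP echo payloads, pure stdlib.
# The demo pcap, the hosts and the SECRET bytes are constructed for this demo.
import socket
import struct

LINKTYPE_ETHERNET = 1


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_frame(src: str, dst: str, payload: bytes, seq: int = 0, ident: int = 0x1234) -> bytes:
    """Ethernet/IPv4/ICMP echo request carrying `payload` in the data field."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = struct.pack("!BBHHH", 8, 0, inet_checksum(icmp), ident, seq) + payload
    ip_fields = [0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                 socket.inet_aton(src), socket.inet_aton(dst)]
    ip_fields[7] = inet_checksum(struct.pack("!BBHHHBBH4s4s", *ip_fields))
    return eth + struct.pack("!BBHHHBBH4s4s", *ip_fields) + icmp


def build_pcap(frames) -> bytes:
    """Classic pcap: magic 0xa1b2c3d4, little-endian, Ethernet link type."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_pcap_frames(data: bytes):
    """Yield raw frames from a classic pcap file, honouring its byte order."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("this example only handles Ethernet captures")
    offset = 24
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def extract_icmp_data(pcap_bytes: bytes, src_ip: str, min_frame_len: int = 100) -> bytes:
    """Concatenate the ICMP echo data of frames from src_ip longer than min_frame_len."""
    chunks = []
    for frame in iter_pcap_frames(pcap_bytes):
        if len(frame) <= min_frame_len:                        # frame.len gt 100
            continue
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":     # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack_from("!H", frame, 16)[0]
        if frame[23] != 1 or socket.inet_ntoa(frame[26:30]) != src_ip:  # icmp && ip.src
            continue
        icmp = frame[14:14 + total_len][ihl:]   # drop Ethernet trailer, honour IP options
        if len(icmp) < 8 or icmp[0] not in (0, 8):             # only echo request/reply
            continue
        chunks.append(icmp[8:])                 # skip type, code, checksum, id, seq
    return b"".join(chunks)


# Constructed demo capture: SECRET split over 4 oversized pings from 10.211.55.5,
# interleaved with a normal 56-byte ping and a decoy big ping from another host.
SECRET = b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 3
CHUNK = 200
DEMO_FRAMES = []
for i in range(0, len(SECRET), CHUNK):
    DEMO_FRAMES.append(build_echo_frame("10.211.55.5", "10.211.55.2", SECRET[i:i + CHUNK], seq=i // CHUNK))
    DEMO_FRAMES.append(build_echo_frame("10.211.55.5", "10.211.55.2", b"\x00" * 56, seq=99))
DEMO_FRAMES.append(build_echo_frame("10.211.55.9", "10.211.55.2", b"A" * 300))
DEMO_PCAP = build_pcap(DEMO_FRAMES)

if __name__ == "__main__":
    data = extract_icmp_data(DEMO_PCAP, "10.211.55.5")
    with open("output", "wb") as f:
        f.write(data)
    print(len(data), "bytes recovered, PNG magic present:", data[:8] == SECRET[:8])
```

Point `extract_icmp_data` at the bytes of a real capture (`open('malicious.pcap', 'rb').read()`) to use it on the challenge file; the frame-length threshold is what separates the carrier packets from ordinary pings, so lower it only if the exfiltration uses small chunks, and expect ordinary ping data to be mixed in when you do.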