
The challenge provides `file.pcapng`. Opened in `wireshark`, it contains some DNS traffic. Given the challenge name and the capture contents, DNS tunneling seemed likely, and the appearance of `dnscat` references confirmed the theory.

I researched `dnscat` and found that the first 9 bytes of each transmission are a header, not part of the payload; the rest is the hex-encoded message.

I ultimately overcomplicated this one, and messed about with various `scapy`-based Python scripts to splice the various `dnscat` messages together and decode the result. In the end I just needed to decode the one message that was notably longer than the others.

$ echo 5a6d78685a337445626c4e6664485675626a4d7a4d.3278734d5446755a32646e66516f3d0a | xxd -r -p
ZmxhZ3tEblNfdHVubjMzM2xsMTFuZ2dnfQo=

Then base64-decode it:

$ echo ZmxhZ3tEblNfdHVubjMzM2xsMTFuZ2dnfQo= | base64 -d
flag{DnS_tunn333ll11nggg}
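The same two-step decode (strip the 9-byte header, hex-decode, then base64-decode), written as a small Python script that also flags tunnel-looking query names the way a detection rule would. This is an added example, not code from the original writeup; the tunnel domain `example.com` and the header bytes are constructed, while the payload labels are the long message from the capture above.

```python
import base64
import binascii
from typing import List

# The writeup notes that the first 9 bytes of each dnscat transmission are a
# header, and the rest of the query name is the hex-encoded message.
HEADER_BYTES = 9
TUNNEL_DOMAIN = "example.com"  # assumed tunnel suffix (not from the capture)

# Constructed query names. The header hex is made up; the payload labels are the
# long message from the capture, split the way tunnels split data into labels.
HEADER_HEX = "0f1e2d3c4b5a697887"
PAYLOAD_LABELS = ["5a6d78685a337445626c4e6664485675626a4d7a4d",
                  "3278734d5446755a32646e66516f3d0a"]
SAMPLE_QUERIES = [
    HEADER_HEX + PAYLOAD_LABELS[0] + "." + PAYLOAD_LABELS[1] + "." + TUNNEL_DOMAIN,
    "www." + TUNNEL_DOMAIN,  # an ordinary lookup that must not be flagged
]


def extract_hex(qname: str, domain: str = TUNNEL_DOMAIN) -> str:
    """Join every label in front of the tunnel domain into one hex string."""
    suffix = "." + domain
    if not qname.endswith(suffix):
        raise ValueError("not a query under the tunnel domain: " + qname)
    return "".join(qname[: -len(suffix)].split("."))


def decode_dnscat_payload(qname: str, domain: str = TUNNEL_DOMAIN) -> bytes:
    """Hex-decode the labels and drop the 9-byte header (the xxd -r -p step)."""
    return binascii.unhexlify(extract_hex(qname, domain))[HEADER_BYTES:]


def recover_message(qname: str, domain: str = TUNNEL_DOMAIN) -> bytes:
    """Full pipeline: the tunnelled data is itself base64 (the base64 -d step)."""
    return base64.b64decode(decode_dnscat_payload(qname, domain))


def flag_tunnel_queries(qnames: List[str], domain: str = TUNNEL_DOMAIN,
                        min_hex_chars: int = 40) -> List[str]:
    """Detection heuristic: long runs of purely hexadecimal labels under one
    domain are a strong DNS-tunneling signal; normal hostnames fail this test."""
    hexdigits = set("0123456789abcdefABCDEF")
    flagged = []
    for q in qnames:
        try:
            h = extract_hex(q, domain)
        except ValueError:
            continue  # not under the tunnel domain at all
        if len(h) >= min_hex_chars and set(h) <= hexdigits:
            flagged.append(q)
    return flagged


if __name__ == "__main__":
    for q in flag_tunnel_queries(SAMPLE_QUERIES):
        print(q, "->", recover_message(q))
```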

Original writeup (https://nullcasa.github.io/ctf-metared-stage1-2022/).