We are given a pcap of a CAN bus that does not have too many different packets. When reading the packets we see that some seem to have text in them, in their data field. We also see a few packets that interest us:
- the one which has
FCSChas id 2 and is an extended packet - the one which has
{has id 2 and is not an extended packet - the one which has
}has the highest id of 68
So we probably need to sort the packets by ID, and if two have the same ID, then we sort by putting the extended packet first.
This command does just that:
tshark -r canflag.pcap -T fields -e can.flags.xtd -e can.id -e data.data | sort -k2,2n -k1,1r| awk '{ print $3 }' | tr -d '\n' | xxd -r -p
And we get the flag.