Recently, I competed in a CTF where one of the flags was hidden inside of a PDF which was transferred over Wireshark. Here is the process I used.

Open the PCAP in Wireshark

and find the data that was transferred. In my case it was straightforward: the PDF’s name was in the info.

Follow the TCP Stream

Right-click the packet, select “Follow TCP Stream”, and set “Show and save data as” to **Raw**.

Save as PDF

Finally, select “Save as” and give the file a name with the extension .pdf.


You should be able to open the PDF now.
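
If the PDF travelled inside another protocol (HTTP, for example), the raw stream saved in the steps above also contains that protocol's headers, and some viewers will refuse the file until they are trimmed. The Python script below is an added example, not part of the original post; it carves the PDF out of the saved stream, and the function name `carve_pdfs` and the sample bytes are constructed for illustration.

```python
"""Carve PDF documents out of a raw TCP stream saved from Wireshark."""
import sys

PDF_HEADER = b"%PDF-"
PDF_EOF = b"%%EOF"


def carve_pdfs(stream):
    """Return a list with the bytes of every PDF found in `stream`.

    Each PDF runs from a %PDF- header to the LAST %%EOF before the next
    header: incrementally updated PDFs contain several %%EOF markers, so
    stopping at the first one would truncate the document.
    """
    pdfs = []
    start = stream.find(PDF_HEADER)
    while start != -1:
        next_start = stream.find(PDF_HEADER, start + len(PDF_HEADER))
        limit = next_start if next_start != -1 else len(stream)
        end = stream.rfind(PDF_EOF, start, limit)
        if end != -1:  # skip a header that has no end-of-file marker
            pdfs.append(stream[start:end + len(PDF_EOF)])
        start = next_start
    return pdfs


# Constructed sample standing in for a saved raw stream: HTTP response
# headers, a minimal PDF with one incremental update, then trailing bytes.
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n"
    b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\ntrailer\n<<>>\n%%EOF\n"
    b"2 0 obj\n<<>>\nendobj\ntrailer\n<<>>\n%%EOF\n"
    b"\r\ntrailing bytes"
)

if __name__ == "__main__":
    # Usage: python carve_pdf.py saved_stream.bin
    # With no argument, the constructed sample is carved instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE_STREAM
    for i, pdf in enumerate(carve_pdfs(data)):
        name = "carved_%d.pdf" % i
        with open(name, "wb") as out:
            out.write(pdf)
        print("wrote %s (%d bytes)" % (name, len(pdf)))
```

The carver matches on byte markers only, so a PDF embedded uncompressed inside another PDF would be split at the inner header.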