Recently, I competed in a CTF where one of the flags was hidden inside of a PDF which was transferred over Wireshark. Here is the process I used.
Open the PCAP in Wireshark
and find the data that was transferred. In my case it was straightforward: the PDF’s name was in the info:
Follow the TCP Stream
Right-click the packet and select “Follow TCP Stream”, then set “Show and save data as” to **Raw**.
Save as PDF
Click “Save as” and name the file with the PDF extension.
You should be able to open the PDF now.
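If the saved raw stream does not open cleanly, it may contain protocol framing around the file itself. The following is an added example, not part of the original post: it carves the PDF out of a raw stream dump by cutting from the `%PDF-` header to the last `%%EOF` marker. The function names and the HTTP-wrapped sample are constructed for illustration, since the post does not say which protocol carried the file.

```python
"""Carve a PDF out of a raw TCP stream dump saved from Wireshark (added example)."""
import sys

PDF_HEADER = b"%PDF-"
PDF_TRAILER = b"%%EOF"


def carve_pdf(stream: bytes) -> bytes:
    """Return the bytes from the first %PDF- header to the last %%EOF marker.

    Raises ValueError if the stream does not hold a complete PDF.
    """
    start = stream.find(PDF_HEADER)
    if start == -1:
        raise ValueError("no %PDF- header found in stream")
    # A PDF with incremental updates has several %%EOF markers, so cut at the last one.
    end = stream.rfind(PDF_TRAILER)
    if end < start:
        raise ValueError("no %%EOF after the header; the capture may be truncated")
    end += len(PDF_TRAILER)
    # Keep the single end-of-line that normally follows %%EOF.
    if stream[end:end + 2] == b"\r\n":
        end += 2
    elif stream[end:end + 1] in (b"\n", b"\r"):
        end += 1
    return stream[start:end]


def sample_stream() -> bytes:
    """Constructed sample: an HTTP response wrapped around a tiny PDF-like body."""
    pdf = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
           b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    head = (b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n"
            b"Content-Length: %d\r\n\r\n" % len(pdf))
    return head + pdf + b"trailing bytes from the rest of the conversation"


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: carve_pdf.py stream.raw out.pdf
        with open(sys.argv[1], "rb") as src, open(sys.argv[2], "wb") as dst:
            dst.write(carve_pdf(src.read()))
    else:
        carved = carve_pdf(sample_stream())
        print(f"carved {len(carved)} bytes, starts with {carved[:8]!r}")
```

Run it with the saved stream file and an output path as arguments, or with no arguments to exercise the constructed sample.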