1. 使用Wireshark工具打开流量文件http1.pcapng，如下图所示。

2. 在过滤检索栏输入http，wireshark自动进行过滤。

3. 选中其中一条记录后，wireshark 下方显示若干信息。

Frame 81: 925 bytes on wire (7400 bits), 925 bytes captured (7400 bits) on interface eth0, id 0
Ethernet II, Src: IntelCor_ac:91:ad (38:de:ad:ac:91:ad), Dst: PcsCompu_ed:cb:ff (08:00:27:ed:cb:ff)
Internet Protocol Version 4, Src: 192.168.43.173, Dst: 192.168.43.230
Transmission Control Protocol, Src Port: 80, Dst Port: 58648, Seq: 1, Ack: 415, Len: 871
Hypertext Transfer ProtocolHTTP/1.1 200 OK\r\nServer: nginx/1.11.5\r\nDate: Tue, 22 Dec 2020 01:53:46 GMT\r\nContent-Type: text/html; charset=UTF-8\r\nTransfer-Encoding: chunked\r\nConnection: keep-alive\r\nVary: Accept-Encoding\r\nX-Powered-By: PHP/7.2.1\r\nContent-Encoding: gzip\r\n\r\n[HTTP response 1/1][Time since request: 0.039416574 seconds][Request in frame: 80]**[Request URI: http://192.168.43.173/yctf/cmd_exec/index.php?ip=flag%7Byou_can_find_it%7D]**HTTP chunked responseContent-encoded entity body (gzip): 617 bytes -> 1221 bytesFile Data: 1221 bytes
Line-based text data: text/html (36 lines)

在 [Request URI: http://192.168.43.173/yctf/cmd_exec/index.php?ip=flag%7Byou_can_find_it%7D] 里面包含了flag。