By Matt Gruskin

The solver should download “trips.pcap” using the download link. The first step is to figure out what kind of file this is, if it’s not clear from the file extension. A Google search for “pcap” would return results indicating that this is a pcap packet capture file.

Alternatively, we may use the Unix file command to identify the file type:

$ file trips.pcap
trips.pcap: tcpdump capture file (little-endian) - version 2.4 (raw IP, capture length 65535)

The tcpdump command line tool can be used to decode the file, or it can be opened in Wireshark. Using tcpdump to decode it would result in the following output:

$ tcpdump -r trips.pcap
reading from file trips.pcap, link-type RAW (Raw IP)
-13:00:00.00000 IP mail37.mxpath.net.discard > fe1-0.soesr3.nyc9.maint.ops.us.uu.net.8: UDP, length 11
-13:00:00.00000 IP > 10-160-58-66.gci.net.3: UDP, length 14
-13:00:00.00000 IP > UDP, length 12
-13:00:00.00000 IP > UDP, length 15
-13:00:00.00000 IP a. > c-50-131-229-144.hsd1.ca.comcast.net.5: UDP, length 14
-13:00:00.00000 IP > ool-44c09340.dyn.optonline.net.6: UDP, length 10
-13:00:00.00000 IP > pool-100-12-116-128.nycmny.fios.verizon.net.3: UDP, length 11
11:00:00.000000 IP > UDP, length 13
11:00:00.000000 IP > UDP, length 15
11:00:00.000000 IP > UDP, length 13

This is a sequence of captured UDP packets. Running tcpdump again with the -X option (to see the contents of the packets) and the -vv option (to check the packet UDP checksums) reveals that the characters in the packet payloads are all X characters (0x58) and spaces (0x20), resulting in incorrect checksums:

$ tcpdump -r trips.pcap -X -vv
reading from file trips.pcap, link-type RAW (Raw IP)
-13:00:00.00000 IP (tos 0x0, id 0, offset 0, flags [none], proto UDP (17), length 39)
    mail37.mxpath.net.discard > fe1-0.soesr3.nyc9.maint.ops.us.uu.net.8: [bad udp cksum 0xbb53 -> 0x7414!] UDP, length 11
        0x0000:  4500 0027 0000 0000 0011 40a6 42b9 a305  E..'......@.B...
        0x0010:  ce40 c621 0009 0008 0013 bb53 5858 5858  .@.!.......SXXXX
        0x0020:  5820 5858 5858 58                        X.XXXXX
-13:00:00.00000 IP (tos 0x0, id 0, offset 0, flags [none], proto UDP (17), length 42) > 10-160-58-66.gci.net.3: [bad udp cksum 0x0f49 -> 0x9d0f!] UDP, length 14
        0x0000:  4500 002a 0000 0000 0011 c24e 5854 bddc  E..*.......NXT..
        0x0010:  423a a00a 0008 0003 0016 0f49 5858 5858  B:.........IXXXX
        0x0020:  5820 5858 5858 5858 5858                 X.XXXXXXXX

The next step is to figure out what characters the Xs in the packet payloads should be, based on packet metadata. For each packet, we know the timestamp when it was received, the source and destination IP addresses, the source and destination port numbers, and the payload length.

The timestamps in the tcpdump look suspicious—why do many of them have negative hours? Running tcpdump again with fuller timestamp formatting (the -tttt option) would result in the following output (we’ll also pass -n now to skip the IP DNS lookups):

$ tcpdump -r trips.pcap -tttt -n
reading from file trips.pcap, link-type RAW (Raw IP)
1914-05-15 -13:00:00.00000 IP > UDP, length 11
1926-05-15 -13:00:00.00000 IP > UDP, length 14
1928-10-16 -13:00:00.00000 IP > UDP, length 12
1930-04-07 -13:00:00.00000 IP > UDP, length 15
1935-01-13 -13:00:00.00000 IP > UDP, length 14
1957-07-17 -13:00:00.00000 IP > UDP, length 10
1964-02-08 -13:00:00.00000 IP > UDP, length 11
1972-02-21 11:00:00.000000 IP > UDP, length 13
1982-08-29 11:00:00.000000 IP > UDP, length 15
1995-02-21 11:00:00.000000 IP > UDP, length 13

These are some old packets! The negative hours field may be confusing, it indicates that the timestamp is actually from the previous day (e.g., 1914-05-15 -13:00:00.00000 is actually a timestamp from 1914-05-14). This is a consequence of how Unix timestamps are used to represent dates before 1970-01-01.

Looking up the IP addresses in an IP geolocation database (e.g., https://geoiptool.com) will reveal locations around the world. For example, the 1964-02-07 packet has a source IP of, which geolocates near London, and it has a destination IP of, which geolocates to New York City.

The combination of February 7, 1964, a starting point of London, and an ending point of New York City, suggests The Beatles’ first trip to the United States. The payload string “THE BEATLES” has a length of 11 bytes, which matches the missing UDP payload length, the pattern of Xs and spaces, and the checksum. Each packet has metadata like this that clues a famous trip.

After solving each of the packets in this way, we know the packet payloads. If we now reorder the packets by their source port numbers, and index into the packet payloads by their destination port numbers, we get the answer PIGEON LAKE.

date source
payload destination
1 1982-08-29 Greenwich, England Greenwich, England RANULPH FIENNES 6 P
2 1935-01-12 Honolulu, Hawaii Oakland, California AMELIA EARHART 5 I
3 1930-04-06 Ahmedabad, India Navsari, India MOHANDAS GANDHI 9 G
4 1964-02-07 London, England Jamaica, Queens, NY THE BEATLES 3 E
5 1995-02-21 Seoul, South Korea Leader, Saskatchewan STEVE FOSSETT 7 O
6 1972-02-21 Washington, D.C. Beijing, China RICHARD NIXON 8 N
7 1957-07-16 Los Alamitos, CA Brooklyn, NY JOHN GLENN 6 L
8 1926-05-14 Vadso, Finnmark, Norway Nome, Alaska (near Teller, Alaska) ROALD AMUNDSEN 3 A
9 1914-05-14 San Diego, CA New York, NY ERWIN BAKER 8 K
10 1928-10-15 Friedrichshafen, Germany Lakehurst, NJ HUGO ECKENER 5 E