A brief network trace from Acme Electronics’ internal payment gateway shows unusual activity. Examine the PCAP to answer the questions.
Q1 (5 pts) - The messages in the PCAP follow which standard financial message format?
ISO 8583
Q2 (5 pts) - Which version of the protocol is used in these messages?
1987
Q3 (40 pts) - How many PANs appear more than once in the transactions?
4
Q4 (50 pts) - What STAN is associated with the replayed request?
918939
This was one of the most difficult challenges for me, and I needed outside help to finish the protocol parsing accurately.
I started by identifying the financial message format used in the capture. After searching for standard payment message formats used in packet analysis, I landed on ISO 8583. I then opened the traffic in Wireshark and confirmed that the structure matched ISO 8583:1987.
Q3 / Q4 — These were the hardest questions in the challenge. I tried to get the Wireshark ISO 8583 tooling to work, but it would not decode the traffic correctly. I reinstalled it and checked the preferences, but the problem remained. At that point, I used AI assistance to help me parse the payloads more directly.
It suggested the following command:
tshark -r transactions.pcap -Y tcp -T fields -e tcp.stream -e data > payloads.txt
It then provided a script to isolate the repeated PAN values and corresponding STAN fields:
python3 - <<'PY'
from collections import Counter

# The writeup shows only the parsing loop; the input loader and the ebcdic_digits
# helper below are my reconstruction of the pieces it relies on.
# payloads.txt is the tshark output: tcp.stream, a tab, then the payload as hex.
lines = []
with open("payloads.txt") as f:
    for line in f:
        payload = line.rstrip("\n").split("\t")[-1].replace(":", "").lower()  # tolerate colon-separated hex
        if payload:
            lines.append(payload)

def ebcdic_digits(hexstr):
    """Decode EBCDIC digits (0xF0-0xF9) from a hex string; None if any byte is not a digit."""
    try:
        raw = bytes.fromhex(hexstr)
    except ValueError:
        return None
    if not raw or any(not 0xF0 <= b <= 0xF9 for b in raw):
        return None
    return "".join(chr(b - 0xF0 + ord("0")) for b in raw)

reqs = []  # (PAN, STAN, raw hex) for every 0100 request
for h in lines:
    if not h.startswith("f0f1f0f0"):  # 0100 requests only
        continue
    # bytes after MTI+bitmap (4 + 8 bytes = 24 hex chars)
    body = h[24:]
    # field 2 length (LLVAR: two EBCDIC digits)
    ll = ebcdic_digits(body[:4])
    if ll is None:
        continue
    pan_len = int(ll)
    pan_hex_len = pan_len * 2
    pan = ebcdic_digits(body[4:4 + pan_hex_len])
    if pan is None:
        continue
    rest = body[4 + pan_hex_len:]
    # skip DE3 (6), DE4 (12), DE7 (10) = 28 digits = 56 hex chars
    de11_hex = rest[56:68]
    stan = ebcdic_digits(de11_hex)
    reqs.append((pan, stan, h))

counts = Counter(p for p, _, _ in reqs)
print("Repeated PAN count:", sum(1 for k, v in counts.items() if v > 1))
print("Repeated PANs:")
for pan, c in counts.items():
    if c > 1:
        print(pan, c)
print("\nRequests by repeated PAN:")
for pan, stan, raw in reqs:
    if counts[pan] > 1:
        print("PAN:", pan, "STAN:", stan)
PY
Repeated PAN count: 4
Repeated PANs:
4043321819600132 2
4838637940262 2
372351161559403 2
3596532871012262 2
Requests by repeated PAN:
PAN: 4043321819600132 STAN: 256788
PAN: 4838637940262 STAN: 031245
PAN: 372351161559403 STAN: 439899
PAN: 4043321819600132 STAN: 163033
PAN: 4838637940262 STAN: 638721
PAN: 3596532871012262 STAN: 918939
PAN: 372351161559403 STAN: 565580
PAN: 3596532871012262 STAN: 918939
Given the remaining time in the competition, I used that output to finish the challenge instead of continuing to troubleshoot the Wireshark decoder.
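The fixed-offset slicing above only works because every request carries exactly DE 2, 3, 4, 7 and 11. As an added example that is not part of the writeup, the Python below (with constructed sample messages and a field table that, like the script above, covers only those five elements) encodes ISO 8583:1987 0100 requests in EBCDIC, walks the primary bitmap rather than assuming offsets, and separates a PAN that merely appears twice from a request that was replayed (same PAN and same STAN).

```python
from collections import Counter

# ISO 8583:1987 elements the challenge relies on: "LL" = 2-digit length prefix, "F" = fixed.
FIELDS = {2: ("LL", 19), 3: ("F", 6), 4: ("F", 12), 7: ("F", 10), 11: ("F", 6)}

def build_0100(pan, proc_code, amount, txn_time, stan):
    """Encode a 0100 authorization request as EBCDIC (cp037) bytes with a primary bitmap."""
    values = {2: pan, 3: proc_code, 4: amount, 7: txn_time, 11: stan}
    bitmap, body = bytearray(8), ""
    for fno in sorted(values):
        (kind, _), val = FIELDS[fno], values[fno]
        body += ("%02d%s" % (len(val), val)) if kind == "LL" else val
        bitmap[(fno - 1) // 8] |= 0x80 >> ((fno - 1) % 8)  # bit 1 is the MSB of byte 0
    return "0100".encode("cp037") + bytes(bitmap) + body.encode("cp037")

def parse_iso8583(msg):
    """Decode MTI and every present field by walking the primary bitmap."""
    mti, bitmap = msg[:4].decode("cp037"), msg[4:12]
    if bitmap[0] & 0x80:
        raise ValueError("secondary bitmap present; layout beyond DE 64 not defined here")
    data, fields, pos = msg[12:].decode("cp037"), {}, 0
    for fno in range(2, 65):
        if not bitmap[(fno - 1) // 8] & (0x80 >> ((fno - 1) % 8)):
            continue
        if fno not in FIELDS:  # an unknown element would shift every later offset
            raise ValueError("no layout for DE %d" % fno)
        kind, length = FIELDS[fno]
        if kind == "LL":
            length, pos = int(data[pos:pos + 2]), pos + 2
        fields[fno], pos = data[pos:pos + length], pos + length
    return mti, fields

def find_replays(messages):
    """Return (PANs in more than one 0100 request, STANs whose PAN+STAN pair repeats)."""
    reqs = [f for mti, f in map(parse_iso8583, messages) if mti == "0100"]
    pans = Counter(f[2] for f in reqs)
    pairs = Counter((f[2], f[11]) for f in reqs)  # same PAN and STAN twice = replay
    repeated = sorted(p for p, c in pans.items() if c > 1)
    replayed = sorted(s for (_, s), c in pairs.items() if c > 1)
    return repeated, replayed

# Constructed sample traffic: one PAN retried with a fresh STAN (legitimate),
# one PAN whose request is sent twice unchanged (replay).
SAMPLE = [
    build_0100("4111111111111111", "000000", "000000012500", "0612143000", "256788"),
    build_0100("5500000000000004", "000000", "000000004999", "0612143205", "918939"),
    build_0100("4111111111111111", "000000", "000000012500", "0612143410", "163033"),
    build_0100("5500000000000004", "000000", "000000004999", "0612143205", "918939"),
]
```

Both PANs count as repeated, but only the second one is a replay, which is the distinction Q3 and Q4 turn on.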