The police have retrieved a network trace of some suspicious activity. Most of the traffic is users viewing their own profiles on a social networking website, but one of the users on the network downloaded a file from the Thyrin Labs VPN and spoofed their IP address in order to hide their identity. Can you figure out the last name of person that accessed the Thyrin files, and the two source IP addresses they used?
[Example valid flag format: "davis,192.168.50.6,192.168.50.7"]

PCAP file available here[1]. You can also view it on CloudShark[2]

hint:The IP address was changed, but what about the MAC Address[3]?

[1]https://picoctf.com/problem-static/forensics/spoof-proof/traffic.pcap
[2]https://www.cloudshark.org/captures/44e55fba6c1b
[3]http://www.differencebetween.net/technology/difference-between-mac-and-ip-address/