Wireshark-users: Re: [Wireshark-users] Protocol Identification using Payload Content
On Mon, May 05, 2008 at 09:12:34PM +0200, Isara Anantavrasilp wrote:
>
> First of all, I am sorry if my question is not directly related to Wireshark.
> (Actually, I really have no idea where to ask exactly.)
>
> Anyway, my problem is as follows.
> I need to identify the protocols of the packets in some packet traces.
> In these traces, some small fractions of payloads are available (not
> only headers but not really full-payload).
> As far as I know, Wireshark can identify the protocols of these packets.
> This it is done by matching the packet transportation ports to the
> known application ports.
>
> However, this method is not reliable. So I would like to identify the
> protocol with protocol signature instead.
> And by "protocol signatures", I mean the specific strings or contents
> of the protocols.
> (Like some HTTP packets got "GET" or "POST" in the packets.)
>
> Can this be done be Wireshark?
Yes and no, Wireshark uses a mixture of port-mappings, heuristics
(ie signatures) and protocol data of other packets to determine
which dissector should dissect a packet.
However, not all dissectors have some heuristics in place. So I think
you could learn from the Wireshark dissectors to establish a base
of signatures for your program, but it will be far from complete.
> Do you have any idea where I can get such a list protocol signatures?
I would suggest looking at some code of Intrusion Detection systems.
> (It is most likely that I would have to develop an automated
> application for the identification.)
Do you need to label each and every packet to whatever exotic protocol
it might contain? Or would having signatures for a defined list of protocols
be sufficient, marking all the other packets to "Unknown Protocol"?
Cheers,
Sake
