Wireshark-users: Re: [Wireshark-users] Protocol Identification using Payload Content
From: "Isara Anantavrasilp" <isara.a@xxxxxxxxx>
Date: Tue, 6 May 2008 01:43:50 +0200
Hi,

Thanks a lot for the reply!
The following are my replies to your suggestions.

On Mon, May 5, 2008 at 10:40 PM, Sake Blok <sake@xxxxxxxxxx> wrote:
> On Mon, May 05, 2008 at 09:12:34PM +0200, Isara Anantavrasilp wrote:
>  >
>  > First of all, I am sorry if my question is not directly related to Wireshark.
>  > (Actually, I really have no idea where to ask exactly.)
>  >
>  > Anyway, my problem is as follows.
>  > I need to identify the protocols of the packets in some packet traces.
>  > In these traces, some small fractions of payloads are available (not
>  > only headers but not really full-payload).
>  > As far as I know, Wireshark can identify the protocols of these packets.
>  > This is done by matching the packet transport ports to the
>  > known application ports.
>  >
>  > However, this method is not reliable. So I would like to identify the
>  > protocol with protocol signature instead.
>  > And by "protocol signatures", I mean the specific strings or contents
>  > of the protocols.
>  > (Like some HTTP packets got "GET" or "POST" in the packets.)
>  >
>  > Can this be done by Wireshark?
>
>  Yes and no. Wireshark uses a mixture of port-mappings, heuristics
>  (i.e. signatures) and protocol data of other packets to determine
>  which dissector should dissect a packet.

So, you mean that when Wireshark tells me that packet X belongs to
protocol Y, it doesn't use just the transport port?

>
>  However, not all dissectors have some heuristics in place. So I think
>  you could learn from the Wireshark dissectors to establish a base
>  of signatures for your program, but it will be far from complete.

I suppose I should look at the Wireshark code then.
I hate to ask, but does anyone know where (roughly) these heuristics are?
I believe they must be stored in some files, right?

>
>
>  > Do you have any idea where I can get such a list of protocol signatures?
>
>  I would suggest looking at some code of Intrusion Detection systems.
>
>
>  > (It is most likely that I would have to develop an automated
>  > application for the identification.)
>
>  Do you need to label each and every packet to whatever exotic protocol
>  it might contain? Or would having signatures for a defined list of protocols
>  be sufficient, marking all the other packets to "Unknown Protocol"?
>

No, I do not have to specify every packet, just the protocols I am concerned with.

The thing is that the signature database I have is very limited,
while the traces that I got are pretty huge,
and they contain a large variety of protocols.
Indeed, I could concentrate only on the protocols I already have,
but that means I would have to throw away a very large part of the data.
So, if I could obtain a larger signature database, I could make better
use of my data.

Thanks again!

Cheers,
Isara
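A minimal illustration of the mixture Sake describes (content signatures first, the port map only as a weaker fallback, everything else labelled "Unknown Protocol"), added here as an example and not code from Wireshark or from either poster; the signatures, port map and packet fragments are all constructed for the illustration:

```python
# Added example (not Wireshark code): signature-first protocol labelling as
# discussed in the thread. Signatures, port map and packets are constructed.
from typing import Callable, List, Tuple

PORT_MAP = {80: "HTTP", 22: "SSH", 25: "SMTP"}

# (protocol, predicate over the first bytes of a possibly truncated payload)
SIGNATURES: List[Tuple[str, Callable[[bytes], bool]]] = [
    ("HTTP", lambda p: any(p.startswith(m) for m in (b"GET ", b"POST ", b"HEAD ", b"PUT "))),
    ("HTTP", lambda p: p.startswith(b"HTTP/1.")),
    ("SSH",  lambda p: p.startswith(b"SSH-")),
    ("SMTP", lambda p: p.startswith(b"220 ") and b"SMTP" in p.upper()),
]

def classify(payload: bytes, dst_port: int, src_port: int = 0) -> Tuple[str, str]:
    """Label one packet; returns (protocol, basis).

    basis is "signature" when payload content matched, "port" when only the
    port map did (weaker evidence, the point raised in the thread), or
    "none" for "Unknown Protocol".
    """
    head = payload[:64]           # a small fraction of the payload is enough
    for proto, matches in SIGNATURES:
        if matches(head):
            return proto, "signature"
    for port in (dst_port, src_port):
        if port in PORT_MAP:
            return PORT_MAP[port], "port"
    return "Unknown Protocol", "none"

# Constructed packets: (payload fragment, dst port). Note the HTTP request on
# port 8080 and the TLS record fragment on port 80, which only the port map
# would call HTTP.
SAMPLE_TRACE = [
    (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n", 8080),
    (b"SSH-2.0-OpenSSH_7.4\r\n", 2222),
    (b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03", 80),
    (b"\x00\x01\x02\x03", 31337),
]

def classify_trace(trace) -> List[Tuple[str, str]]:
    return [classify(payload, dport) for payload, dport in trace]

if __name__ == "__main__":
    for (payload, dport), (proto, basis) in zip(SAMPLE_TRACE, classify_trace(SAMPLE_TRACE)):
        print(f"port {dport:5d}  {proto:17s} ({basis})  {payload[:16]!r}")
```

The `basis` field is what makes a port-only label visible, so a downstream tool can treat those packets with less confidence than signature matches.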