Hi,
thanks a lot for the reply!
Followings are my reply to your suggestions.
On Mon, May 5, 2008 at 10:40 PM, Sake Blok <sake@xxxxxxxxxx> wrote:
> On Mon, May 05, 2008 at 09:12:34PM +0200, Isara Anantavrasilp wrote:
> >
> > First of all, I am sorry if my question is not directly related to Wireshark.
> > (Actually, I really have no idea where to ask exactly.)
> >
> > Anyway, my problem is as follows.
> > I need to identify the protocols of the packets in some packet traces.
> > In these traces, some small fractions of payloads are available (not
> > only headers but not really full-payload).
> > As far as I know, Wireshark can identify the protocols of these packets.
> > This it is done by matching the packet transportation ports to the
> > known application ports.
> >
> > However, this method is not reliable. So I would like to identify the
> > protocol with protocol signature instead.
> > And by "protocol signatures", I mean the specific strings or contents
> > of the protocols.
> > (Like some HTTP packets got "GET" or "POST" in the packets.)
> >
> > Can this be done be Wireshark?
>
> Yes and no, Wireshark uses a mixture of port-mappings, heuristics
> (ie signatures) and protocol data of other packets to determine
> which dissector should dissect a packet.
So, you mean that when Wireshark tells me that packet X belongs to
protocol Y, it doesnt use just transportation port?
>
> However, not all dissectors have some heuristics in place. So I think
> you could learn from the Wireshark dissectors to establish a base
> of signatures for your program, but it will be far from complete.
I suppose I should look at the Wireshark code then.
I hate to ask, but does anyone know where (roughly) these heuristics are?
I believe they must be stored on some files, right?
>
>
> > Do you have any idea where I can get such a list protocol signatures?
>
> I would suggest looking at some code of Intrusion Detection systems.
>
>
> > (It is most likely that I would have to develop an automated
> > application for the identification.)
>
> Do you need to label each and every packet to whatever exotic protocol
> it might contain? Or would having signatures for a defined list of protocols
> be sufficient, marking all the other packets to "Unknown Protocol"?
>
No, I do not have to specify every packets. Just the protocols I am concerned.
The thing is that the signature database I have is very much limited
while the traces that I got are pretty huge.
And they contain large varieties of protocols.
Indeed, I could concentrate only on the protocols already have,
but that means I would have to throw away a very large part of the data.
So, if I could obtain larger signature database, I can make a better
use of my data.
Thanks again!
Cheers,
Isara
