
Wireshark-users: Re: [Wireshark-users] Protocol Identification using Payload Content

From: Sake Blok <sake@xxxxxxxxxx>
Date: Mon, 5 May 2008 22:40:17 +0200
On Mon, May 05, 2008 at 09:12:34PM +0200, Isara Anantavrasilp wrote:
> 
> First of all, I am sorry if my question is not directly related to Wireshark.
> (Actually, I really have no idea where to ask exactly.)
> 
> Anyway, my problem is as follows.
> I need to identify the protocols of the packets in some packet traces.
> In these traces, some small fractions of payloads are available (not
> only headers but not really full-payload).
> As far as I know, Wireshark can identify the protocols of these packets.
> This is done by matching the packet transportation ports to the
> known application ports.
> 
> However, this method is not reliable. So I would like to identify the
> protocol with protocol signature instead.
> And by "protocol signatures", I mean the specific strings or contents
> of the protocols.
> (Like some HTTP packets got "GET" or "POST" in the packets.)
> 
> Can this be done by Wireshark?

Yes and no. Wireshark uses a mixture of port-mappings, heuristics
(i.e. signatures) and protocol data of other packets to determine
which dissector should dissect a packet.

However, not all dissectors have some heuristics in place. So I think
you could learn from the Wireshark dissectors to establish a base
of signatures for your program, but it will be far from complete.

> Do you have any idea where I can get such a list of protocol signatures?

I would suggest looking at some code of Intrusion Detection systems.

> (It is most likely that I would have to develop an automated
> application for the identification.)

Do you need to label each and every packet to whatever exotic protocol
it might contain? Or would having signatures for a defined list of protocols
be sufficient, marking all the other packets to "Unknown Protocol"?

Cheers,
    Sake
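To make the point of the thread concrete, here is an added example (not code from Wireshark, whose heuristic dissectors are written in C, and not from either poster) of the mixed approach Sake describes: try payload signatures first, fall back to a port mapping with lower confidence, and label everything else "Unknown Protocol". The signature table and the sample packets are constructed for illustration; the byte prefixes are the well-known opening bytes of HTTP, SSH, TLS and BitTorrent, but a real classifier would need far stricter checks (length fields, header parsing) and many more entries. It also handles the truncated-payload case the original question raises: when the captured fragment is shorter than a signature, the match is reported as "partial" rather than as a confirmed hit.

```python
"""Payload-signature protocol identification with port fallback.

Added example, not Wireshark's own code. The signature table below is a
constructed, deliberately small illustration of the idea; Wireshark's
real heuristics live in its C dissectors and check much more.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

UNKNOWN = "Unknown Protocol"


@dataclass(frozen=True)
class Signature:
    protocol: str
    prefix: bytes  # bytes the payload must start with


# Constructed signature table. Each prefix is anchored at payload offset 0.
SIGNATURES = [
    Signature("HTTP", b"GET "),
    Signature("HTTP", b"POST "),
    Signature("HTTP", b"HEAD "),
    Signature("HTTP", b"HTTP/1."),                  # server response line
    Signature("SSH", b"SSH-"),                      # SSH version banner
    Signature("TLS", b"\x16\x03"),                  # TLS handshake record header
    Signature("BitTorrent", b"\x13BitTorrent protocol"),
]

# Port mapping used only when no payload signature matches (assumed table).
PORT_HINTS = {22: "SSH", 80: "HTTP", 443: "TLS"}


def classify(payload: bytes, port: Optional[int] = None) -> tuple[str, str]:
    """Return (protocol, confidence).

    confidence is one of:
      "signature" - payload starts with a full known signature
      "partial"   - payload is shorter than a signature but is a prefix of
                    exactly one of them (fragment too short to be sure)
      "port"      - no signature matched; label comes from the port mapping
      "none"      - nothing matched; protocol is UNKNOWN
    """
    # 1. Full signature match at the start of the payload.
    for sig in SIGNATURES:
        if payload.startswith(sig.prefix):
            return sig.protocol, "signature"

    # 2. Truncated payload: the fragment may be a prefix of a signature.
    partial = {
        sig.protocol
        for sig in SIGNATURES
        if payload and len(payload) < len(sig.prefix) and sig.prefix.startswith(payload)
    }
    if len(partial) == 1:
        return partial.pop(), "partial"

    # 3. Fall back to the port mapping, which is the less reliable method.
    if port in PORT_HINTS:
        return PORT_HINTS[port], "port"

    return UNKNOWN, "none"


def classify_trace(packets: list[tuple[bytes, int]]) -> Counter:
    """Count protocols over a list of (payload, port) pairs."""
    return Counter(classify(payload, port)[0] for payload, port in packets)


# Constructed sample packets (payload fragment, destination port).
SAMPLE_PACKETS = [
    (b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n", 8080),  # HTTP on odd port
    (b"SSH-2.0-OpenSSH_7.4\r\n", 22),
    (b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03", 443),            # TLS ClientHello start
    (b"\x13BitTor", 6881),                                              # truncated handshake
    (b"\x00\x01\x02\x03", 80),                                          # unknown bytes, port 80
    (b"\x00\x01\x02", 12345),
]

if __name__ == "__main__":
    for payload, port in SAMPLE_PACKETS:
        proto, conf = classify(payload, port)
        print(f"port {port:5d}  {proto:16s} ({conf})  {payload[:12]!r}")
    print(classify_trace(SAMPLE_PACKETS))
```

The first sample packet is the case that motivates the thread: a port-only classifier would label HTTP on port 8080 as unknown, while the signature catches it. The fourth shows the truncated-fragment case, reported as "partial" so that a downstream consumer can treat it differently from a confirmed match.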