Application layer Protocols

Hi,

How can I find out what application protocol the data in a TCP packet belongs to?
(example: if it is FTP, HTTP, MSN Messenger, etc.)

I got the packets from an NDIS Protocol Driver

Thanks!!
Regards

The short answer is, you look inside the packets and the data stream.

If quick decisions are to be made, then people often use the IANA
assigned port numbers to decide which protocol is being transmitted.

e.g. FTP server is assigned port 21.
HTTP server is assigned port 80

This can be easily fooled by moving the servers to bind to other ports.

So to get truly meaningful analysis of what is going on you need to
not just inspect the TCP packet, but maintain stateful information
across the TCP stream. I.e. looking at 1492 bytes in a TCP packet
that is the 4635th packet in 10 GB stream is not going to tell you
anything unless you’ve statefully tracked the TCP stream from its creation.

For some ideas about protocol and stream analysis you might want to
look at the Wireshark sources and the Microsoft NetMon SDK could have
some useful info.

Mark.

At 13:12 25/02/2011, xxxxx@hotmail.com wrote:

Hi,

How can I find out what application protocol the data in a TCP
packet belongs to?
(example: if it is FTP, HTTP, MSN Messenger, etc.)

I got the packets from an NDIS Protocol Driver

Thanks!!
Regards

I see, so I must look at the data of multiple packets in a stream and determine what the protocol is.
However, I have a question: what about proprietary protocols? (i.e. I can't determine what they are by looking at the data since I don't know the protocol definition.)

xxxxx@hotmail.com wrote:

I see, so I must look at the data of multiple packets in a stream and determine what the protocol is.
However, I have a question: what about proprietary protocols? (i.e. I can't determine what they are by looking at the data since I don't know the protocol definition.)

There is no way, of course. I would hope that is obvious. Step back
and think about the problem. You are handed a random block of bytes,
and asked to answer the question “what is this?” Except for a few
well-known cases, that question is virtually impossible to answer.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

At 15:24 25/02/2011, xxxxx@hotmail.com wrote:

I see, so I must look at the data of multiple packets in a stream
and determine what the protocol is.
However, I have a question: what about proprietary protocols? (i.e. I can't
determine what they are by looking at the data since I don't know
the protocol definition.)

Yes, you almost always need to see the stream from its creation in
order to know what the data in any packet means. Too many people
forget that TCP is a stream and not a block protocol, it provides no
facility for aligning and sending data on known boundaries. Quite
often on a local network you may see TCP packets that appear to
contain consistent formatting, but this is misleading since it is
perfectly legal for TCP to be reduced to sending 1 byte, or any size
that a congested router feels it can send at the time.

Why are you worried about proprietary protocols? If you don't have
a document describing the protocol, how on earth do you expect to be
able to write a decoder for it, barring lots of hard work reverse
engineering packet captures?

What is it you're doing here? Attempting to write some sort of firewall?

Mark.
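The stateful, content-based approach Mark describes (track the stream from its creation instead of trusting the port number or any one segment), as an added example that is not code from this thread. It assumes the caller has already grouped segments by their 4-tuple and saw the flow's first segment, and it uses constructed signatures and a constructed HTTP request split into out-of-order pieces.

```python
# Added example, not code from the thread: reassemble a TCP flow in sequence
# order and classify the start of the stream, not the port or one segment.
from dataclasses import dataclass, field

# Constructed prefix signatures for the start of a stream (client request or
# server banner); a real classifier needs far more than this.
SIGNATURES = {
    "HTTP": (b"GET ", b"POST ", b"HEAD ", b"HTTP/1."),
    "FTP": (b"220 ", b"220-", b"USER "),
}
IANA_HINT = {21: "FTP", 80: "HTTP"}  # the "quick decision" lookup

def classify_bytes(data):
    """Match the leading bytes only; None if nothing is recognised."""
    for proto, prefixes in SIGNATURES.items():
        if data.startswith(prefixes):
            return proto
    return None

@dataclass
class Flow:
    """One direction of a TCP connection (caller keys it by 4-tuple). Assumes
    the first segment handed in carries the initial sequence number, i.e. the
    flow has been tracked from its creation as the thread recommends."""
    isn: int
    chunks: dict = field(default_factory=dict)  # seq -> payload

    def add(self, seq, payload):
        self.chunks[seq] = payload

    def stream(self):
        """Concatenate contiguous bytes from the ISN; stop at the first gap."""
        out, nxt = bytearray(), self.isn
        for seq in sorted(self.chunks):
            data = self.chunks[seq]
            if seq > nxt:              # hole: a segment is still missing
                break
            out += data[nxt - seq:]    # skip bytes already seen (overlap)
            nxt = max(nxt, seq + len(data))
        return bytes(out)

def demo():
    """HTTP on port 8080, sent as tiny segments that arrive out of order."""
    req = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    pieces = [(1000, req[:1]), (1001, req[1:5]), (1005, req[5:])]
    flow, per_segment = Flow(isn=1000), []
    for seq, data in reversed(pieces):      # last piece arrives first
        per_segment.append(classify_bytes(data))
        flow.add(seq, data)
    return IANA_HINT.get(8080), per_segment, classify_bytes(flow.stream())
```

The port lookup and every per-segment match come back empty; only the reassembled stream identifies the request as HTTP, and a missing segment stops reassembly at the gap rather than producing a misleading partial answer.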

The aim is to record every type of packet that enters the system.

(i.e. if it's an HTTP packet, record that an HTTP packet entered, etc.)

Is there a better way to do this?

Thanks for all your replies!!!