Dailydave mailing list archives
Re: Unknown Application Protocol Analysis
From: Matt Beaumont <mattb () cs ucla edu>
Date: Wed, 6 Sep 2006 11:15:28 -0700
On Wed, Sep 06, 2006 at 22:59:31 +0800, Rhys Kidd wrote:
> I know it's fairly easy to look at small subsets of traffic manually, looking for the \x00 and slowly guess-timate where fields begin and end, what constitutes a record, what are static offsets etc., but I'm imagining a tool that would take in a batch of traffic and work out roughly what's what, seeing the big picture. I'd imagine this tool would run a first check, looking for what might constitute discrete units of information (possibly all those bounded by \x00).
Look into Marshall Beddoe's "Protocol Informatics" research (unfortunately, his website has been defunct for a while), and "Protocol-Independent Adaptive Replay of Application Dialog" [1], by Cui et al. Not quite sure if that's what you're after, but even if not, trawling through the references in the latter work might get you somewhere.

Cheers,
Matt

[1] http://www.icsi.berkeley.edu/pubs/networking/CPWK06.pdf

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
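The "first check" Rhys sketches above (treat everything bounded by \x00 as a candidate unit, then compare positions across a batch to see which are static and which vary) is small enough to prototype directly. The script below is an added example written for this archive page, not code from the thread, from Beddoe's Protocol Informatics work or from the Cui et al. paper; the three sample messages are constructed, not captured traffic, and the delimiter, field names and output format are my own choices. It splits each message on the delimiter, summarizes each token position across the batch (presence, distinct values, length range, static or not), and separately reports byte offsets that never change, which is the usual starting point for spotting magic values and fixed-position terminators when building a parser or a detection signature for an undocumented protocol.

```python
"""
First-pass structure inference over a batch of messages from an unknown
binary protocol: split each message on a candidate delimiter (\x00 here),
then compare the pieces across messages to flag constant fields, variable
fields, and byte offsets that never change.
"""
from collections import Counter
from typing import Iterable

DELIM = b"\x00"  # assumed delimiter; swap in whatever the traffic suggests


def tokenize(msg: bytes, delim: bytes = DELIM) -> list[bytes]:
    """Split one message into the units bounded by the delimiter.

    A trailing delimiter yields an empty final token; drop it so a
    terminator is not mistaken for an extra empty field.
    """
    parts = msg.split(delim)
    if parts and parts[-1] == b"":
        parts.pop()
    return parts


def summarize_fields(messages: Iterable[bytes], delim: bytes = DELIM) -> list[dict]:
    """Describe each token position across the batch.

    For position i: how many messages have it, how many distinct values were
    seen, the length range, and whether it is static (identical everywhere).
    """
    token_lists = [tokenize(m, delim) for m in messages]
    if not token_lists:
        return []
    width = max(len(t) for t in token_lists)
    summary = []
    for i in range(width):
        values = [t[i] for t in token_lists if i < len(t)]
        counts = Counter(values)
        summary.append({
            "index": i,
            "present_in": len(values),
            "distinct": len(counts),
            "static": len(counts) == 1 and len(values) == len(token_lists),
            "min_len": min(len(v) for v in values),
            "max_len": max(len(v) for v in values),
            "sample": counts.most_common(1)[0][0],
        })
    return summary


def static_offsets(messages: list[bytes]) -> list[int]:
    """Byte offsets (up to the shortest message) whose value never changes.

    Runs of such offsets are candidate magic numbers, version bytes or
    fixed-position terminators.
    """
    if not messages:
        return []
    shortest = min(len(m) for m in messages)
    return [
        off for off in range(shortest)
        if len({m[off] for m in messages}) == 1
    ]


def runs(offsets: list[int]) -> list[tuple[int, int]]:
    """Collapse sorted offsets into [start, end) ranges for readability."""
    ranges: list[tuple[int, int]] = []
    for off in offsets:
        if ranges and ranges[-1][1] == off:
            ranges[-1] = (ranges[-1][0], off + 1)
        else:
            ranges.append((off, off + 1))
    return ranges


# Constructed sample batch (not real captured traffic): a 3-byte tag,
# a one-byte sequence number, a name and a command, each NUL-terminated.
SAMPLE = [
    b"MSG\x00\x01\x00alice\x00login\x00",
    b"MSG\x00\x02\x00bob\x00login\x00",
    b"MSG\x00\x03\x00carol\x00logout\x00",
]

if __name__ == "__main__":
    for f in summarize_fields(SAMPLE):
        kind = "static" if f["static"] else "variable"
        print(f"field {f['index']}: {kind:8} len {f['min_len']}-{f['max_len']} "
              f"distinct={f['distinct']} sample={f['sample']!r}")
    print("constant byte runs:", runs(static_offsets(SAMPLE)))
```

On the sample batch the token view reports field 0 as static (`MSG`), field 1 as a one-byte value with three distinct values, field 2 as a variable-length string, and field 3 as drawing from a small vocabulary; the byte view reports offsets 0-3 and 5 as constant, i.e. the tag plus the terminator after the fixed-width sequence byte. The two views disagree on purpose: offset-based constancy catches fixed-width headers that delimiter splitting cannot, while delimiter splitting survives the variable-length name that shifts every later byte offset. Real traffic also needs a step this prototype omits, namely grouping messages by direction and by their leading static bytes before comparing, otherwise request and response formats get averaged into noise.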