Dailydave mailing list archives

Re: Unknown Application Protocol Analysis


From: Matt Beaumont <mattb () cs ucla edu>
Date: Wed, 6 Sep 2006 11:15:28 -0700

On Wed, Sep 06, 2006 at 22:59:31 +0800, Rhys Kidd wrote:
> I know it's fairly easy to look at small subsets of traffic manually,
> looking for the \x00 and slowly guess-timate where fields begin and end,
> what constitutes a record, what are static offsets etc, but I'm imagining a
> tool that would take in a batch of traffic and work out roughly what's what,
> seeing the big picture.
>
> I'd imagine this tool would run a first check, looking for what might
> constitute discrete units of information, (possibly all those bounded by
> \x00).

Look into Marshall Beddoe's "Protocol Informatics" research (unfortunately,
his website has been defunct for a while), and "Protocol-Independent Adaptive
Replay of Application Dialog" [1], by Cui et al. Not quite sure if that's what
you're after, but even if not, trawling through the references in the latter
work might get you somewhere.

Cheers,
Matt

[1] http://www.icsi.berkeley.edu/pubs/networking/CPWK06.pdf
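The first pass Rhys sketches above (split a batch of captures on \x00, then look for static offsets) as an added Python illustration; this is not code from the thread or from the cited papers, and the protocol layout and the four messages are constructed for the example:

```python
from collections import Counter

# Constructed sample capture of a made-up binary protocol (hypothetical, not
# from the post). Layout: 2-byte magic, 1-byte version, 1-byte type,
# 4-byte big-endian counter, NUL-terminated name, NUL-terminated payload.
SAMPLE_MESSAGES = [
    b"\x13\x37\x01\x01" + b"\x00\x00\x00\x01" + b"alice\x00" + b"hello\x00",
    b"\x13\x37\x01\x01" + b"\x00\x00\x00\x02" + b"bob\x00" + b"hi there\x00",
    b"\x13\x37\x01\x02" + b"\x00\x00\x00\x03" + b"carol\x00" + b"bye\x00",
    b"\x13\x37\x01\x01" + b"\x00\x00\x00\x04" + b"dave\x00" + b"ok\x00",
]


def nul_bounded_units(msg: bytes) -> list:
    """First pass from the post: treat every NUL (0x00) byte as a boundary."""
    return msg.split(b"\x00")


def static_offsets(messages: list, min_share: float = 1.0) -> list:
    """Offsets (within the shortest message) whose byte value agrees in at
    least `min_share` of the messages: candidates for magic, version, padding."""
    width = min(len(m) for m in messages)
    static = []
    for off in range(width):
        _, top = Counter(m[off] for m in messages).most_common(1)[0]
        if top / len(messages) >= min_share:
            static.append(off)
    return static


def contiguous_runs(offsets: list) -> list:
    """Group sorted offsets into (start, end_inclusive) runs; one run is a
    candidate static field rather than a series of unrelated single bytes."""
    runs = []
    for off in offsets:
        if runs and runs[-1][1] == off - 1:
            runs[-1] = (runs[-1][0], off)
        else:
            runs.append((off, off))
    return runs


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(nul_bounded_units(m))
    print(contiguous_runs(static_offsets(SAMPLE_MESSAGES)))
```

On this sample the naive split yields empty units from the counter's zero bytes and glues the counter's last byte onto the name, and the counter's high bytes look "static" only because the values are small; a delimiter-and-offset pass is a starting point, not a field model.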