[Dailydave] Unknown Application Protocol Analysis
Matt Beaumont
mattb at cs.ucla.edu
Wed Sep 6 13:15:28 EST 2006
On Wed, Sep 06, 2006 at 22:59:31 +0800, Rhys Kidd wrote:
> I know it's fairly easy to look at small subsets of traffic manually,
> looking for the \x00 and slowly guess-timate where fields begin and end,
> what constitutes a record, what are static offsets, etc., but I'm imagining a
> tool that would take in a batch of traffic and work out roughly what's what,
> seeing the big picture.
>
> I'd imagine this tool would run a first check, looking for what might
> constitute discrete units of information, (possibly all those bounded by
> \x00).
Look into Marshall Beddoe's "Protocol Informatics" research (unfortunately,
his website has been defunct for a while), and "Protocol-Independent Adaptive
Replay of Application Dialog" [1], by Cui et al. Not quite sure if that's what
you're after, but even if not, trawling through the references in the latter
work might get you somewhere.
Cheers,
Matt
[1] http://www.icsi.berkeley.edu/pubs/networking/CPWK06.pdf
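Added example, not part of the original thread or of Beddoe's Protocol Informatics code: the two heuristics the question sketches, run over a constructed batch of messages. The first finds offsets at which every message carries a \x00 (candidate static field boundaries). The second does what PI did at the byte level, a Needleman-Wunsch global alignment, here in a simplified star layout against the longest message, and labels each reference offset as static, variable, or variable-length. The message format (a 2-byte constant, a 1-byte sequence number, a \x00, a NUL-terminated name) and the scoring constants are assumptions chosen for the demonstration.

```python
from typing import List, Optional, Sequence, Set, Tuple

Aligned = List[Optional[int]]  # byte value per column, None marks a gap

# Constructed sample traffic (assumed toy format, not from any real protocol):
# 2-byte constant, 1-byte sequence number, \x00, NUL-terminated name.
MESSAGES = [
    b"\x10\x00\x01\x00alice\x00",
    b"\x10\x00\x02\x00bob\x00",
    b"\x10\x00\x03\x00carol\x00",
]


def common_nul_offsets(messages: Sequence[bytes]) -> Set[int]:
    """Offsets at which every message has a \\x00: likely static delimiters."""
    per_message = [{i for i, b in enumerate(m) if b == 0} for m in messages]
    return set.intersection(*per_message)


def needleman_wunsch(a: bytes, b: bytes, match: int = 1, mismatch: int = -1,
                     gap: int = -2) -> Tuple[Aligned, Aligned]:
    """Global alignment of two byte strings (the algorithm PI applied to traffic).
    Returns the two sequences padded with None where a gap was inserted."""
    n, m = len(a), len(b)
    # score[i][j]: best score for aligning a[:i] with b[:j]
    score = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        score[i][0] = i * gap
    for j in range(1, m + 1):
        score[0][j] = j * gap
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            diag = score[i - 1][j - 1] + (match if a[i - 1] == b[j - 1] else mismatch)
            up = score[i - 1][j] + gap      # gap in b
            left = score[i][j - 1] + gap    # gap in a
            score[i][j] = max(diag, up, left)
    # Trace back from the corner; on ties prefer a substitution, then a gap in b.
    i, j = n, m
    out_a: Aligned = []
    out_b: Aligned = []
    while i > 0 or j > 0:
        if i > 0 and j > 0 and score[i][j] == score[i - 1][j - 1] + (
                match if a[i - 1] == b[j - 1] else mismatch):
            out_a.append(a[i - 1]); out_b.append(b[j - 1]); i -= 1; j -= 1
        elif i > 0 and score[i][j] == score[i - 1][j] + gap:
            out_a.append(a[i - 1]); out_b.append(None); i -= 1
        else:
            out_a.append(None); out_b.append(b[j - 1]); j -= 1
    out_a.reverse()
    out_b.reverse()
    return out_a, out_b


def infer_fields(messages: Sequence[bytes]) -> str:
    """Align every message against the longest one and classify each reference
    offset: 'S' same byte in all messages, 'V' differing bytes, '?' at least one
    message has a gap here (a variable-length region). Simplification: bytes a
    message inserts relative to the reference are dropped, so the result has
    exactly one character per reference byte."""
    ref_idx = max(range(len(messages)), key=lambda k: len(messages[k]))
    ref = messages[ref_idx]
    columns: List[Aligned] = [[byte] for byte in ref]
    for idx, msg in enumerate(messages):
        if idx == ref_idx:
            continue
        al_ref, al_msg = needleman_wunsch(ref, msg)
        k = 0
        for r, observed in zip(al_ref, al_msg):
            if r is None:
                continue  # insertion relative to the reference; not represented
            columns[k].append(observed)
            k += 1
    labels = []
    for col in columns:
        if None in col:
            labels.append("?")
        elif len(set(col)) == 1:
            labels.append("S")
        else:
            labels.append("V")
    return "".join(labels)


if __name__ == "__main__":
    ref = max(MESSAGES, key=len)
    print("ref   :", " ".join(f"{b:02x}" for b in ref))
    print("fields:", "  ".join(infer_fields(MESSAGES)))
    print("common \\x00 offsets:", sorted(common_nul_offsets(MESSAGES)))
```

With gap penalties larger than a mismatch, the alignment only opens gaps where a shorter message genuinely lacks bytes, so the constant header and the sequence-number byte line up across all three samples while the name region shows up as variable and variable-length. On real captures, the star layout is the weak point: PI built a proper multiple alignment (progressive alignment guided by a similarity tree), which is the next step if the reference message happens to be an outlier.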