This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Using Packets to Differentiate Between Protocols

0

Hi, I am new to Wireshark. I am hoping to identify and obtain information about the different protocols on the basis of the packet transfers.

To clarify further, I am hoping to differentiate between HTTP, FTP, IMAP and POP3 by analyzing the packets.

I am thinking of using Capture Filters to simplify my task. But I am not sure how to approach the problem.

I have done some research. I need to find out the total file size. I can get this information by analyzing the packet immediately following the GET request in the case of an HTTP download, and use the ACK value to estimate the current number of bytes downloaded. But how do I solve this in the case of other protocols?

I am hoping to seek information about the Percentage Downloaded, time remaining.

Any help regarding the approach will be highly appreciated. Thanks, Yuvi

This question is marked "community wiki".

asked 01 Aug '12, 09:27


Yuvi
1111
accept rate: 0%

Just out of curiosity: what is the reason for trying to do things this way if you are using Wireshark?

Wireshark already does the dissection/classification for you. :)

What kind of analysis, exactly, are you trying to do?

You can capture the data and then filter as needed to see different protocols, the bytes for each protocol, etc, etc depending upon your needs.

(01 Aug '12, 09:37) Bill Meier ♦♦

Hi Bill,

Thank you for the quick reply.

I want to write a Java program that will do this classification by scanning the packets. I also want to obtain other information like total file size, bytes downloaded, time remaining etc.

I assume that I can create a Capture Filter to perform this kind of analysis. So what capture filters should I apply to classify these packets?

I understand that Wireshark does it already. It's just that I want a Java program to do this so that I can use it for further analysis.

Best Regards, Yuvi

(01 Aug '12, 10:08) Yuvi

I am hoping to seek information about the Percentage Downloaded, time remaining.

"Percentage Downloaded"...
"time remaining"...

Do you want to analyze a "download" while it takes place, to build something like a (forensic) monitoring system (as suggested by the list of protocols)? Can you please add some more information about your plans?

(01 Aug '12, 10:23) Kurt Knochner ♦

@Kurt: Yes. That's one of my goals.

Please see the image attached. It is a sample Pcap file. The client initiates a GET request to download a file.

The server returns some information about the file. It returns the content length. I want to capture this information.

And then, as each ACK is received, I will obtain the number of bytes that have been downloaded.

This is my approach for HTTP request. I guess that I need to build some kind of Capture to store this information.

I want to come up with a similar approach for other protocols too.

Thanks.

Best Regards, Yuvi

(01 Aug '12, 10:49) Yuvi

One Answer:

1

I'm not sure if Wireshark is the right tool for your system design. I recommend looking at Java wrappers for libpcap.

- jNetPcap - http://jnetpcap.com/
- Jpcap - http://netresearch.ics.uci.edu/kfujii/Jpcap/doc/

Regards
Kurt

answered 01 Aug '12, 11:28


Kurt Knochner ♦
24.8k1039237
accept rate: 15%

@Kurt Great. This one seems like a wonderful library. So before I dig deep into this library, can you help me in designing the approach for other protocols?

I need to find out a few major pieces of information like total file size, bytes received, timestamp, source and destination IP address.

I assume that my approach for HTTP is correct (hopefully).

Please help me with the following:

1. Can you help me design a capture filter so that I view only the relevant packets which contain the information that I need?
2. Generate capture filters for the other possible protocols like FTP, IMAP, POP3. (I guess this is too much to ask for. But any help would be appreciated. :) )

I think that designing this approach would be helpful before implementation.

Thanks.

Yuvi

(01 Aug '12, 12:03) Yuvi
1

I need to find out a few major pieces of information like total file size, bytes received, timestamp, source and destination IP address.

File Size

Unfortunately you cannot determine the "total file size" in a reliable way while the download takes place.

  • HTTP: There is an HTTP response header called 'Content-Length', which will tell the HTTP client how much data to expect. However, that header is not always sent by the server, especially if the content is generated dynamically.

  • FTP: There is a SIZE command in FTP that tells a client the size of an object. However, it is not required to use that command.

  • POP3 and IMAP: similar situation

Conclusion: It is impossible to determine the size of a "requested object" in advance, at least not in a deterministic way.

Bytes Received

No problem. Just count the bytes received yourself.

Timestamp

No problem. Take the current system time of your capturing system as soon as you see the response from the server.

Source and Destination IP address

No problem either, as libpcap will provide that information.

(01 Aug '12, 16:31) Kurt Knochner ♦
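An added example, not from the original thread and not jNetPcap code, written in Python rather than the Java the asker plans: it parses constructed Ethernet/IPv4/TCP frames, classifies a flow by the server port, reads Content-Length when an HTTP response carries it and otherwise leaves the total unknown (so no percentage can be computed, as Kurt explains), and counts received bytes and elapsed time per flow. The frame layout, addresses and payloads are constructed, and `build_frame` and `DownloadTracker` are hypothetical names.

```python
import struct

PORTS = {80: "HTTP", 21: "FTP", 143: "IMAP", 110: "POP3"}  # server port -> protocol

def build_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame without options, just enough for the demo."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

class DownloadTracker:
    """Counts server->client payload bytes per flow; 'total' is known only for HTTP with Content-Length."""
    def __init__(self):
        self.flows = {}

    def feed(self, frame, ts):
        ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length
        ip_len = struct.unpack("!H", frame[16:18])[0]     # IPv4 total length
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        t = 14 + ihl                                      # start of TCP header
        sport, dport = struct.unpack("!HH", frame[t:t + 4])
        payload = frame[t + (frame[t + 12] >> 4) * 4: 14 + ip_len]
        proto = PORTS.get(sport)
        if proto is None or not payload:                  # only server->client data counts
            return None
        key = (src, sport, dst, dport)
        flow = self.flows.get(key)
        if flow is None:
            total = None
            if proto == "HTTP" and payload.startswith(b"HTTP/"):
                head, _, payload = payload.partition(b"\r\n\r\n")   # body bytes only
                for line in head.split(b"\r\n")[1:]:
                    name, _, value = line.partition(b":")
                    if name.strip().lower() == b"content-length":
                        total = int(value)
            flow = self.flows[key] = {"protocol": proto, "server": src, "client": dst,
                                      "total": total, "received": 0, "start": ts}
        flow["received"] += len(payload)
        flow["elapsed"] = ts - flow["start"]
        # Percentage is only meaningful when the server announced a size up front.
        flow["percent"] = 100.0 * flow["received"] / flow["total"] if flow["total"] else None
        return dict(flow)
```

Timestamps would come from the pcap header of each packet; here they are passed in as floats.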

Fantastic. Thank you so very much. Can you please elaborate on what you meant by "However, it is not required to use that command"

in

"FTP: There is a SIZE command in FTP that tells a client the size of an object. However, it is not required to use that command."

Thank you for clarifying everything else. It's a great start for me.

(02 Aug '12, 06:11) Yuvi

It means you cannot determine the size of an object in a sniffer while a transfer takes place.

(02 Aug '12, 06:20) Kurt Knochner ♦