This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello everybody,

I would like to know if it is possible to understand the data sent on a package through a LAN.

Let me explain you my problem, I have two devices connected thanks to a local network (10baseT) and using the IP/TCP protocol. As advised on the Internet, I captured package by using Wireshark and laptop that I connected to the hub located between the two devices.

Indeed, I was able to follow the TCP stream related to the LAN connection. However, the data on the stream are not understandable as they are.

So, I think that the data must be somehow compressed or encrypted before being sent. But, how figure it out?

If anyone has an idea, I'll gladly read it!

Thanks and sorry for my awkward English ;p

asked 04 Mar '13, 07:33

arius57's gravatar image

arius57
16125
accept rate: 0%

However, the data on the stream are not understandable as they are.

What is the protocol you were monitoring? HTTP, HTTPS, anything else? If you can't see a protocol in Wireshark, what is the TCP destination port and what is your expectation about that protocol (what do you think it should be)?

(05 Mar '13, 10:33) Kurt Knochner ♦

I was monitoring a TCP protocol and Wireshark was successfully able to catch and analyze the TCP header of every package. The TCP destination port was number 1126.

On those package, I'm expecting to monitor what kind of command are sent by one device to the other. However, the data on the package described on Wireshark cannot be read in ASCII format for example. I have no idea how I can read them.

(05 Mar '13, 23:23) arius57

However, the data on the package described on Wireshark cannot be read in ASCII format for example. I have no idea how I can read them.

That means the protocol being used is

  • not a text based protocol

and

  • not a protocol that Wireshark knows how to dissect

so you might have to reverse-engineer the protocol by looking at the binary data, or try to find information on that protocols somewhere, for example by seeing whether the makers of the devices have documented it or have said what it is, or by doing a Web search.

permanent link

answered 06 Mar '13, 17:51

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

I think I will have no choice but to reverse engineer the protocol because those devices are no longer provided by the markers. Thanks for the answer by the way :)

(06 Mar '13, 23:43) arius57

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(07 Mar '13, 00:49) grahamb ♦

he package described on Wireshark cannot be read in ASCII format for example

well, then it is either compressed or encrypted data, or a binary protocol. Without any information about the protocol (or products) used, it's hard to give any good advice.

Can you post the capture somewhere (google docs, dropbox, cloudshark.org, etc. - beware the privacy issues!).

Regards
Kurt

permanent link

answered 05 Mar '13, 23:46

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

I can send you a screenshot of a capture on WS by email if you want. Thank you for your answer, I really appreciate your help.

(06 Mar '13, 01:28) arius57

I have also forgotten to tell you that the two devices communicating are: a sun station SPARC5 and a VME147 board.

Those product are very old, so I don't think the data a crypted on a high level. But, that's my point of view which could be wrong, I'm not familiar with this type of communication and products...

(06 Mar '13, 01:35) arius57

I can send you a screenshot of a capture on WS by email if you want.

go ahead. You'll find my email address in my profile.

a sun station SPARC5

You lucky guy. You are for sure one of the last men on earth who own a SPARC 5 ;-)) And it still works ...

(06 Mar '13, 01:48) Kurt Knochner ♦
1

BTW: according to the services file, port 1126 is this:

hpvmmdata 1126/tcp # HP VMM Agent

Is your communication somehow related to HP VMM Agent (whatever that might be)?

(06 Mar '13, 02:02) Kurt Knochner ♦

Yeah this SPARC5 is a survivor!;p

By the way, I sent you an email in the address I found on your website.

(06 Mar '13, 03:06) arius57
1

I've got the image.

BTW: Can you upload the image here? There is nothing in the screenshot that might compromise your data/security.

To me it looks neither encrypted nor compressed. It's rather some form of "binary" protocol. However, without knowledge about the protocol used, its hard to understand what's going on.

What kind of traffic are you monitoring (some form of status update)? What is the client (hardware/software) and what is the server?

(06 Mar '13, 04:03) Kurt Knochner ♦

I cannot upload the image there because my karma is under 60. Sorry.

I'm monitoring an update of an instrument set up operation (voltage in this case).

I set a mass parameter on the SPARC5 (corresponding to a voltage) and the data is send to the VME board through the network. Then, the VME board command an instrument to the voltage I have entered on the SPARC.

It seems that the client is the software on the SPARC and the server is hardware. (no quite sure though)

(06 Mar '13, 06:40) arius57

I cannot upload the image there because my karma is under 60. Sorry.

may I upload it?

I'm monitoring an update of an instrument set up operation (voltage in this case).

OK, so the data in the TCP connection could be voltage values (encoded in some - yet unknown - format).

(06 Mar '13, 08:28) Kurt Knochner ♦

No problem, you can upload it. Thank you as I can't do it myself ;p

(06 Mar '13, 08:43) arius57

I can't upload it either, as there is currently an error message, coming from ask.wireshark.org.

Error uploading file. Please contact the site administrator. Thank you. [Errno 13] Permission denied: '/web/ask.wireshark.org/osqa/forum/upfiles/Capture_pck.jpg'
(06 Mar '13, 08:52) Kurt Knochner ♦

Ah, that's weird...

(06 Mar '13, 09:04) arius57
showing 5 of 11 show 6 more comments
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×1,620
×752
×178
×122
×89

question asked: 04 Mar '13, 07:33

question was seen: 4,605 times

last updated: 07 Mar '13, 00:49

p​o​w​e​r​e​d by O​S​Q​A