This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is it possible to find how data are encoded on a LAN connection?

Hello everybody,

I would like to know if it is possible to understand the data sent in a packet through a LAN.

Let me explain my problem. I have two devices connected through a local network (10BaseT) and using the TCP/IP protocol. As advised on the Internet, I captured packets using Wireshark on a laptop that I connected to the hub located between the two devices.

Indeed, I was able to follow the TCP stream related to the LAN connection. However, the data on the stream are not understandable as they are.

So, I think that the data must be somehow compressed or encrypted before being sent. But how do I figure it out?

If anyone has an idea, I'll gladly read it!

Thanks and sorry for my awkward English ;p

asked 04 Mar '13, 07:33

arius57

However, the data on the stream are not understandable as they are.

What is the protocol you were monitoring? HTTP, HTTPS, anything else? If you can't see a protocol in Wireshark, what is the TCP destination port and what is your expectation about that protocol (what do you think it should be)?

(05 Mar '13, 10:33) Kurt Knochner ♦

I was monitoring a TCP protocol and Wireshark was successfully able to catch and analyze the TCP header of every packet. The TCP destination port was number 1126.

In those packets, I'm expecting to see what kind of commands are sent by one device to the other. However, the data in the packets shown in Wireshark cannot be read in ASCII format, for example. I have no idea how I can read them.

(05 Mar '13, 23:23) arius57

2 Answers:

However, the data in the packets shown in Wireshark cannot be read in ASCII format, for example. I have no idea how I can read them.

That means the protocol being used is

  • not a text based protocol

and

  • not a protocol that Wireshark knows how to dissect

so you might have to reverse-engineer the protocol by looking at the binary data, or try to find information on that protocol somewhere, for example by seeing whether the makers of the devices have documented it or have said what it is, or by doing a Web search.

answered 06 Mar '13, 17:51

Guy Harris ♦♦

I think I will have no choice but to reverse engineer the protocol because those devices are no longer provided by the makers. Thanks for the answer by the way :)

(06 Mar '13, 23:43) arius57

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(07 Mar '13, 00:49) grahamb ♦

The data in the packets shown in Wireshark cannot be read in ASCII format, for example

Well, then it is either compressed or encrypted data, or a binary protocol. Without any information about the protocol (or products) used, it's hard to give any good advice.

Can you post the capture somewhere (Google Docs, Dropbox, cloudshark.org, etc.; beware the privacy issues!)?

Regards
Kurt

answered 05 Mar '13, 23:46

Kurt Knochner ♦
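Both answers above reduce to the same triage: is the payload text, compressed/encrypted, or a structured binary protocol, and if the latter, where in it does a value you already know (the voltage typed on the SPARC) live? The script below is an added example, not code from the thread or from Wireshark; the payload layout (sequence number, float32, trailer) is constructed for illustration, and big-endian encoding is assumed because both the SPARC and the 68k-based VME147 are big-endian machines.

```python
import math
import struct
from collections import Counter

# Constructed stand-in for one TCP segment's payload on port 1126: a 2-byte
# sequence number, a big-endian float32 (the voltage 12.5) and a 2-byte
# trailer. Invented layout, not real SPARC/VME traffic.
SAMPLE_PAYLOAD = b"\x00\x01" + struct.pack(">f", 12.5) + b"\x00\xff"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: compressed or encrypted data sits near 8.0, while
    structured binary with padding and small integers is usually well below 6."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of printable ASCII bytes; text protocols approach 1.0."""
    return sum(0x20 <= b < 0x7F for b in data) / len(data) if data else 0.0


def classify(data: bytes) -> str:
    """Coarse triage of a stream. Feed it the concatenated payload of many
    segments: entropy says nothing about a handful of bytes."""
    if printable_ratio(data) > 0.9:
        return "text"
    if len(data) >= 256 and shannon_entropy(data) > 7.5:
        return "compressed or encrypted"
    return "structured binary"


def find_candidates(data: bytes, target: float, tol: float = 1e-3) -> list:
    """Search for a value known from the device's UI in each plausible
    big-endian encoding: float32, float64, and fixed-point uint16/uint32
    scaled by a power of ten. Returns (offset, format, value, scale) hits."""
    hits = []
    for fmt in (">f", ">d", ">H", ">I"):
        size = struct.calcsize(fmt)
        scales = (1,) if fmt in (">f", ">d") else (1, 10, 100, 1000)
        for off in range(len(data) - size + 1):
            (raw,) = struct.unpack_from(fmt, data, off)
            for scale in scales:
                if abs(raw / scale - target) <= tol:
                    hits.append((off, fmt, raw / scale, scale))
                    break
    return hits
```

Run `find_candidates` over several captures taken with different voltages; an offset that tracks the value every time is the field, and the bytes that never change are the framing to decode next.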

I can send you a screenshot of a capture on WS by email if you want. Thank you for your answer, I really appreciate your help.

(06 Mar '13, 01:28) arius57

I have also forgotten to tell you that the two devices communicating are a Sun station SPARC5 and a VME147 board.

Those products are very old, so I don't think the data are encrypted at a high level. But that's my point of view, which could be wrong; I'm not familiar with this type of communication and products...

(06 Mar '13, 01:35) arius57

I can send you a screenshot of a capture on WS by email if you want.

Go ahead. You'll find my email address in my profile.

a Sun station SPARC5

You lucky guy. You are for sure one of the last men on earth who own a SPARC 5 ;-)) And it still works ...

(06 Mar '13, 01:48) Kurt Knochner ♦

BTW: according to the services file, port 1126 is this:

hpvmmdata 1126/tcp # HP VMM Agent

Is your communication somehow related to HP VMM Agent (whatever that might be)?

(06 Mar '13, 02:02) Kurt Knochner ♦

Yeah, this SPARC5 is a survivor! ;p

By the way, I sent you an email to the address I found on your website.

(06 Mar '13, 03:06) arius57

I've got the image.

BTW: Can you upload the image here? There is nothing in the screenshot that might compromise your data/security.

To me it looks neither encrypted nor compressed. It's rather some form of "binary" protocol. However, without knowledge about the protocol used, it's hard to understand what's going on.

What kind of traffic are you monitoring (some form of status update)? What is the client (hardware/software) and what is the server?

(06 Mar '13, 04:03) Kurt Knochner ♦

I cannot upload the image there because my karma is under 60. Sorry.

I'm monitoring an update of an instrument set-up operation (voltage in this case).

I set a mass parameter on the SPARC5 (corresponding to a voltage) and the data is sent to the VME board through the network. Then, the VME board commands an instrument to the voltage I have entered on the SPARC.

It seems that the client is the software on the SPARC and the server is the hardware (not quite sure, though).

(06 Mar '13, 06:40) arius57

I cannot upload the image there because my karma is under 60. Sorry.

May I upload it?

I'm monitoring an update of an instrument set-up operation (voltage in this case).

OK, so the data in the TCP connection could be voltage values (encoded in some - yet unknown - format).

(06 Mar '13, 08:28) Kurt Knochner ♦

No problem, you can upload it. Thank you as I can't do it myself ;p

(06 Mar '13, 08:43) arius57

I can't upload it either, as there is currently an error message, coming from ask.wireshark.org.

Error uploading file. Please contact the site administrator. Thank you. [Errno 13] Permission denied: '/web/ask.wireshark.org/osqa/forum/upfiles/Capture_pck.jpg'

(06 Mar '13, 08:52) Kurt Knochner ♦

Ah, that's weird...

(06 Mar '13, 09:04) arius57