I have several packets that I was hoping to get the payload data from in a human-readable format. I don't know if it's even possible at this point, but I'm hoping someone can help me to understand this. This is one of the raw packets I'm working with: 4500003e1ca440004006985fc0a80264c0a80202c90b138811744dfafc3aa16a801820419aae00000101080ac430d02c000002eaac5083000104431251ae I am trying to figure out the raw packet payload from this, but all I can obtain are jumbled, incoherent ASCII representations. I don't know if it's something I am simply doing wrong or if it's even possible to do. Would someone be able to help me either understand how to obtain the payload from this, or let me know why this won't work? The packet is sent from a Socket script over an open network, if that helps. Thank you. asked 03 Dec '16, 13:22 m0nk37
One Answer:
So, using
The TCP payload in question is:
This does not look like human-readable text at all. With just one packet it is also hard to get more information out of it. When you have multiple packets and recognize a pattern, then that could suggest that some kind of message framing is involved. If it still looks like complete gibberish with high entropy, then it is possibly encrypted. answered 03 Dec '16, 14:06 Lekensteyn
I wasn't sure if I was doing anything wrong or not. It seems I am getting the same result that you are. Is there anything I can do in order to see if it's possible to decrypt the payload? I also have a pcap file with numerous back-and-forth packets that I exported. Would that help to figure out if it's possible or not?
The data does not look very random (the distribution is not uniform); I guess that there is some framing involved. Maybe there is a fixed header followed by the length, and "04" says that there are four bytes following (43 12 51 ae). However, I am not guessing based on this little information. I suggest that you have a look at all the packets that are involved. You could, for example, use the Follow TCP Stream option and use the "Hex" mode to see packets aligned under each other.
And if you know what application it is, then it should also give you some hints about the possible protocol.
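As an added example (not part of the original thread or of Wireshark), the script below does by hand what the answer and the follow-up comment describe: it reads the IPv4 header length (IHL) and the TCP data offset from the packet posted in the question, slices out the TCP payload, measures how "text-like" and how random those bytes are, and then tests the framing hypothesis from the comment (fixed header, one length byte, then that many bytes of data). `RAW_HEX` is the packet from the question; the function names and the five-byte header length used in the framing check are assumptions of this example.

```python
import struct
import math
from collections import Counter

# Raw IPv4+TCP packet from the question (62 bytes, hex-encoded).
RAW_HEX = ("4500003e1ca440004006985fc0a80264c0a80202"
           "c90b138811744dfafc3aa16a801820419aae0000"
           "0101080ac430d02c000002eaac5083000104431251ae")


def parse_ipv4_tcp(raw: bytes) -> dict:
    """Parse an IPv4 header followed by a TCP header and return the
    addressing fields plus the TCP payload (bytes after the TCP options)."""
    if len(raw) < 20:
        raise ValueError("too short for an IPv4 header")
    version = raw[0] >> 4
    ihl = (raw[0] & 0x0F) * 4            # IPv4 header length in bytes
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    total_len = struct.unpack("!H", raw[2:4])[0]
    proto = raw[9]
    if proto != 6:
        raise ValueError(f"IP protocol {proto} is not TCP")
    src_ip = ".".join(str(b) for b in raw[12:16])
    dst_ip = ".".join(str(b) for b in raw[16:20])
    tcp = raw[ihl:total_len]            # honour IP total length, not buffer size
    if len(tcp) < 20:
        raise ValueError("too short for a TCP header")
    src_port, dst_port, seq, ack = struct.unpack("!HHII", tcp[:12])
    data_offset = (tcp[12] >> 4) * 4     # TCP header length incl. options
    flags = tcp[13]
    return {
        "src": f"{src_ip}:{src_port}",
        "dst": f"{dst_ip}:{dst_port}",
        "seq": seq, "ack": ack, "flags": flags,
        "tcp_header_len": data_offset,
        "payload": tcp[data_offset:],
    }


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes in the printable ASCII range 0x20..0x7e."""
    if not data:
        return 0.0
    return sum(0x20 <= b <= 0x7E for b in data) / len(data)


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 would be uniform/random-looking).
    Only meaningful over many bytes; a single short payload says little."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def length_prefixed_frame(payload: bytes, header_len: int) -> tuple:
    """Hypothesis from the thread: fixed header, then a one-byte length,
    then exactly that many bytes. Raises if the length byte disagrees."""
    header = payload[:header_len]
    length = payload[header_len]
    data = payload[header_len + 1:]
    if len(data) != length:
        raise ValueError(f"length byte {length} != {len(data)} remaining bytes")
    return header, length, data


if __name__ == "__main__":
    pkt = parse_ipv4_tcp(bytes.fromhex(RAW_HEX))
    payload = pkt["payload"]
    print(f"{pkt['src']} -> {pkt['dst']} flags=0x{pkt['flags']:02x} "
          f"tcp_hdr={pkt['tcp_header_len']}B payload={len(payload)}B")
    print("payload hex:", payload.hex(" "))
    print(f"printable ratio: {printable_ratio(payload):.2f}, "
          f"entropy: {byte_entropy(payload):.2f} bits/byte")
    header, length, data = length_prefixed_frame(payload, header_len=5)
    print("framing guess: header", header.hex(" "), "len", length, "data", data.hex(" "))
```

Running this against more packets from the pcap (one call to `length_prefixed_frame` per payload) is the quick way to confirm or reject the framing guess: if the length byte matches the remaining bytes in every message, framing is likely; if it only fits the one packet, it was coincidence. The printable ratio and entropy are only indicative on ten bytes, which is exactly why the answer asks for the whole stream.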