This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Packet payload extraction from Socket connections (TCP)

0

I have several packets that I was hoping to get the payload data from in a human-readable format. I don't know if it's even possible at this point, but I'm hoping someone can help me to understand this.

This is one of the raw packets I'm working with:

4500003e1ca440004006985fc0a80264c0a80202c90b138811744dfafc3aa16a801820419aae00000101080ac430d02c000002eaac5083000104431251ae

I am trying to figure out the raw packet payload from this, but all I can obtain are jumbled, incoherent ASCII representations. I don't know if it's something I am simply doing wrong or if it's even possible to do?

Would someone be able to help me either understand how to obtain the payload from this, or let me know why this won't work? The packet is sent from a Socket script over an open network, if that helps.

Thank you

asked 03 Dec '16, 13:22


m0nk37
6112
accept rate: 0%


One Answer:

0

So, using echo 45 ... | xxd -ps -r | od -Ax -tx1 -v | text2pcap -l 101 - some.pcap I was able to create a pcap from your data. Now, feeding it to tshark shows:

Frame 1: 62 bytes on wire (496 bits), 62 bytes captured (496 bits)
Raw packet data
Internet Protocol Version 4, Src: 192.168.2.100, Dst: 192.168.2.2
Transmission Control Protocol, Src Port: 51467 (51467), Dst Port: commplex-main (5000), Seq: 1, Ack: 1, Len: 10
IPA protocol ip.access, type: unknown 0x83

The TCP payload in question is:

ac 50 83 00 01 04 43 12 51 ae

This does not look like human-readable text at all. With just one packet it is also hard to get more information out of it. When you have multiple packets and recognize a pattern, that could suggest that some kind of message framing is involved. If it still looks like complete gibberish with high entropy, then it is possibly encrypted.

answered 03 Dec '16, 14:06


Lekensteyn
2.2k3724
accept rate: 30%

I wasn't sure if I was doing anything wrong or not. It seems I am getting the same result that you are. Is there anything I can do in order to see if it's possible to decrypt the payload? I have a pcap file also with numerous back and forth that I exported. Would that help to figure out if it's possible or not?

(03 Dec '16, 14:13) m0nk37

The data does not look very random (the distribution is not uniform), so I guess that there is some framing involved. Maybe there is a fixed header followed by the length, and "04" says that there are four bytes following (43 12 51 ae). However, I am not guessing based on this little information. I suggest that you have a look at all the packets that are involved. You could for example use the Follow TCP Stream option and use the "Hex" mode to see packets aligned under each other.

And if you know what application it is, then it should also give you some hints about the possible protocol.

(03 Dec '16, 14:28) Lekensteyn
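Worked example, added here and not part of the thread or of Wireshark: it walks the IPv4 and TCP headers of the hex frame from the question by their own length fields (IHL and TCP data offset) to isolate the 10-byte payload that tshark reported, then applies the checks discussed in the answer and the comments: printable-ASCII share (why the text looks jumbled), Shannon entropy (the "high entropy" hint), and the length-prefix framing guess at offset 5. The hex string is copied from the question; the offset 5 is Lekensteyn's guess, not a known property of the protocol.

```python
import struct
import ipaddress
import math
from collections import Counter

# Constructed: the hex frame from the question (raw IPv4, no link-layer header).
RAW_HEX = ("4500003e1ca440004006985fc0a80264c0a80202c90b138811744dfafc3aa16a"
           "801820419aae00000101080ac430d02c000002eaac5083000104431251ae")

def parse_ipv4_tcp(raw: bytes) -> dict:
    """Walk the IPv4 and TCP headers by their own length fields and return
    addressing, ports and the TCP payload (the bytes after all options)."""
    version, ihl = raw[0] >> 4, (raw[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not an IPv4 packet")
    total_len = struct.unpack("!H", raw[2:4])[0]
    if raw[9] != 6:
        raise ValueError("IP protocol %d is not TCP" % raw[9])
    tcp = raw[ihl:total_len]               # honour IP total length, drop any trailer
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4          # TCP header length including options
    return {"src": str(ipaddress.IPv4Address(raw[12:16])),
            "dst": str(ipaddress.IPv4Address(raw[16:20])),
            "sport": src_port, "dport": dst_port, "flags": tcp[13] & 0x3F,
            "payload": tcp[data_off:]}

def printable_ratio(payload: bytes) -> float:
    """Share of bytes in printable ASCII; a low value is why the text looks jumbled."""
    return sum(0x20 <= b < 0x7F for b in payload) / len(payload) if payload else 0.0

def shannon_entropy(payload: bytes) -> float:
    """Bits per byte; near 8.0 over a large sample suggests encryption or compression."""
    n = len(payload)
    return -sum(c / n * math.log2(c / n) for c in Counter(payload).values()) if n else 0.0

def length_prefix_matches(payload: bytes, offset: int) -> bool:
    """Framing guess from the thread: does the byte at `offset` equal the
    number of bytes that follow it?"""
    return 0 <= offset < len(payload) and payload[offset] == len(payload) - offset - 1

if __name__ == "__main__":
    pkt = parse_ipv4_tcp(bytes.fromhex(RAW_HEX))
    print("%s:%d -> %s:%d" % (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
    print("payload:", pkt["payload"].hex(" "))
    print("printable=%.2f entropy=%.2f len-prefix@5=%s" % (
        printable_ratio(pkt["payload"]), shannon_entropy(pkt["payload"]),
        length_prefix_matches(pkt["payload"], 5)))
```

With only ten bytes the entropy figure is meaningless on its own; run the same functions over every payload of the Follow TCP Stream export to see whether the offset-5 length byte holds across packets.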