This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Unable to decode packets payload


Hi,

I'm using 2 Raspberry Pis to communicate with each other over IP using netcat (unencrypted and direct over IP messaging through port 555) using:

R.Pi#1: sudo nc -l 555

R.Pi#2: sudo nc 192.168.43.107 555

I checked: it works and it does not encrypt the packet's payload; I can see the entire conversation in Wireshark.

Then, I'm sniffing that conversation with a 3rd R.Pi running Kali Linux using Wireshark, but now I see the conversation under the LLC protocol instead of TCP like I saw before, and I believe the data payload is now encrypted. I tried to decrypt it through a HEX to string converter or a Binary to string converter; it's still gibberish. How can I make it human-readable?

Here are some pictures:


Packet 148 Data:

Its payload is (Hex Stream): 2000000000277e5bf58848eb699738a8a50b1c8304f0963a64554e2b70881ab95bbb9353e66d81fc524d196ea014162b663b5b16dc

Packet 149:

Its payload is (Hex Stream): 0000000066a402fe5551f063251d00745c97f7e34379265f60b8c412cd2221397afd1d5a04a5a09cf02d3208d4f3f8264666c0621383099b2e8715339ddda609c32363d1234d14a4a8edf8e0155ee91d6d4c9647

Packet 158:

Its payload is (Hex Stream): 000000008641e14b03305a4f6e72921b0bfb3e9dd3febd24d005a67cc209a204cb40a0fe68b35e27810e410cc6800fdd1078998c8062f1594ab6dc0f95d3722398f21065c101c4b9c29af74820e64a7b3c6ec9f328

Before the arpspoofing: SENDING:

And RESPONSE:

Any ideas please?

asked 16 Dec '16, 06:02


eyal360

Sigh. As ever, a capture file is much more useful than some screenshots.

Can you share a capture in a publicly accessible spot, e.g. CloudShark, Google Drive, DropBox etc.?

Also, can you explain your capture environment and where the captures were made, i.e. show the 3 RPis and the connections between them?

(16 Dec '16, 06:22) grahamb ♦

Yes, these are the Drive links, one each for Rx and Tx messages:

https://drive.google.com/file/d/0B4dE5ujOQI6RN2JlLTFQTkozdGc/view?usp=sharing

https://drive.google.com/file/d/0B4dE5ujOQI6RSUd4X1RkU2tDcFU/view?usp=sharing

I'm capturing over my WLAN; all the R.Pis are connected to the same WPA Wi-Fi.

Thanks for the quick reply.

P.S.: it's only showing the LLC packets because the others are unrelated ARP or other management protocol packets, so I've unselected them.

(16 Dec '16, 06:45) eyal360