This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I am very new to this so forgive me if my question has a simple answer I am missing. I am trying to decipher a TCP stream. I see some of the information is readable. However, there is a large section that needs to be decoded. Below is the beginning of what I would like to decode.

<detection>
    <keyId>1</keyId>
    <data>!CDATA[T8PdjhIeYyFvWdI+lB5Gkh0A1uBtCNt6avFGFV3nzMiU1kZQgVOzF50dAfk8YZOHFEVbptTA/d8QWo7+wJ4vX934tZGjg+bz5wwfGyLMrS9Uq78PnH5EPgtUZwBulHWHL2StofzO94IpMe8A1r7/fMPQ94p3rgPvTvRCCkRifmMV03I1kwn8c7

Can someone point me in the direction of what I need to do to successfully decode this section of the stream?

asked 18 Nov '11, 23:06 by criag0

edited 23 Nov '11, 14:57 by helloworld


What you refer to is a protocol, for which Wireshark has 'dissectors' that decode and present the protocol elements. Now the problem is that the dissectors are to be written according to the specification of the protocol. So you must have that. Then you have to choose what language/API to program against. Most powerful are dissectors in native C; other options are Lua or Python.

answered 19 Nov '11, 01:12 by Jaap

"What [you'd] like to decode" looks like XML. Wireshark has an XML dissector, but to dissect it as anything much more than raw text would require the DTD for the XML in question. See the Wireshark Wiki page on XML for more information.

You'd also need to have Wireshark somehow invoke the XML dissector for the data in question. Is this just raw XML over a TCP connection, or is it, for example, XML transported over HTTP?

answered 19 Nov '11, 13:04 by Guy Harris

Thank you for the information I will read over what you have provided.

The information, I believe, is raw XML. I am trying to see what was transmitted back to a company when installing a program on my computer.

Thank you in advance.

(23 Nov '11, 10:04) criag0

What you see inside the CDATA section is a base64-encoded representation of (potentially) binary information. You can try base64 decoding it, but if the result is not readable as text then the program which is "checking in" has its own proprietary format for sending whatever data it has collected about your machine, etc.

answered 22 Mar '12, 12:56 by inetdog
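The decode inetdog describes, worked through in Python against the fragment quoted in the question. This is an added example, not code from the thread or from Wireshark. It assumes the forum stripped the `<![` in front of `CDATA[` and that the stream was cut off mid-string, so it tolerates missing base64 padding; the printability, entropy and magic-byte checks (and all function names) are my own heuristics for deciding whether the decoded bytes are worth reading as text or should be treated as an opaque, proprietary blob.

```python
"""Added example (not code from the thread): pull the base64 text out of the
CDATA section quoted in the question, decode it as inetdog suggests, and
judge whether the result is readable text or opaque binary.

Assumptions: the forum stripped the "<![" in front of "CDATA[", and the
stream was cut off mid-string, so the base64 has no padding and no "]]>".
The printability, entropy and magic-byte heuristics are my own, not
anything the answerers proposed."""
import base64
import math
import re

# Constructed sample: the fragment from the question, exactly as posted
# (truncated; the "<![" before "CDATA[" is missing on the page).
SAMPLE = """<detection>
    <keyId>1</keyId>
    <data>!CDATA[T8PdjhIeYyFvWdI+lB5Gkh0A1uBtCNt6avFGFV3nzMiU1kZQgVOzF50dAfk8YZOHFEVbptTA/d8QWo7+wJ4vX934tZGjg+bz5wwfGyLMrS9Uq78PnH5EPgtUZwBulHWHL2StofzO94IpMe8A1r7/fMPQ94p3rgPvTvRCCkRifmMV03I1kwn8c7"""

# Everything after "CDATA[" that is a base64 character or whitespace.
CDATA_RE = re.compile(r"CDATA\[([A-Za-z0-9+/=\s]*)")

# Byte values we accept in "text": printable ASCII plus tab/LF/CR.
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

# A few container signatures worth checking before calling data "proprietary".
MAGIC = {
    b"\x1f\x8b": "gzip",
    b"\x78\x9c": "zlib",
    b"\x78\xda": "zlib",
    b"PK\x03\x04": "zip",
}


def extract_cdata_payload(xml_text):
    """Return the base64 text inside the first CDATA section, whitespace removed."""
    m = CDATA_RE.search(xml_text)
    if not m:
        raise ValueError("no CDATA section found")
    return re.sub(r"\s+", "", m.group(1))


def decode_base64_lenient(b64):
    """Decode base64 that may have been cut off mid-stream.

    Returns (decoded_bytes, dropped_chars). A complete string has a length
    that is a multiple of 4; one trailing leftover char cannot encode a whole
    byte and is dropped, two or three leftover chars are padded and decoded.
    """
    b64 = b64.rstrip("=")
    dropped = 0
    if len(b64) % 4 == 1:
        b64, dropped = b64[:-1], 1
    padded = b64 + "=" * (-len(b64) % 4)
    return base64.b64decode(padded, validate=True), dropped


def looks_like_text(data, threshold=0.95):
    """True if the bytes decode as UTF-8 and are almost all printable."""
    if not data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    ok = sum(1 for b in data if b in TEXT_BYTES or b >= 0x80)
    return ok / len(data) >= threshold


def shannon_entropy(data):
    """Bits per byte; values near 8 suggest compression or encryption."""
    if not data:
        return 0.0
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def sniff_container(data):
    """Name a known compressed/archive format by its leading bytes, else None."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def analyze(xml_text):
    """Decode the CDATA payload and summarize what it looks like."""
    payload = extract_cdata_payload(xml_text)
    data, dropped = decode_base64_lenient(payload)
    return {
        "b64_chars": len(payload),
        "dropped_chars": dropped,
        "decoded_len": len(data),
        "head_hex": data[:8].hex(),
        "is_text": looks_like_text(data),
        "container": sniff_container(data),
        "entropy": round(shannon_entropy(data), 2),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it as a script to see the summary for the fragment above. On this fragment the first decoded bytes are already non-UTF-8, so `is_text` is false; if `container` is also empty and the entropy is close to 8 bits per byte, the payload is most likely compressed with an unrecognised wrapper, encrypted, or in the proprietary format inetdog mentions, and the next step is the dissector route Jaap describes or instrumenting the installer itself rather than staring at the bytes.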
