The protocol is very simple and is developed on top of TCP. I need to analyze a big libpcap dump file to calculate the average value and standard deviation of the conversation time and of the number of packets per conversation.

Using Wireshark it's simple to analyze the TCP conversations between the endpoints, but the summary includes all of the TCP packets (lots of SYNs, ACKs and FINs), and this messes up the data.

Is there another tool to do this kind of analysis? Is there a way to EASILY extend Wireshark's functionality?

jldupont

4 Answers

3

You can check out the Argos custom protocol analyzer. It is a commercial tool and it has a powerful and easy to use XML protocol definition language. Additionally it can monitor Ethernet and IP traffic as Wireshark does and open libpcap files.

Balazs
0

Not sure I understand exactly what you need, but if you're looking to analyze only the packets with application data in them you can ask Wireshark to display only those packets with the PSH ("push to application") flag set.

Adam Liss
  • Setting the display filter to data.net > 0 doesn't solve the problem. I need to analyze the conversations, but there are multiple conversations happening simultaneously, as multiple clients talk to the server. – boobsbr Nov 08 '09 at 03:05
  • What exactly do you need to measure? Are you trying to separate the individual conversations? – Adam Liss Nov 08 '09 at 04:28
0

What exactly does this protocol contain? Is there any specific header for its own usage? Wireshark provides many complex filtering options that you can explore.

If you want to do it using a program, you can try PCAP or PF_SOCK. You may need to write your own filtering criteria then.

Jack
0

Is there another tool to do this kind of analysis? Is there a way to EASILY extend Wireshark's functionality?

You can try Scapy (http://www.secdev.org/projects/scapy/); with Scapy it is very easy to add new protocols: http://www.secdev.org/projects/scapy/doc/build_dissect.html.

Scapy is not like Wireshark, but I think it will solve your problem.

Gianluca Costa
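As an added example that is not from any of the answers above, the following Python script computes what the question asks for: mean and standard deviation of conversation duration and of data packets per conversation, grouping segments by a direction-independent 4-tuple and ignoring the SYN/ACK/FIN segments that carry no payload (the same idea as filtering on payload rather than PSH). The trace is constructed inline; the optional loader assumes Scapy is installed and uses its documented rdpcap/IP/TCP API, and the server port 9000 is a made-up value.

```python
from collections import defaultdict
from statistics import mean, pstdev

def conversation_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a flow land in one conversation."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def conversation_stats(segments):
    """segments: (time, src, sport, dst, dport, payload_len) per TCP segment.
    Returns per-conversation time spans and counts of payload-carrying segments.
    Pure SYN/ACK/FIN segments (payload_len == 0) are skipped, so handshake and teardown
    neither inflate the count nor stretch the span; data-less conversations are dropped."""
    convs = defaultdict(list)
    for ts, src, sport, dst, dport, plen in segments:
        if plen > 0:
            convs[conversation_key(src, sport, dst, dport)].append(ts)
    durations = [max(t) - min(t) for t in convs.values()]
    counts = [len(t) for t in convs.values()]
    return durations, counts

def summarize(segments):
    """Mean and population standard deviation of duration and data packets per conversation."""
    durations, counts = conversation_stats(segments)
    if not counts:
        return None
    return {"conversations": len(counts),
            "duration_mean": mean(durations), "duration_stdev": pstdev(durations),
            "packets_mean": mean(counts), "packets_stdev": pstdev(counts)}

def load_with_scapy(path, server_port):
    """Records from a real capture via Scapy's rdpcap (assumed installed; lazy import)."""
    from scapy.all import rdpcap, IP, TCP
    out = []
    for pkt in rdpcap(path):
        if IP in pkt and TCP in pkt and server_port in (pkt[TCP].sport, pkt[TCP].dport):
            out.append((float(pkt.time), pkt[IP].src, pkt[TCP].sport,
                        pkt[IP].dst, pkt[TCP].dport, len(pkt[TCP].payload)))
    return out

# Constructed sample: clients A and B talk to 10.0.0.1:9000 at the same time;
# client C only opens a connection and never sends data.
SAMPLE = [
    (0.05, "10.0.0.3", 40002, "10.0.0.1", 9000, 0),    # B: SYN
    (0.10, "10.0.0.2", 40001, "10.0.0.1", 9000, 40),   # A: request
    (0.30, "10.0.0.3", 40002, "10.0.0.1", 9000, 20),   # B: request
    (0.50, "10.0.0.1", 9000, "10.0.0.2", 40001, 100),  # A: reply
    (0.90, "10.0.0.1", 9000, "10.0.0.3", 40002, 60),   # B: reply
    (1.30, "10.0.0.3", 40002, "10.0.0.1", 9000, 10),   # B: second request
    (1.60, "10.0.0.2", 40001, "10.0.0.1", 9000, 0),    # A: FIN
    (2.00, "10.0.0.4", 40003, "10.0.0.1", 9000, 0),    # C: SYN only
]
```

`summarize(SAMPLE)` reports two conversations with mean duration 0.7 s (standard deviation 0.3 s) and 2.5 data packets each (standard deviation 0.5); client C's handshake-only connection is not counted.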