
I'm working with Scapy to parse a set of .pcap files. I would like to understand what kind of payload those packets are carrying. If, for example, I have a pcap file with a lot of UDP packets whose payloads have the same starting bytes, I don't know what kind of encoding was used, and the first values keep repeating in other packets. Is there any program or Python library that could allow me to figure out, or try to guess, what kind of encoding was used (if, for example, it is an RTP payload or an MPEG one and so on)?

UPDATE: I was able to use nDPI on those pcap files and it gave me satisfying results for all the flows except for a set of them that it was not able to recognize. I'm going to share with you the first part of the hex representation of the data:

f1d00404d1002d7c484830320000020080073804610d00007b09040000000000010f000000000000000000000000000000000000000000000000000121e002a22e537fcccb815afafce2361b

The first part f1d004 does not change between previous and successive packets. I have already tried to decode them with different protocols using Wireshark's "Decode as" feature. I have tried with RTP, RTCP, RTSP, JSON and MPEG. If it can be useful, this capture is related to a camera, which is why I tried the previous protocols.

fd1004
  • I'm currently dealing with the exact same problem. So far, the idea has been to load the traffic into Wireshark, have it decode the payload as different protocols and see if things seem to line up. – Carcigenicate Jun 13 '21 at 14:03
  • In the end I have found out a program called nDPI; maybe it is useful also for you. Still, it was not enough for a set of flows inside a pcap that I captured. – fd1004 Jun 13 '21 at 17:33
  • Thanks. Unfortunately though, nDPI wasn't able to lend any insight to me either. – Carcigenicate Jun 13 '21 at 22:43
  • Have you tried to search on the web for the UDP dest port? – fgagnaire Jun 14 '21 at 02:39
  • Yes of course, but they are unassigned. I can just suppose that they are transmitting video stream traffic because I know the traffic I'm generating myself, but I don't know the protocol used. – fd1004 Jun 14 '21 at 08:44
  • Which program is generating this packet? If you cannot decode the payload, go to the source. – sinkmanu Jun 15 '21 at 08:41
  • The source is a wansview camera controlled by a mobile phone that receives those packets – fd1004 Jun 15 '21 at 11:21
  • A small google search seems to indicate that the protocol would be ONVIF (a standard for IP cameras). That should be on top of RTP (like VoIP) – Cukic0d Jun 16 '21 at 07:48
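The kind of first-pass triage the question and comments describe (check whether the bytes parse as an RTP header, whether they look like MPEG-TS, how much of the payload is constant across packets, and whether the rest looks structured or encrypted) can be done in a few lines of plain Python before reaching for nDPI or Wireshark's "Decode as". The script below is an added example written for this page; it is not code from the question or from any project. It is deliberately Scapy-free so it runs offline: with Scapy you would feed it `bytes(pkt[UDP].payload)` for each packet. `QUESTION_HEX` is a truncated copy (first 24 bytes) of the hex quoted in the question; `SECOND_HEX` and `RTP_HEX` are constructed samples, the second one a hand-built RTP header (version 2, dynamic payload type 96), not captured traffic. The 0.9 entropy ratio used to flag "probably encrypted or compressed" is an arbitrary threshold for illustration.

```python
"""Heuristic triage of raw UDP payloads of unknown encoding (added example)."""
import math
from collections import Counter

# Truncated copy (first 24 bytes) of the hex quoted in the question.
QUESTION_HEX = "f1d00404d1002d7c484830320000020080073804610d0000"
# Constructed: same 3-byte f1d004 prefix, later bytes changed.
SECOND_HEX = "f1d00405d1002e7c484830320000020080073804610e0000"
# Constructed RTP header: V=2, PT=96, seq=1, ts=160, SSRC=0xdeadbeef, 8 payload bytes.
RTP_HEX = "80600001000000a0deadbeef0102030405060708"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def common_prefix(payloads) -> bytes:
    """Longest byte prefix shared by all payloads (the asker's 'f1d004' observation)."""
    prefix = bytes(payloads[0])
    for p in payloads[1:]:
        i = 0
        while i < min(len(prefix), len(p)) and prefix[i] == p[i]:
            i += 1
        prefix = prefix[:i]
    return prefix


def rtp_header(payload: bytes):
    """Parse the fixed 12-byte RTP header (RFC 3550).

    Returns None when the 2-bit version field is not 2, which rules RTP out
    regardless of the UDP port in use.
    """
    if len(payload) < 12:
        return None
    b0, b1 = payload[0], payload[1]
    if b0 >> 6 != 2:
        return None
    return {
        "version": b0 >> 6,
        "padding": bool(b0 & 0x20),
        "extension": bool(b0 & 0x10),
        "csrc_count": b0 & 0x0F,
        "marker": bool(b1 & 0x80),
        "payload_type": b1 & 0x7F,
        "sequence": int.from_bytes(payload[2:4], "big"),
        "timestamp": int.from_bytes(payload[4:8], "big"),
        "ssrc": int.from_bytes(payload[8:12], "big"),
    }


def looks_like_mpeg_ts(payload: bytes) -> bool:
    """MPEG-TS over UDP is a whole number of 188-byte packets, each starting 0x47."""
    if not payload or len(payload) % 188:
        return False
    return all(payload[i] == 0x47 for i in range(0, len(payload), 188))


def classify(payload: bytes) -> str:
    """Cheap label for one payload; 'unknown-structured' means keep digging."""
    if len(payload) < 2:
        return "too-short"
    if rtp_header(payload) is not None:
        return "rtp-candidate"
    if looks_like_mpeg_ts(payload):
        return "mpeg-ts-candidate"
    # Compare entropy to the maximum reachable for this length (log2 of the
    # number of distinct byte values that could appear).
    ratio = shannon_entropy(payload) / math.log2(min(len(payload), 256))
    if ratio > 0.9:  # illustrative threshold, not a calibrated value
        return "high-entropy"
    return "unknown-structured"


def summarize(payloads):
    """Flow-level view: shared prefix plus a label count across packets."""
    labels = Counter(classify(p) for p in payloads)
    return {"prefix": common_prefix(payloads).hex(), "labels": dict(labels)}


if __name__ == "__main__":
    flow = [bytes.fromhex(QUESTION_HEX), bytes.fromhex(SECOND_HEX)]
    print(summarize(flow))
    print(rtp_header(bytes.fromhex(RTP_HEX)))
```

On the question's own bytes the first byte 0xf1 puts the RTP version field at 3, so the RTP parser refuses it, matching what "Decode as RTP" found; there is no 0x47 sync byte, and the entropy sits well below the random-looking range, so the label is "unknown-structured": a proprietary framing with a constant header, which is consistent with the comment thread's advice to go back to the source application rather than keep trying standard decoders.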

0 Answers