Re: Finding patterns in packet data?

by Anonymous Monk
on Aug 04, 2000 at 22:37 UTC

in reply to Finding patterns in packet data?

Ok. Maybe I'm not being clear enough about what I'm trying to do. Here's an example of what I've got:
1C 30 00 04 E9 C9 00 06 81 00 00 5C 2C 9F 3F 84 94 81 36 B9 00 00 00 00 00 00 00 00 61 64 6D 69 6E 00 00 00 00 00 00 00 00 00 00 00

This is the part of the UDP packet immediately after the UDP checksum with the trailing padding removed. This is, then, the meat of the packet. What I'm looking for is an unknown length value in this meat that is also in a large percentage of all the other meats. It won't be in all, because there will be a few challenge/response packets, etc.
Do I compare packet A to B and see what matches, then A to C, A to D, etc. and see what I get? This seems to be very cumbersome.

RE: Re: Finding patterns in packet data?
by lhoward (Vicar) on Aug 04, 2000 at 22:44 UTC
    My answer (above) works as follows:
    For every length you want to consider
        For each packet
            for each substring of length N
                increment count of N's occurrence by 1
    Look at all the data you've amassed about which substrings occur with what frequency and spit out some data.
    Unless you specify what your "length vs frequency" preference is, you cannot get a generic answer. If what you are looking for is "what are the largest, most common substrings that occur in more than 90% of the packets" then you can do it.
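
The counting approach described in the reply above, as an added example (not code posted by anyone in the thread). Assumptions: each substring is counted once per packet so the threshold is a share of packets, all-zero runs are skipped as padding, the 75% threshold and the 2..16 byte lengths are chosen for the sample, and every payload except the first is constructed for illustration.

```perl
use strict;
use warnings;

# Sample payloads (hex). The first is the payload quoted in the post;
# the other three are constructed for this example.
my @hex = (
    '1C 30 00 04 E9 C9 00 06 81 00 00 5C 2C 9F 3F 84 94 81 36 B9 00 00 00 00 00 00 00 00 61 64 6D 69 6E 00 00 00 00 00 00 00 00 00 00 00',
    '1C 31 00 04 E9 C9 00 06 81 00 00 5D 11 22 33 44 55 66 77 88 00 00 00 00 61 64 6D 69 6E 00 00 00',
    '1C 32 00 04 E9 C9 00 06 81 00 00 5E A0 B1 C2 D3 00 00 00 00 00 00 67 75 65 73 74 00 00',
    '02 00 00 01 FF FF FF FF 10 20 30 40',   # stands in for a challenge/response packet
);
my @packets = map { pack 'H*', join '', split ' ' } @hex;

# Return { substring => number of packets containing it } for one length.
sub packet_counts {
    my ($n, @pkts) = @_;
    my %count;
    for my $p (@pkts) {
        my %seen;                            # count each substring once per packet
        for my $i (0 .. length($p) - $n) {
            my $s = substr $p, $i, $n;
            next if $s !~ /[^\0]/;           # skip runs made only of 00 bytes
            $count{$s}++ unless $seen{$s}++;
        }
    }
    return \%count;
}

# Longest-first list of [substring, packet count] present in at least
# $min_share of packets, omitting any contained in a longer one already kept.
sub common_substrings {
    my ($min_share, $min_len, $max_len, @pkts) = @_;
    my $total = @pkts;
    my @found;
    for my $n (reverse $min_len .. $max_len) {
        my $c    = packet_counts($n, @pkts);
        my @keep = grep { $c->{$_} / $total >= $min_share } keys %$c;
        for my $s (sort @keep) {
            next if grep { index($_->[0], $s) >= 0 } @found;
            push @found, [ $s, $c->{$s} ];
        }
    }
    return @found;
}

for my $hit (common_substrings(0.75, 2, 16, @packets)) {
    printf "%d/%d packets  len %2d  %s\n", $hit->[1], scalar(@packets),
        length($hit->[0]), join ' ', map { sprintf '%02X', $_ } unpack 'C*', $hit->[0];
}
```

Dropping the all-zero filter shows why it is there: with zero-padded payloads like the one in the post, runs of 00 bytes would otherwise be reported as the most common substrings.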