Finding Application Signatures with Wireshark

The value in protocol analysis is only as good as your ability to efficiently decipher all those crazy packets and we all know that it isn’t as easy as it sounds.

I constantly try to find a pattern or ‘application signature’ so I can track an application or transaction more efficiently. Learning these patterns is also helpful when you capture packets floating around and need to identify the application that generated them. I was onsite with a customer when we saw a flood of pings from a device flying by. The customer asked me why that computer would be pinging so much and I quickly figured out that this device had Whats Up

Gold running on it by looking at the ping signature. Upon further investigation the customer found out that this was a old network test pc that was used to test Whats up Gold and was forgotten all about.

Some patterns or signatures are obvious, such as a CDP packet containing the Cisco switch name and model number, but some are not that easy.

I worked on a problem where a card reader was intermittently not reading employees cars. The customer replaced the reader when they noticed the problem was persisting and spreading. I was able to figure out what the employee card number looked like in the packet, traced it through the network and proved where the problem was.

In this specific example, I focus on ping because many times when we capture packets we always see something pinging or getting pinged. It always helps when you can look at a ping packet and tell the customer which application or device is doing the pinging.

In this video I use a Fluke Networks AirCheck handheld wireless analyzer and pinged my laptop as I captured those packets. As you will find out it didn’t take much to dig into the ICMP payload and figure out the unique signature from this tool. Sorry I’m not going to give it away and you will have to watch the video to see it for yourself.

Hope this helps you with your protocol analysis and Wireshark skills.

Enjoy