Tool for network traffic analysis of a custom protocol

Question

The protocol is very simple and is developed on top of TCP. I need to analyze a big libpcap dump file to calculate the average value and standard deviation of the conversation time and of the number of packets per conversation.

Using Wireshark it's simple to analyze the TCP conversations between the endpoints, but the summary includes all of the TCP packets (lots of SYNs, ACKs and FINs), and this messes up the data.

Is there another tool to do this kind of analysis? Is there a way to EASILY extend Wireshark's functionality?

Answer 1

Not sure I understand exactly what you need, but if you're looking to analyze only the packets with application data in them you can ask Wireshark to display only those packets with the PSH ("push to application") flag set.

Answer 2

What exactly this protocol contains? Is there any specific header for its own usage? Wireshark provides many complex filtering options that you can explore.

If you want to do it using program, you can try PCAP or PF_SOCK. You may need to write your own filtering criteria then.

Answer 3

Is there another tool to do this kind of analysis? Is there a way to EASILY extend Wireshark's functionality?

You can try Scapy ( http://www.secdev.org/projects/scapy/ ), with Scapy it is very easy to add new protocols: http://www.secdev.org/projects/scapy/doc/build_dissect.html .

Scapy is not as Wireshark, but I think it will solve your problem.

Answer 4

You can check out the Argos custom protocol analyzer. It is a commercial tool and it has a powerful and easy to use XML protocol definition language. Additionally it can monitor Ethernet and IP traffic as Wireshark does and open Libcap files