Automated protocol analysis

wireshark

[I)ruid] from BreakingPoint Labs has been doing quite a bit of protocol reverse engineering as part of his work. He put together a post covering some of the tools that have been useful for this task. Text-based protocols have a lot of human readable characters that can help you identify fields. Binary protocols don’t have this luxury though. He recommends the Protocol Informatics Project for tackling these situations. It applies bioinformatics algorithms to network traffic. You give it a packet dump of the protocol and it compares them to find similarities the same way genetic sequences are compared. It can be confused by protocols that waste a lot of space, but it’s still a very clever approach to reversing.

[photo: slashcrisis]

Logicport overview


As promised earlier, the Near Future Laboratory has published an overview of the Logicport Logic Analyzer. They’re using the Playstation 2 analysis as an example. The Logicport uses “interpreters” to define protocols. It has I2C/TWI, SPI, RS232, and CAN 2.0A/2.0B, but you can build your own interpreter based on these. You can specify bit order and the format you want the data in. Slave interpreters can be used for specific tasks: with the PS2 they were used to just show the fifth byte, which is the actual button press.

“Triggers” are used to signal specific activity. On the PS2, one was attached to the falling signal on the slave select line. This event means the master is about to start sending data.

The final area worth exploring is “measurements”. These can be frequency or arbitrary time intervals between events. The Logicport has multiple ground connections to eliminate noise from the signal and you’ll have to play with sample rate and logic level to get things running smooth. It’s nice to see how-tos written from the perspective of someone just getting started with the tool.