Wireshark-users: [Wireshark-users] Decoding RFC1950 compressed data?
From: Andreas Weller <weller@xxxxxxxxxxxxxxxxx>
Date: Mon, 21 May 2007 15:49:17 +0200
Hi!

A friend of mine got a new PC system at his shop. It's a Linux-based client/server system. As it is undocumented black box stuff we used Wireshark to decode its datastream :-)

We learned that the clients connect to the server using PostgreSQL port 5432 - the password used was also no problem to sniff with Wireshark... So there's no problem for "3rd party products" connecting to the server's database thanks to Wireshark.

But it also connects to port 1536 using some kind of encrypted or compressed protocol. Wireshark doesn't recognize the protocol. I think it might be RFC1950 compressed data (ZLIB). How do I force Wireshark to treat the port 1536 data as RFC1950 compressed - maybe it can be decoded this way...

Wireshark version used is the one from the Ubuntu repository:

Version 0.99.4
Compiled with GTK+ 2.10.9, with GLib 2.12.9, with libpcap 0.9.5, with libz 1.2.3, with libpcre 6.7, without UCD-SNMP or Net-SNMP, with ADNS, without Lua, with GnuTLS 1.4.4, with Gcrypt 1.2.3, without Kerberos, with PortAudio <= V18, without AirPcap.
Running on Linux 2.6.20-15-generic, with libpcap version 0.9.5.
Built using gcc 4.1.2 (Ubuntu 4.1.2-0ubuntu4).

Thanks!

Regards,
Andreas Weller

The logged data look like this:
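An added example, not from this thread and not part of Wireshark, of the check the question asks for, done outside Wireshark on the raw bytes saved from a capture: it applies the RFC 1950 header test (CM, CINFO, FCHECK) at every offset and inflates whatever passes, so a stream that is merely compressed rather than encrypted gives up its plaintext. The banner, the two payloads and the 5-byte gap between members are constructed; the gap is an assumed stand-in for whatever framing the real protocol uses.

```python
"""Check whether a captured byte stream carries RFC 1950 (zlib) members
and inflate each one, as a post-processing step on bytes saved from a
Wireshark "Follow TCP Stream" (raw) view."""
import zlib


def is_rfc1950_header(cmf: int, flg: int) -> bool:
    """RFC 1950 header test: CM == 8 (deflate), CINFO <= 7 (window <= 32K),
    and CMF*256 + FLG divisible by 31 (the FCHECK field)."""
    return (cmf & 0x0F) == 8 and (cmf >> 4) <= 7 and (cmf * 256 + flg) % 31 == 0


def find_zlib_members(stream: bytes) -> list:
    """Return (offset, consumed, complete, inflated) for each zlib member found.

    Every offset whose two bytes pass the header test is tried; a member is
    accepted only if it inflates to its end-of-stream marker, after which
    scanning resumes behind it (zlib hands the trailing bytes back as
    unused_data).  A valid header whose body runs into the end of the capture
    is reported with complete=False and whatever inflated so far, then the
    scan stops (assumption: the capture was cut off mid-member)."""
    members, pos = [], 0
    while pos < len(stream) - 1:
        if is_rfc1950_header(stream[pos], stream[pos + 1]):
            d = zlib.decompressobj()
            try:
                out = d.decompress(stream[pos:])
            except zlib.error:          # header looked right but the body is not deflate
                pos += 1
                continue
            if d.eof:
                consumed = len(stream) - pos - len(d.unused_data)
                members.append((pos, consumed, True, out))
                pos += consumed
                continue
            members.append((pos, len(stream) - pos, False, out))
            break
        pos += 1
    return members


# Constructed sample, not the poster's capture: a text banner, two zlib
# members, and an opaque 5-byte gap standing in for whatever framing the
# real protocol puts between members (an assumption).
BANNER = b"CONNECT COMPRESSED OK 8\n"
FIRST = b"SELECT version FROM settings;\n"
SECOND = b"SELECT * FROM customers WHERE id = 1;\n"
SAMPLE_STREAM = BANNER + zlib.compress(FIRST) + b"\x00\x2a\x00\x00\x00" + zlib.compress(SECOND)

if __name__ == "__main__":
    for offset, size, complete, data in find_zlib_members(SAMPLE_STREAM):
        print(f"0x{offset:04x} {size:4d} bytes complete={complete} -> {data!r}")
```

On a real capture, feed the saved raw stream of one direction to find_zlib_members and look at which offsets inflate; a stream whose members all fail the header test or raise zlib.error is not plain RFC 1950 data.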
- Follow-Ups:
- Re: [Wireshark-users] Decoding RFC1950 compressed data?
- From: Stephen Fisher
- Re: [Wireshark-users] Decoding RFC1950 compressed data?