Payload Analyzer

Analyzes the L4 payload. It is necessary to specify the parameters for building a decision tree:

  • Decisions β€” the maximum nesting of the branch. Determines the search depth in the process of building a decision tree.

  • Decision type β€” is an algorithm for building a decision tree.

    • First suitable decision β€” search for the first suitable solution;
    • All possible decisions β€” search for all possible solutions within the specified variability and maximum nesting level;
    • Decision of minimum length β€” traversal along the minimum length branches regardless of the solution completeness.

  • Variability β€” data variability within the offset to build a branch. The maximum number of child branches of the decision tree.

  • Bytes in packet β€” The number of first payload bytes to be analyzed. The limit on the number of first bytes allows you to create shortened signatures, for example, to apply the flex filter in JunOS. Reduces analysis time.

  • Generate payload filter expressions β€” adds tcpdump or tshark filters to the report.

  • Show hints β€” adds auxiliary sections to the report.

Report

The report can be generated as a text file or as an interactive HTML page if the Interactive checkbox is set. The content of the report does not depend on the presentation form, but the interactive version has some advantages and is more convenient to use, so the report description is based on it. The interactive report can be exported to an HTML page or JSON for later use outside of the PSG. Each section can be collapsed.

The report contain sections:

  • Total;

    • Total packets β€” total packages in a PCAP file;
    • Filtered packets β€” number of packets excluded from processing by filters;
    • Processed packets β€” number of processed packets;
    • TCP β€” percentage of TCP packets in the dump;
    • UDP β€” percentage of UDP packets in the dump;
    • ICMP β€” percentage of ICMP packets in the dump.

  • Packets lenght stats;
    packets distribution by L4 payload length. An absolute value and the part of all processed packets in percent.

  • [TCP, UDP] [src, dst] ports stats;
    Packets distribution by ports. An absolute value, the part of all processed packets in percent and the part of packets total number. Displays up to 10 most used ports among the processed packets.

The following sections adds to the report if the Show hints checkbox is set:

  • Values and candidates to separate into branches;
    Shows L4 payload offsets with variance less than specified and present in 100% of processed packets. If no branching candidates are found with the given variance, but the number of values in all packages for some offset exceeds the given variance, then the minimum value for finding at least one branch is reported.

  • Other common values in processed payload;
    Shows L4 payload offsets which contain values that do not change much (in more than 90% of packets where such an offset is available, it uses the same byte). Displays the absolute number of packets and the percentage of the total packets for each offset. Offsets containing values that do not change much, but with a small number of packets (less than 90% of the total), are not displayed.

  • Possible related values in processed payload;
    Searches for L4 payload values that have the same number of repetitions, most likely they change synchronously. Displays the absolute number of packets and the percentage of total packets processed for each set of related values. Values that do not change and are very rare (less than 5% of the number of processed packets) are not taken into account.

  • Possible floating values in processed payload;
    Searches for L4 payload values that float within a small range of offsets (8) and are contained in all packets within that range. Values that do not change are ignored. If multiple identical values are found with overlapping offset ranges, they are merged.

  • Filters;
    Displays filters for tcpdump and tshark that match the regular expression obtained as an analysis result.

If no signature is extracted with the default settings, it can be difficult for clients to interpret hints and adjust search parameters. In this case, you should try Multipurpose Analyzer as the most comprehensive one.