Payload Analyzer

The mechanism analyzes L4 payload from the dump and extracts traffic signatures. Payload Analyzer accepts traffic dumps in PCAP or PCAPNG formats as input.

It is necessary to specify the parameters for building a decision tree:

• Decisions — the maximum nesting of the branch. Determines the search depth in the process of building a decision tree.

• Decision type — is an algorithm for building a decision tree.

  • First suitable decision — search for the first suitable solution;
  • All possible decisions — search for all possible solutions within the specified variability and maximum nesting level;
  • Decision of minimum length — traversal along the minimum length branches regardless of the solution completeness.

• Variability — data variability within the offset to build a branch. The maximum number of child branches of the decision tree.

• Bytes in packet — The number of first payload bytes to be analyzed. The limit on the number of first bytes allows you to create shortened signatures, for example, to apply the flex filter in JunOS. Reduces analysis time.

• Generate payload filter expressions — adds tcpdump or tshark filters to the report.

• Show hints — adds auxiliary sections to the report.

The report can be generated as a text file or as an interactive HTML page if the Interactive checkbox is set. The content of the report does not depend on the presentation form, but the interactive version has some advantages and is more convenient to use. The interactive report can be exported to an HTML page or JSON for later use outside of the PSG. Each section can be collapsed.

If no signature is extracted with the default settings, it can be difficult for clients to interpret hints and adjust search parameters. In this case, you should try Multipurpose Analyzer as the most comprehensive one.