tattoo: random thoughts on traffic analysis


  1. Identify discrete protocols - if protocol tunneling is going on, or if multiple protocols are using the same port or even different ports, how do we go about identifying the specific protocols?
  2. Determine PDU structure - what are the headers and data? what are the field boundaries? Message fields generally have the following functions:
    • identity - addresses, port numbers, call signs, etc.
    • sequencing - track the order of messages
    • type code - what kind of message is it? think Ethernet Type, IP protocol type, and much much more
  3. Determine communication relationships - unicast, multicast, client-server, p2p, you get the point...
  4. Determine if authentication is used - plaintext, shared key, some sort of key exchange
  5. Determine if encryption is used and what type - I'm not a crypto guy, but stuff like shared key, are they using some bogus XOR algorithm, etc.


So assuming we have a traffic dump, we can compare individual messages with messages that we know are a different protocol (like-unlike) or compare messages we know are the same protocol (like-like) based on a number of characteristics
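As a worked example of steps 2 and 3 plus the like-like / like-unlike comparison above, here is a small byte-position statistics pass over a constructed capture. This is an added example, not part of the original note: the message format (2-byte magic, 1-byte type, 2-byte big-endian sequence, 4-byte source id, payload), the sample messages and the thresholds (`max_values`, counter `width`) are all assumptions made for illustration. The idea is that offsets which never change look like magic/version, offsets with a handful of values look like type codes (or addresses, which the statistic alone cannot separate), windows that count upward across the capture look like sequence numbers, and the fraction of equal bytes between two messages is a crude like/unlike score.

```python
"""Sketch PDU structure from a set of captured messages by looking at
per-offset byte statistics.  Added example, not from the original note;
the protocol below is made up for illustration."""
import struct


def build_sample_capture():
    """Constructed capture of a made-up protocol:
    [magic 2B][type 1B][seq 2B BE][src id 4B][payload ...]"""
    msgs = []
    for seq, (mtype, src, payload) in enumerate([
        (0x01, 0xC0A80001, b"hello"),
        (0x02, 0xC0A80002, b"ack"),
        (0x01, 0xC0A80001, b"more data"),
        (0x02, 0xC0A80002, b"ack"),
        (0x03, 0xC0A80003, b"bye"),
        (0x02, 0xC0A80002, b"ack"),
    ], start=1):
        msgs.append(b"\xAB\xCD" + bytes([mtype]) + struct.pack(">HI", seq, src) + payload)
    return msgs


def common_prefix_len(msgs):
    """Only offsets present in every message can be compared column-wise."""
    return min(len(m) for m in msgs)


def column_cardinality(msgs):
    """Number of distinct byte values seen at each offset of the common prefix."""
    n = common_prefix_len(msgs)
    return [len({m[i] for m in msgs}) for i in range(n)]


def constant_offsets(msgs):
    """Offsets that never change: magic numbers, version fields, padding.
    Caveat: in a short capture the high-order byte of a counter or an
    address prefix also looks constant (offset 3 and 5-7 in the sample)."""
    return [i for i, c in enumerate(column_cardinality(msgs)) if c == 1]


def low_cardinality_offsets(msgs, max_values=3):
    """Offsets that vary but take only a few values: type-code candidates.
    An address byte with few distinct senders (offset 8 in the sample) lands
    here too; telling the two apart needs the communication-relationship view."""
    return [i for i, c in enumerate(column_cardinality(msgs)) if 1 < c <= max_values]


def sequence_candidates(msgs, width=2):
    """Offsets where a big-endian integer of `width` bytes strictly increases
    across the capture: sequence-number candidates.  Every window that
    overlaps a counter also increases (counter low byte followed by a constant
    byte), so overlapping windows are collapsed to the one with the smallest step."""
    n = common_prefix_len(msgs)
    cands = []
    for i in range(n - width + 1):
        vals = [int.from_bytes(m[i:i + width], "big") for m in msgs]
        diffs = [b - a for a, b in zip(vals, vals[1:])]
        if diffs and all(d > 0 for d in diffs):
            cands.append((i, min(diffs)))
    best = []
    for off, step in cands:
        if best and off < best[-1][0] + width:
            if step < best[-1][1]:
                best[-1] = (off, step)
        else:
            best.append((off, step))
    return [off for off, _ in best]


def likeness(a, b):
    """Fraction of equal bytes over the shared prefix.  Like-like pairs score
    high, like-unlike pairs (different protocols) score near zero."""
    n = min(len(a), len(b))
    return sum(1 for i in range(n) if a[i] == b[i]) / n if n else 0.0


def summarize(msgs):
    return {
        "constant": constant_offsets(msgs),
        "type_code_candidates": low_cardinality_offsets(msgs),
        "sequence_candidates": sequence_candidates(msgs),
    }


if __name__ == "__main__":
    capture = build_sample_capture()
    print(summarize(capture))
    print("like-like  :", likeness(capture[1], capture[3]))
    print("like-unlike:", likeness(capture[0], b"GET / HTTP/1.0\r\n"))
```

On the sample the pass finds the magic at offsets 0-1, flags offsets 2 and 8 as type-code candidates (2 is the real type byte, 8 is the low byte of the source id), and picks offset 3 as the sequence number. The false positives are the point: column statistics give candidates, and the identity / sequencing / type-code roles from step 2 are assigned by checking each candidate against the communication relationships from step 3.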