
Need help reading TCP traffic


Posted by ghost

I would like to know how to read the information held in the data portion of a TCP packet. I have tried to decode the hex bytes from Wireshark using this URL http://www.paulschou.com/tools/xlate/, to see if maybe the info was meant to be read as decimal instead of text, but that didn't pan out any seemingly useful information.

Are all data portions of TCP packets cryptic like the example below? Or does this show that some sort of encoding is being used?

I also tried (thinking that maybe the data is encrypted before transit) encoding some words that I know are used for the application such as "login", "password", "passw" and even characters such as "=" in all the major encryption methods like base64, md5, md4, SHA1, XOR etc., and then encoding the encrypted text in hex and searching through the Wireshark traffic for these hex values (obviously this was after capturing a successful login with Wireshark).

This is an example of what the hex-to-ASCII looks like in Wireshark:

.@…?.. .g6…E. ._..@… iq….B. …..L.. ..P…P. ……>w …..h.. …Vvo_6 …..AP. '…P%@P .m}..L; .f..<… o….

I get the feeling that because the data is being passed to an application the text will not be readable, similar to trying to look at a picture in Notepad and figure out what data is being passed.

So I am completely lost as to how to understand the data portion of these packets to see what parameters and such are being sent to this server and back to the application. Someone pointed me to an awesome tool to edit these packets in transit, but it's kinda hard to edit something you don't understand.

I would really appreciate any pointers on how to go about reading the information held in the data portion of these TCP packets.

Oh, and you also have the option to use a Java-based web application if you can't install the executable for whatever reason. Would it be easier to intercept the traffic coming from the Java-based application versus their executable version?
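Added example (not part of the original post, and not code from any tool the poster mentions): the part of the job Wireshark does before it shows you that hex-to-ASCII column is locating the TCP payload inside the frame, and the question of "is this text, or is it something else?" can be answered mechanically before you start guessing at encodings. The block below builds a constructed Ethernet/IPv4/TCP frame with a small plaintext payload, walks the headers to cut out the data portion, prints it as a classic hexdump, and classifies the payload by a few cheap checks (TLS record header, gzip magic, printable ratio). The `build_frame`, `parse_frame`, `hexdump` and `classify_payload` names and the sample bytes are all assumptions made for this example; checksums are left at zero because nothing here sends the frame.

```python
import string
import struct

# --- Constructed sample frame (example data, not a capture from the post) ---

def build_frame(payload: bytes, sport: int = 51000, dport: int = 80) -> bytes:
    """Build a minimal Ethernet + IPv4 + TCP frame carrying `payload`."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"     # dst MAC, src MAC, EtherType IPv4
    tcp_len = 20 + len(payload)
    ip_total = 20 + tcp_len
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto 6 = TCP, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    # sport, dport, seq, ack, data offset (5 words) << 4, flags PSH|ACK, window, checksum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

# --- Locating the data portion ---

def parse_frame(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> TCP headers and return the TCP payload plus key fields."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip_start = 14
    ihl = (frame[ip_start] & 0x0F) * 4                  # IPv4 header length in bytes
    total_len = struct.unpack("!H", frame[ip_start + 2:ip_start + 4])[0]
    if frame[ip_start + 9] != 6:
        raise ValueError("not a TCP segment")
    tcp_start = ip_start + ihl
    sport, dport = struct.unpack("!HH", frame[tcp_start:tcp_start + 4])
    data_off = (frame[tcp_start + 12] >> 4) * 4         # TCP header length incl. options
    flags = frame[tcp_start + 13]
    payload_start = tcp_start + data_off
    payload_end = ip_start + total_len                  # ignores Ethernet trailer padding
    return {
        "sport": sport,
        "dport": dport,
        "psh": bool(flags & 0x08),
        "payload": frame[payload_start:payload_end],
    }

# --- Looking at the bytes the way Wireshark's bytes pane does ---

def hexdump(data: bytes, width: int = 16) -> str:
    """Offset, hex bytes, and ASCII column with '.' for non-printable bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asciipart = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  {asciipart}")
    return "\n".join(lines)

def classify_payload(payload: bytes) -> str:
    """Cheap checks that explain *why* a payload looks like gibberish."""
    if not payload:
        return "empty"
    # TLS record header: content type 0x14-0x17, then version 3.0-3.3
    if payload[0] in (0x14, 0x15, 0x16, 0x17) and payload[1:3] in (b"\x03\x00", b"\x03\x01", b"\x03\x02", b"\x03\x03"):
        return "tls-record"
    if payload[:2] == b"\x1f\x8b":
        return "gzip"
    printable = sum(1 for b in payload if chr(b) in string.printable)
    return "text" if printable / len(payload) > 0.9 else "binary"

if __name__ == "__main__":
    sample = build_frame(b"GET /login HTTP/1.1\r\nHost: example.test\r\n\r\n")
    info = parse_frame(sample)
    print(f"{info['sport']} -> {info['dport']}  PSH={info['psh']}  kind={classify_payload(info['payload'])}")
    print(hexdump(info["payload"]))
```

If `classify_payload` reports `tls-record` on the first data-carrying segment after the handshake, no amount of hex-to-decimal conversion will recover the fields: the application is speaking TLS, and the readable form only exists at the endpoints. A `text` result on a login exchange is the finding a defender would flag, since it means credentials crossed the wire unprotected.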