Any journals on application layer communication?

I'm trying to build a packet sniffing program for my dissertation, which will be able to identify what applications are used on a network or a specific machine (via filtering) by TCP and UDP packets and analysing the payload inside of them...


However, I need references and previous research into how applications send information across the application layer in TCP or UDP packets, so I can pick up on their "signature" and record those specific packets and implement the types of programs in use.

Or if anyone can identify what specific information in a TCP packet to look for via hex? And the location of data in the datagram?


Sorry mods if it's in the wrong section, but I thought since I'm developing it, it would be best suited here...
 
Well, considering the number of applications using the payload is infinite and each packet could be from any part of the communication, it's a tall order.

If it's acting completely transparently then you would also have the issue that not all traffic may be routed past your application due to load balancing etc.

I would first work on reassembling the session and then work on payload.

Usually sniffers understand specific messaging. Ethereal would be an example of what you're doing.

Agreed, I'm looking to more specific everyday applications (which an average user would use, e.g. P2P, email, browser, IM, VoIP) that a user would enable, e.g. P2P software such as uTorrent or Outlook each have their own specific application protocol.

But still, how would I identify the application, e.g. like in Wireshark the use of the User-Agent in HTTP packets to identify the browser? Again, I know this as I've discovered it myself in Wireshark... however I need the references to back this up.

Also, regardless of transparency, I have insinuated the use of hubs or (IIRC it's called) port duplicating, in which to filter, as well as the use of promiscuous mode.
 