tattoo: nodecode - binary stream analysis

Overview

nodecode does some packet size statistics (infact this where the code in nstruct came from) and more importantly compares like-sized messages, analyzing the variability in byte-position values. In other words, it basically compares how many different values there are for a given-byte position. For example, encrypted values should have a very high variability (entropy?) and address fields (assuming a client/server) will have values of 2. There are also some interesting things you can see by analyzing the shifts from lower to higher variability byte-positions or vice-versa. Anyway, look at the sample run if none of this makes sense.
Usage

usage: # nodecode.rb [file] [start] [stop] [depth] [minimum] [expression]
Bugs and Limitations

Sample Run


4774 packets captured
96 different sized packets
Largest packet was: 1160 bytes.
Smallest packet was: 54 bytes.
We will analyze the 16 most common packets (by size).

Packet size statistics:
-----------------------
541: 1  161: 1  978: 1  142: 1  445: 1  460: 1  464: 1  526: 1  198: 1  103: 1  112: 1  133: 1  466: 1  109: 1  463: 1  539: 1  1160: 1      138: 1  461: 1  127: 1  201: 1  467: 1  202: 1  481: 1  129: 1  524: 1  462: 1  154: 1  449: 1  110: 1  547: 1  525: 1  99: 1158: 2  120: 2  149: 2  187: 2  1078: 2 79: 2   140: 2  118: 2  104: 2  446: 2  139: 2  92: 2   108: 3  94: 3   93: 3   95: 3   91: 3135: 3  87: 3   124: 4  97: 4   119: 4  88: 4   81: 4   107: 4  84: 5   70: 5   77: 5   115: 5  71: 6   378: 6  82: 6   72: 7   76: 796: 7   64: 9   106: 10 83: 10  75: 10  66: 13  85: 14  80: 14  67: 15  86: 17  78: 17  63: 21  73: 21  69: 22  100: 22 74: 23  90: 24       61: 30  65: 30  68: 43  62: 93  117: 108        102: 186        132: 198        98: 212 116: 229        114: 776        54: 1164     60: 1282


The most common packet sizes were: 60 54 114 116 98 132 102 117 62 68 65 61 90 74 100 69 



[60 byte packets]

...................................................................................................................................
...................................................................................................................................
...................................................................................................................................
...................................................................................................................................
...................................................................................................................................
...................................................................................................................................
...................................................................................................................................
...................................................................................................................................
...................................................................................................................................
.....................................................................................
[54 byte packets]

...................................................................................................................................
...................................................................................................................................
...................................................................................................................................
...................................................................................................................................
...................................................................................................................................
...................................................................................................................................
...................................................................................................................................
...................................................................................................................................
....................................................................................................
[114 byte packets]

...................................................................................................................................
...................................................................................................................................
...................................................................................................................................
...................................................................................................................................
...................................................................................................................................
...............................................................................................................
[116 byte packets]

...................................................................................................................................
................................................................................................
[98 byte packets]

...................................................................................................................................
...............................................................................
[132 byte packets]

...................................................................................................................................
.................................................................
[102 byte packets]

...................................................................................................................................
.....................................................


Analyzing column variation
[0] 1 [1] 2 [2] 3 [3] 3 [4] 3 [5] 3 [6] 1 [7] 2 [8] 2 [9] 2 [10] 2 [11] 2 [12] 1 [13] 1 [14] 1 [15] 1 [16] 1 [17] 7 [18] 18 [19] 25
[20] 2 [21] 1 [22] 2 [23] 1 [24] 18 [25] 255 [26] 1 [27] 1 [28] 1 [29] 2 [30] 1 [31] 1 [32] 1 [33] 3 [34] 4 [35] 5 [36] 3 [37] 23 [
] 6 [39] 24 [40] 248 [41] 237 [42] 7 [43] 25 [44] 243 [45] 142 [46] 2 [47] 6 [48] 10 [49] 93 [50] 248 [51] 254 [52] 1 [53] 1 [54] 2
[55] 75 [56] 100 [57] 102 [58] 91 [59] 90 [60] 1 


Analyzing 132 byte-sized packets (198 of them)

Analyzing column variation
[0] 1 [1] 2 [2] 2 [3] 2 [4] 2 [5] 2 [6] 1 [7] 1 [8] 1 [9] 1 [10] 1 [11] 1 [12] 1 [13] 1 [14] 1 [15] 1 [16] 1 [17] 1 [18] 10 [19] 14
[20] 1 [21] 1 [22] 1 [23] 1 [24] 10 [25] 148 [26] 1 [27] 1 [28] 1 [29] 1 [30] 1 [31] 1 [32] 1 [33] 2 [34] 2 [35] 2 [36] 2 [37] 4 [3
 3 [39] 5 [40] 150 [41] 74 [42] 4 [43] 4 [44] 132 [45] 117 [46] 1 [47] 1 [48] 1 [49] 1 [50] 159 [51] 137 [52] 1 [53] 1 [54] 2 [55] 
[56] 2 [57] 2 [58] 2 [59] 3 [60] 2 [61] 2 [62] 2 [63] 2 [64] 2 [65] 2 [66] 142 [67] 5 [68] 2 [69] 2 [70] 3 [71] 3 [72] 2 [73] 2 [74
2 [75] 2 [76] 2 [77] 2 [78] 2 [79] 2 [80] 2 [81] 2 [82] 2 [83] 1 [84] 2 [85] 2 [86] 2 [87] 2 [88] 2 [89] 2 [90] 2 [91] 2 [92] 2 [93
2 [94] 2 [95] 2 [96] 2 [97] 2 [98] 2 [99] 2 [100] 2 [101] 2 [102] 2 [103] 2 [104] 2 [105] 2 [106] 2 [107] 2 [108] 2 [109] 2 [110] 2
111] 2 [112] 2 [113] 2 [114] 2 [115] 2 [116] 2 [117] 2 [118] 2 [119] 2 [120] 2 [121] 2 [122] 2 [123] 2 [124] 2 [125] 2 [126] 2 [127
2 [128] 2 [129] 2 [130] 2 [131] 2 [132] 1 


Analyzing 61 byte-sized packets (30 of them)

Analyzing column variation
[0] 1 [1] 1 [2] 1 [3] 1 [4] 1 [5] 1 [6] 1 [7] 1 [8] 1 [9] 1 [10] 1 [11] 1 [12] 1 [13] 1 [14] 1 [15] 1 [16] 1 [17] 1 [18] 6 [19] 29 
0] 1 [21] 1 [22] 1 [23] 1 [24] 5 [25] 29 [26] 1 [27] 1 [28] 1 [29] 1 [30] 1 [31] 1 [32] 1 [33] 1 [34] 1 [35] 1 [36] 1 [37] 6 [38] 1
39] 6 [40] 17 [41] 30 [42] 3 [43] 6 [44] 6 [45] 6 [46] 1 [47] 1 [48] 1 [49] 1 [50] 23 [51] 28 [52] 1 [53] 1 [54] 6 [55] 8 [56] 9 [5
 11 [58] 7 [59] 8 [60] 8 [61] 1