goals

1. Identify discrete protocols - if protcol tunneling is going on, or if multiple protocols are using the the same port of even different ports, how do we go about identifying the specific protocols?
2. Determine PDU structure - what are the headers and data? what are the field boundaries? Message fields generally have the following functions
   • identity - addresses, port numbers, call signs, etc.
   • sequencing - track the order of messages
   • type code - what kind of message it it? think Ethernet Type, IP protocol type, and much much more
3. Determine communication relationships - unicast, multicast, client-server, p2p, you get the point...
4. Determine if authentication is used - plaintext, shared key, some sort of key exchange
5. Determine if encryption used and what type - I'm not a crypto guy, but stuff like shared key, are they using some bogus XOR algorithm, etc.

methods

Some assuming we have a traffic dump, we can compare individual messages with messages that we know are are a different protocol (like-unlike) or compare messages we know are the same (like-unlike) based on a number of characteristics

• message size - normally, we can quickly group messages together that are the same size, are there fixed length messages/fields or variable length
• byte-position frequency/variability - if you "line up" the messages and count on the number of different values that are possible for that byte (basically a column). If you do this on encrypted data you'll see that the counts are very high. You can also use this technique to distinguish between different fields and/or protocol layers.
• motifs - you see the same string of bytes appears over and over again, perhaps in the same position of the message, perhaps in different positions
• incrementation - fields such as IP IDs and TCP sequence numbers and some stuff in IPSEC increment upwards. This is pretty easy to spot.