Tracking down application signatures in packets can be crucial for network troubleshooting.
An application signature is a pattern within your packets from an application or task. You may be familiar with application signatures from the security world, where people research worms, viruses, malicious applications or network attacks. In this video, I use the network protocol analyzer Wireshark to focus on application baselining and the network troubleshooting aspect of application signatures, but the concept can be carried through to other disciplines.
Identifying application signatures becomes an important skill when you are troubleshooting what you believe is anomalous traffic.
To find an application signature using Wireshark, capture packets from your application and look either in the detail pane or in the bytes pane for a pattern. It’s critical that you pay attention to what you were doing when you captured those packets. For example logging in, printing, or querying from your application of choice.
If you’re lucky you will see a pattern; if you’re very lucky that pattern will be in clear text. And if you’re unlucky, that pattern might be in hex or binary, but you should always try to find out if there is a pattern within your application.
If your application is using well-known protocols such as HTTP or SQL, you will find that your protocol analyzer will decode the commands for you and will make life a lot easier. Even when this is the case, you should pay attention because your application data after the command may also contain an application signature.
A good example would be when using HTTP for your web application, but within the payload there may be a signature or pattern identifying the database, application call or task.