01/14/2016 7:30 AM

Using Wireshark To Identify Application Signatures

Tracking down application signatures in packets can be crucial for network troubleshooting.

An application signature is a pattern within your packets from an application or task. You may be familiar with application signatures from the security world, where people research worms, viruses, malicious applications or network attacks. In this video, I use the network protocol analyzer Wireshark to focus on application baselining and the network troubleshooting aspect of application signatures, but the concept can be carried through to other disciplines.

Identifying application signatures becomes an important skill when you are troubleshooting what you believe is anomalous traffic.



To find an application signature using Wireshark, capture packets from your application and look either in the detail pane or in the bytes pane for a pattern. It’s critical that you pay attention to what you were doing when you captured those packets, for example logging in, printing, or running a query from your application of choice.

If you’re lucky, you will see a pattern; if you’re very lucky, that pattern will be in clear text. And if you’re unlucky, that pattern might only be visible in hex or binary, but you should always try to find out whether there is a pattern within your application’s traffic.

If your application is using well-known protocols such as HTTP or SQL, you will find that your protocol analyzer will decode the commands for you and will make life a lot easier. Even when this is the case, you should pay attention because your application data after the command may also contain an application signature.

A good example is a web application that uses HTTP: the analyzer decodes the HTTP commands for you, but within the payload there may still be a signature or pattern identifying the database, application call or task.
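The procedure above, taken one step further as an added example (this is not code from the original post or from Wireshark): instead of eyeballing the bytes pane, the script takes the payloads captured while performing one task, finds the longest byte string they all share, and renders it as a Wireshark `contains` display filter in either quoted-string or colon-hex form, covering both the clear-text and the binary case. The "ACME" protocol, its payload bytes, the heartbeat frames and the labels are constructed for illustration, and the `tcp.payload` field name is assumed.

```python
"""
Added example (not code from the original post): derive a candidate application
signature from payloads captured while performing one task, then render it as a
Wireshark display filter. The payloads below are constructed stand-ins for what
the bytes pane would show; in practice they come from a capture.
"""
from __future__ import annotations

# Constructed sample payloads. The "ACME" protocol and its framing are assumed
# for illustration: STX, a two-byte length, a text command, then ETX.
LOGIN_PAYLOADS = [
    b"\x02\x00\x1cACME-LOGIN user=alice\x03",
    b"\x02\x00\x1aACME-LOGIN user=bob\x03",
    b"\x02\x00\x1eACME-LOGIN user=charlie\x03",
]
# Unrelated traffic captured at the same time: an HTTP request and a different
# command from the same application (shares "ACME-" but not the login pattern).
OTHER_PAYLOADS = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"\x02\x00\x10ACME-PRINT job=7\x03",
]
# The "unlucky" case from the article: a binary heartbeat whose only fixed
# part is a run of non-printable bytes followed by a counter.
HEARTBEAT_PAYLOADS = [
    b"\xaa\x55\x01\x00\x00\x01",
    b"\xaa\x55\x01\x00\x00\x02",
    b"\xaa\x55\x01\x00\x00\x03",
]
ALL_PAYLOADS = LOGIN_PAYLOADS + OTHER_PAYLOADS + HEARTBEAT_PAYLOADS


def derive_signature(payloads: list[bytes], min_len: int = 4) -> bytes:
    """Return the longest byte string present in every payload (>= min_len), or b"".

    Brute force over substrings of the shortest payload, longest first; fine
    for the handful of packets you would select while baselining one task.
    """
    if not payloads:
        return b""
    shortest = min(payloads, key=len)
    for length in range(len(shortest), min_len - 1, -1):
        for start in range(len(shortest) - length + 1):
            candidate = shortest[start:start + length]
            if all(candidate in p for p in payloads):
                return candidate
    return b""


def to_display_filter(signature: bytes, field: str = "tcp.payload") -> str:
    """Render a signature as a Wireshark 'contains' filter.

    Printable ASCII (without quotes or backslashes) becomes a quoted string;
    anything else becomes the colon-separated hex form Wireshark accepts for
    byte sequences. The field name defaults to tcp.payload (assumed).
    """
    printable = all(0x20 <= b <= 0x7E and b not in (0x22, 0x5C) for b in signature)
    if printable:
        return f'{field} contains "{signature.decode("ascii")}"'
    return f"{field} contains {':'.join(f'{b:02x}' for b in signature)}"


def matching_indices(payloads: list[bytes], signature: bytes) -> list[int]:
    """Indices of payloads that carry the signature (what the filter would show)."""
    return [i for i, p in enumerate(payloads) if signature in p]


if __name__ == "__main__":
    for name, group in (("login", LOGIN_PAYLOADS), ("heartbeat", HEARTBEAT_PAYLOADS)):
        sig = derive_signature(group)
        print(f"{name}: signature={sig!r}")
        print(f"  filter: {to_display_filter(sig)}")
        print(f"  matches in full capture: {matching_indices(ALL_PAYLOADS, sig)}")
```

Running it shows the login task reduces to the clear-text pattern `ACME-LOGIN user=` and the heartbeat to the hex run `aa:55:01:00:00`; applying either filter to the mixed capture selects only the packets from that task, while the print command, which shares the `ACME-` prefix, is left out. Deriving a signature across the whole mixed capture returns nothing, which is the expected result when the selected packets do not all belong to one task.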


application signatures

Thanks for this video Tony. I've always heard of this topic in the context of security, so it's interesting to hear about it in the network troubleshooting context.

thanks Marcia

Re: thanks Marcia

Great video. I take it that the same might be applicable to virtually any device, for instance the Nest Thermostat. Once the signature has been identified, it can be used to pinpoint network congestion events, added to a firewall exception list or studied to create a DIY IoT thermostat. I wonder if there are any other major use cases for the user.

Application Sign

I guess this is one of the requirements techies are trying to develop in firewalls as well, wherein a next-generation firewall can identify and control applications on any port, not just standard ports.

Re: Application Sign

Good point @aditshar. Interestingly, I read an article about the potential for "application signature bloat" in next-gen firewalls because of all the app signatures that come built-in combined with the ones organizations add for custom apps, etc.