Protobuf filter and HTTP headers
#251
Protobuf filter and HTTP headers 2 Years, 2 Months ago Karma: 0
Hi,

Often http is used as the main transport protocol with protobuf inside POST content.

Is there a way to have the protobuf plugin only try to decode the POST content and ignore http headers?

Thanks,
Scott

I have attached a sample tcpdump file. Note the normal http traffic with protobuf post content.
 
#252
Re:Protobuf filter and HTTP headers 2 Years, 2 Months ago Karma: 0
*attached tcpdump
 
#253
Re:Protobuf filter and HTTP headers 2 Years, 2 Months ago Karma: 0
one more try, filesize too big
File Attachment:
File Name: stream.zip
File Size: 81649
 
#254
Re:Protobuf filter and HTTP headers 2 Years, 2 Months ago Karma: 2
Hi Scott,

Okay we have a new build (1.8.0.1423) that can decode POST content. You can get it from our downloads page.

1. Install the new build (if you are upgrading, clean up your old configuration folder %APPDATA%\Unleash Networks\Unsniff)

2. Start Unsniff and import or sniff the packets off the wire. You should see something like this in the PDU sheet.

3. Unsniff will pull out all POST body and responses into PDUs. Note that PDUs are an Unsniff feature that allows you to monitor entire messages, which can span multiple packets.

The packets are just shown as DATA because the default protocol attached to the POST application/octet-stream type is called "DATA". "DATA" just means the entire payload is treated as an opaque blob.


4. To go further, we need to attach your PROTO file which describes the blob to the application/octet-stream type.

5. Go to Plugins -> Configure, scroll down to HTTP and enter the following GUID in the space for Protocol for application/octet-stream. (See image 2)

Code:


{B11F24EC-599C-486f-9E7E-56F5026F3A7A}



This GUID represents the specific PROTO we want to use to interpret the BLOB in the post body.

6. Now copy your PROTO file to the %APPDATA%\Unleash Networks\Unsniff\XMLPlugs directory.

7. Edit the generic_protobuf.xml file found in the Program Files\Unleash Networks\Unsniff\XMLPlugs directory. Enter the name of the PROTO file and the name of the ROOT FIELD.

8. Upon restart, Unsniff will try to use the proto file to decode the blobs found in the post. With my dummy proto file I get something like image3.

9. Open the View > Log Window to look for errors.
Vivek R
Unleash Networks
Support : www.unleashnetworks.com/forums
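
An added example (not part of the original thread and not Unsniff code): what "decode only the POST content and ignore the HTTP headers" amounts to, written as a standalone sketch. The function names and the sample request are constructed for illustration. It goes beyond the thread by decoding the protobuf wire format without a PROTO file, so fields come out by number rather than by name.

```python
def split_http_post(raw):  # raw = one reassembled request; returns (headers, body)
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header block")
    pairs = (line.partition(b":") for line in head.split(b"\r\n")[1:])
    headers = {k.strip().lower(): v.strip() for k, _, v in pairs}
    length = int(headers.get(b"content-length", len(rest)))
    if len(rest) < length:
        raise ValueError("body truncated; reassemble the stream first")
    return headers, rest[:length]

def read_varint(buf, pos):
    result = shift = 0
    while pos < len(buf) and shift < 64:
        result |= (buf[pos] & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
        if not buf[pos - 1] & 0x80:               # high bit clear: last byte
            return result, pos
    raise ValueError("bad varint")

def decode_protobuf(buf):  # schema-less: (field_number, wire_type, value) tuples
    fields, pos = [], 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        number, wire_type = key >> 3, key & 7
        if wire_type == 0:                        # varint
            value, pos = read_varint(buf, pos)
        elif wire_type == 2:                      # length-delimited
            size, pos = read_varint(buf, pos)
            value, pos = buf[pos:pos + size], pos + size
        elif wire_type in (1, 5):                 # fixed 64-bit / 32-bit
            size = 8 if wire_type == 1 else 4
            value, pos = buf[pos:pos + size], pos + size
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        if pos > len(buf):
            raise ValueError("field runs past end of body")
        fields.append((number, wire_type, value))
    return fields

def decode_post(raw):
    headers, body = split_http_post(raw)
    is_blob = headers.get(b"content-type") == b"application/octet-stream"
    return decode_protobuf(body) if is_blob else None

# Constructed sample: field 1 = varint 150, field 2 = bytes "scott".
SAMPLE = (b"POST /rpc HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Type: application/octet-stream\r\n"
          b"Content-Length: 10\r\n\r\n\x08\x96\x01\x12\x05scott")
```

Passing the whole request to `decode_protobuf` instead of `decode_post` fails on the request line, which is why the headers have to be split off before the decoder runs.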
 
#255
Re:Protobuf filter and HTTP headers 2 Years, 2 Months ago Karma: 2
Image : POST payloads shown as blobs



Image : Enter the Protocol GUID to tell Unsniff to use your PROTO file to decode the POST payloads




Image : Put your PROTO file in APPDATA\Unleash..\Unsniff\XMLPlugs and modify the generic_protobuf.xml in the program files\unleas..\unsni..\xmlplugs directory to point to this. This is what I get with a dummy file. If you use your proto file you ought to get a fully decoded message.
Last Edit: 2009/11/25 07:28 By vivek [unleash].Reason: another image
Vivek R
Unleash Networks
Support : www.unleashnetworks.com/forums
 
#256
Re:Protobuf filter and HTTP headers 2 Years, 2 Months ago Karma: 0
Awesome! Thanks Vivek.

- I got it working. I did have to copy my edited generic_protobuf.xml from program files/.. into application data as well as copying over the .proto file.

- The rootfield is different between the request and response. Is there any way to have Unsniff use a different root field for the response vs the request? Perhaps using two different protocols?

Thanks again,
Scott
 