Help needed to decode please

28smarty (Beta member, Scotland)
Hi

I really need some help decoding the following:
E..4��@.@..��..��޷�H.��ݩ.*�'�P.��...... 2+�`�&�..
WhatsAppSnifferTCPDump E 4 H P 2
WhatsAppSnifferShowALL IP 173.192.222.183.443 > 192.168.1.4.59720: tcp 0
WhatsAppSnifferTCPDump IP 173 192 222 183 443 192 168 1 4 59720: tcp 0
WhatsAppSnifferShowALL E..(�j@.3.QA��޷�...��H*�'��ݩ.P....&..���.#t
WhatsAppSnifferTCPDump E ( j 3 QA H P t
WhatsAppSnifferShowALL IP 192.168.1.4.59720 > 173.192.222.183.443: tcp 10
WhatsAppSnifferTCPDump IP 192 168 1 4 59720 173 192 222 183 443: tcp 10
WhatsAppSnifferShowALL E..2��@.@..��..��޷�H.��ݩ.*�'�P.��y�.....���`.��
WhatsAppSnifferTCPDump E 2 H P y
WhatsAppSnifferShowALL IP 173.192.222.183.443 > 192.168.1.4.59720: tcp 10
WhatsAppSnifferTCPDump IP 173 192 222 183 443 192 168 1 4 59720: tcp 10
WhatsAppSnifferShowALL E..2�.@.3...��޷�...��H*�'��ݩ"P...#S......�I3&�'
WhatsAppSnifferTCPDump E 2 3 H P S I3
WhatsAppSnifferShowALL IP 192.168.1.4.59720 > 173.192.222.183.443: tcp 0
WhatsAppSnifferTCPDump IP 192 168 1 4 59720 173 192 222 183 443: tcp 0
WhatsAppSnifferShowALL E..(��@.@..��..��޷�H.��ݩ"*�'�P.���D..
WhatsAppSnifferTCPDump E ( H P D
WhatsAppSnifferShowALL IP 192.168.1.4.59720 > 173.192.222.183.443: tcp 0
WhatsAppSnifferTCPDump IP 192 168 1 4 59720 173 192 222 183 443: tcp 0
WhatsAppSnifferShowALL E..(��@.@..��..��޷�H.��ݩ"*�'�P.���C..
WhatsAppSnifferTCPDump E ( H P C
WhatsAppSnifferShowALL IP 173.192.222.183.443 > 192.168.1.4.59720: tcp 0
WhatsAppSnifferTCPDump IP 173 192 222 183 443 192 168 1 4 59720: tcp 0
WhatsAppSnifferShowALL E..(�?@.3..l��޷�...��H*�'��ݩ#P.......y�c.#_
WhatsAppSnifferTCPDump E ( ? 3 l H P y c
WhatsAppSnifferShowALL IP 173.192.222.183.443 > 192.168.1.4.59720: tcp 0
WhatsAppSnifferTCPDump IP 173 192 222 183 443 192 168 1 4 59720: tcp 0
WhatsAppSnifferShowALL E..(�B@.3..i��޷�...��H*�'��ݩ#P.......I. �#^
WhatsAppSnifferTCPDump E ( B 3 i H P I
WhatsAppSnifferShowALL IP 192.168.1.4.59720 > 173.192.222.183.443: tcp 0
WhatsAppSnifferTCPDump IP 192 168 1 4 59720 173 192 222 183 443: tcp 0
WhatsAppSnifferShowALL E..(..@.@.��..��޷�H.��ݩ#*�'�P.���B..
WhatsAppSnifferTCPDump E ( H P B
 
Hi,
Looking at your data (and the fact it's using words like 'sniffer' and 'tcpdump') suggests you've obtained this from performing a packet capture of some sort. Now, I'm guessing, since you aren't sure what this is (hence the question to decode it), that you didn't manually invoke this capture, but an app (presumably 'WhatsApp') did this for you.

Performing a packet capture is known as 'sniffing' your interface. Essentially it just collects all the data, inbound and outbound, which passes through that interface - and applies an optional filter in the process.

One thing which will confuse you with the output you posted is that it has actually mixed two streams of information together: one textual (the 'ShowAll' lines) and one raw data (the 'TCPDump' lines). What you actually need to have is two separate files; the first (textual) will likely end in .txt (presuming this is on Windows) and the second (raw data) will end in .pcap, the standard file extension for the 'Packet CAPture' data format.

The text file you can view in wordpad/notepad, but for the raw data file you'll need to download a 'packet analyzer' which is not as hard to use as it sounds, essentially just visit https://www.wireshark.org/download.html and pick the installer for your platform.

Once you've installed this (and the associated 'WinPcap' library, which Windows will ask you to install as well if you don't already have it, so say yes to that) you'll be able to open the .pcap file and look at your network traffic.

At this point I should state, just in case you try, that you CANNOT copy and paste the 'TCPdump' lines out of the log you posted here into a file with a .pcap extension and have it magically work. The application (WhatsApp) should have created this for you; if it hasn't, then I have no idea what it was trying to achieve. The reason those characters look so odd is that they are known as 'unprintables', those which fall outside of the standard ASCII range.

For the benefit of anyone else reading this who is interested: you can always tell when you're dealing with packet capture data (even if you don't have anything obvious to suggest it, like references to TCPdump or plaintext logs of IP address information) because near the beginning of each packet (the start of the Network Layer, to be precise) you'll almost always see a capital 'E', which is 0x45 in hexadecimal. The first character denotes that IP version 4 is being used, and the 5 is a multiplier to compute the length of the packet header; it should always be multiplied by 4 to get the actual length value, in this instance 20 bytes (4*5). Note that this 4 has nothing to do with the 4 in 0x45; it is just an agreed constant. Well over 99% of packets on the internet will have this 0x45 in them, so 'E' acts as a good marker for identifying packet data without any prior knowledge.

Good luck decoding, and let us know if there's anything else you need. I should also just say, before closing, that you'll probably want to read some of the documentation on the Wireshark page in order to understand what it's actually showing you, since it can be very daunting to those who haven't done any packet analysis before.
 
it says I'm really really hot for you babe,


nah, just kidding.
now stop trying to spy on your girlfriend's/wife's conversations!

your biggest problem is that the data is encrypted.
that address:
173.192.222.183.443 > 192.168.1.4.59720:
192.168.1.4.59720 > 173.192.222.183.443

suggests that the device that is sending and receiving data (192.168.1.4) has a random high port, but connects to 173.192.222.183 (SoftLayer, aka e8.whatsapp.net) on port 443 (HTTPS).

so first you need to capture the data, then figure out what encryption is used, and then reverse said encryption, and voilà, you'll have 8 messages to and from some people...
 
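As an added example (not part of either reply, and not the sniffer app's code), here is how a packet analyzer reads the 'E' byte and the IPv4/TCP headers behind it, and how the client high port and server port 443 that the second reply points at fall out of the TCP header. The packet is constructed here to match the addresses, ports and 10-byte payload seen in the posted capture; the checksums are left at zero.

```python
import struct
import ipaddress

IP_PROTO_TCP = 6


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Decode the IPv4 header (and the TCP header behind it) the way an analyzer does."""
    if len(pkt) < 20:
        raise ValueError("too short for an IPv4 header")
    version = pkt[0] >> 4           # high nibble of 'E' (0x45): IP version 4
    ihl_words = pkt[0] & 0x0F       # low nibble: header length in 32-bit words (5)
    if version != 4:
        raise ValueError(f"not IPv4 (version={version})")
    ip_hdr_len = ihl_words * 4      # the "multiply by 4" from the reply: 5 * 4 = 20 bytes
    if ip_hdr_len < 20 or len(pkt) < ip_hdr_len:
        raise ValueError("invalid IHL")
    total_len, = struct.unpack_from("!H", pkt, 2)
    proto = pkt[9]
    fields = {"version": version, "ip_header_len": ip_hdr_len, "total_len": total_len,
              "protocol": proto, "src": str(ipaddress.IPv4Address(pkt[12:16])),
              "dst": str(ipaddress.IPv4Address(pkt[16:20]))}
    if proto == IP_PROTO_TCP and len(pkt) >= ip_hdr_len + 20:
        sport, dport = struct.unpack_from("!HH", pkt, ip_hdr_len)
        tcp_hdr_len = (pkt[ip_hdr_len + 12] >> 4) * 4   # TCP data offset: same nibble trick
        fields.update({"sport": sport, "dport": dport, "tcp_header_len": tcp_hdr_len,
                       "payload_len": total_len - ip_hdr_len - tcp_hdr_len})
    return fields


def looks_like_ipv4_start(chunk: bytes) -> bool:
    """Rule of thumb from the reply: a plain IPv4 header almost always begins with 0x45."""
    return len(chunk) >= 20 and chunk[0] == 0x45 and chunk[9] in (1, 6, 17)  # ICMP/TCP/UDP


def build_sample_packet() -> bytes:
    """Constructed sample (not from the capture): 173.192.222.183:443 -> 192.168.1.4:59720."""
    payload = b"\x00" * 10                  # 10 bytes, matching the "tcp 10" lines in the dump
    # TCP: ports, seq, ack, data offset 5 words, flags PSH|ACK, window, checksum (left 0), urg
    tcp = struct.pack("!HHIIBBHHH", 443, 59720, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4: 0x45, TOS, total length, ID, DF flag, TTL, protocol, checksum (left 0), src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, IP_PROTO_TCP, 0,
                     ipaddress.IPv4Address("173.192.222.183").packed,
                     ipaddress.IPv4Address("192.168.1.4").packed)
    return ip + tcp + payload
```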