Old 02-22-2014, 12:32 PM   #1
Beta Member
 
Join Date: Feb 2014
Location: scotland
Posts: 1
Default Help needed to decode please

Hi

I really need some help decoding the following:
E..4��@.@..��..��޷�H.��ݩ.*�'�P.��...... 2+�`�&�..
WhatsAppSnifferTCPDump E 4 H P 2
WhatsAppSnifferShowALL IP 173.192.222.183.443 > 192.168.1.4.59720: tcp 0
WhatsAppSnifferTCPDump IP 173 192 222 183 443 192 168 1 4 59720: tcp 0
WhatsAppSnifferShowALL E..(�j@.3.QA��޷�...��H*�'��ݩ.P....&..���.#t
WhatsAppSnifferTCPDump E ( j 3 QA H P t
WhatsAppSnifferShowALL IP 192.168.1.4.59720 > 173.192.222.183.443: tcp 10
WhatsAppSnifferTCPDump IP 192 168 1 4 59720 173 192 222 183 443: tcp 10
WhatsAppSnifferShowALL E..2��@.@..��..��޷�H.��ݩ.*�'�P.��y�.....���`.��
WhatsAppSnifferTCPDump E 2 H P y
WhatsAppSnifferShowALL IP 173.192.222.183.443 > 192.168.1.4.59720: tcp 10
WhatsAppSnifferTCPDump IP 173 192 222 183 443 192 168 1 4 59720: tcp 10
WhatsAppSnifferShowALL E..2�.@.3...��޷�...��H*�'��ݩ"P...#S......�I3&�'
WhatsAppSnifferTCPDump E 2 3 H P S I3
WhatsAppSnifferShowALL IP 192.168.1.4.59720 > 173.192.222.183.443: tcp 0
WhatsAppSnifferTCPDump IP 192 168 1 4 59720 173 192 222 183 443: tcp 0
WhatsAppSnifferShowALL E..(��@.@..��..��޷�H.��ݩ"*�'�P.���D..
WhatsAppSnifferTCPDump E ( H P D
WhatsAppSnifferShowALL IP 192.168.1.4.59720 > 173.192.222.183.443: tcp 0
WhatsAppSnifferTCPDump IP 192 168 1 4 59720 173 192 222 183 443: tcp 0
WhatsAppSnifferShowALL E..(��@.@..��..��޷�H.��ݩ"*�'�P.���C..
WhatsAppSnifferTCPDump E ( H P C
WhatsAppSnifferShowALL IP 173.192.222.183.443 > 192.168.1.4.59720: tcp 0
WhatsAppSnifferTCPDump IP 173 192 222 183 443 192 168 1 4 59720: tcp 0
WhatsAppSnifferShowALL E..(�?@.3..l��޷�...��H*�'��ݩ#P.......y�c.#_
WhatsAppSnifferTCPDump E ( ? 3 l H P y c
WhatsAppSnifferShowALL IP 173.192.222.183.443 > 192.168.1.4.59720: tcp 0
WhatsAppSnifferTCPDump IP 173 192 222 183 443 192 168 1 4 59720: tcp 0
WhatsAppSnifferShowALL E..(�B@.3..i��޷�...��H*�'��ݩ#P.......I. �#^
WhatsAppSnifferTCPDump E ( B 3 i H P I
WhatsAppSnifferShowALL IP 192.168.1.4.59720 > 173.192.222.183.443: tcp 0
WhatsAppSnifferTCPDump IP 192 168 1 4 59720 173 192 222 183 443: tcp 0
WhatsAppSnifferShowALL E..(..@.@.��..��޷�H.��ݩ#*�'�P.���B..
WhatsAppSnifferTCPDump E ( H P B
Old 02-23-2014, 01:39 PM   #2
In Runtime
 
Join Date: Feb 2013
Location: UK
Posts: 156
Default Re: Help needed to decode please

Hi,
Looking at your data (and the fact it's using words like 'sniffer' and 'tcpdump') suggests you've obtained this from performing a packet capture of some sort. Now, I'm guessing since you aren't sure what this is (hence the question to decode it) you didn't manually invoke this capture, but an app (presumably 'whatsapp') did this for you.

Performing a packet capture is known as 'sniffing' your interface. Essentially it just collects all the data, inbound and outbound, which passes through that interface - and applies an optional filter in the process.

One thing which will confuse you with the output you posted, is it has actually mixed two streams of information together. One textual (the 'ShowAll' lines) and one raw data (the 'TCPDump' lines). What you actually need to have is two separate files, the first (textual) will likely end in .txt (presuming this is on Windows) and the second (raw data) will end in .pcap - the standard file extension for the 'Packet CAPture' data format.

The text file you can view in wordpad/notepad, but for the raw data file you'll need to download a 'packet analyzer' which is not as hard to use as it sounds, essentially just visit https://www.wireshark.org/download.html and pick the installer for your platform.

Once you've installed this (and the associated 'winpcap' library which Windows will ask you to install as well if you don't already have it - so say yes to that) you'll be able to open the .pcap file and look at your network traffic.

At this point I should state, just in case you try, that you CANNOT copy and paste the 'TCPdump' lines out of the log you posted here into a file with a .pcap extension and have it magically work, the application (WhatsApp) should have created this for you, if it hasn't then I have no idea what it was trying to achieve because the reason those characters look so odd is that they are known as 'unprintables' - those which fall outside of the standard ASCII range.

For the benefit of anyone else reading this who is interested, the way you can always tell when you're dealing with packet capture data (if you don't have anything obvious to suggest it like references to TCPdump or plaintext logs of IP address information) is that near the beginning of each packet (the start of the Network Layer to be precise) you'll almost always see a capital 'E' - which is 0x45 in Hexadecimal. The first character denotes IP version 4 protocol is being used, and the 5 is a multiplier to compute the length of the packet header and should always be multiplied by 4 to get the actual length value - in this instance 20 bytes (4*5), note this 4 has nothing to do with the 4 in 0x45, just an agreed constant. Well over 99% of packets on the internet will have this 0x45 in them so 'E' acts as a good marker for identifying packet data without any prior knowledge.

Good luck decoding, let us know if there's anything else you need - I should also just say, before closing, that you'll probably want to read some of the documentation on the Wireshark page in order to understand what it's actually showing you since it can be very daunting to those who haven't done any packet analysis before.
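The header arithmetic described in the post above, as an added example that is not part of the original thread: it parses a constructed IPv4/TCP packet and reproduces the tcpdump-style summary line, which also shows why the raw lines in the log begin `E..(` or `E..2` (the fourth byte is the total length, 40 or 50, printed as ASCII). The addresses and ports are taken from the log; the function names and every other field value are assumptions.

```python
import socket
import struct

def build_sample_packet(payload: bytes) -> bytes:
    """Constructed IPv4+TCP packet (not captured data); checksums left at zero."""
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     socket.inet_aton("192.168.1.4"),
                     socket.inet_aton("173.192.222.183"))
    # Data offset 5 (20-byte TCP header), flags PSH+ACK; values are assumptions.
    tcp = struct.pack("!HHIIBBHHH", 59720, 443, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return ip + tcp + payload

def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Decode the fields tcpdump needs for its one-line summary."""
    if len(pkt) < 20:
        raise ValueError("too short for an IPv4 header")
    version, ihl = pkt[0] >> 4, pkt[0] & 0x0F   # 0x45 -> version 4, IHL 5
    if version != 4 or ihl < 5:
        raise ValueError("not a valid IPv4 header")
    ip_hdr_len = ihl * 4                        # IHL counts 32-bit words
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6:                             # protocol 6 = TCP
        raise ValueError("not TCP")
    if len(pkt) < ip_hdr_len + 20:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack("!HH", pkt[ip_hdr_len:ip_hdr_len + 4])
    tcp_hdr_len = (pkt[ip_hdr_len + 12] >> 4) * 4
    return {
        "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
        "sport": sport, "dport": dport, "ip_header_len": ip_hdr_len,
        "payload_len": total_len - ip_hdr_len - tcp_hdr_len,
    }

def summary(pkt: bytes) -> str:
    """Format the parsed fields the way the 'IP a.p > b.q: tcp N' lines appear."""
    f = parse_ipv4_tcp(pkt)
    return (f"IP {f['src']}.{f['sport']} > {f['dst']}.{f['dport']}: "
            f"tcp {f['payload_len']}")

if __name__ == "__main__":
    for payload in (b"", b"A" * 10):
        pkt = build_sample_packet(payload)
        print(repr(pkt[:4]), summary(pkt))
```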
Old 02-25-2014, 12:53 PM   #3
Site Team
 
Join Date: Mar 2004
Posts: 8,003
Default Re: Help needed to decode please

it says I'm really really hot for you babe,


nah, just kidding.
now stop trying to spy on your girlfriend's/wife's conversations!

your biggest problem is that the data is encrypted.
that address:
173.192.222.183.443 > 192.168.1.4.59720:
192.168.1.4.59720 > 173.192.222.183.443

suggests that the device that is sending and receiving data (192.168.1.4) has a random high port, but connects to 173.192.222.183 (softlayer aka e8.whatsapp.net) on port 443 (HTTPS)

so first you need to capture the data, then figure out what encryption is used. and then reverse said encryption. and voila you'll have 8 messages to and from some people...