On Mon, May 21, 2007 at 03:49:17PM +0200, Andreas Weller wrote:
> A friend of mine got a new PC system at his shop. It's a Linux-based
> client/server system. As it is undocumented black-box stuff, we used
> wireshark to decode its datastream :-)
:)
> But it also connects to port 1536 using some kind of encrypted or
> compressed protocol. Wireshark doesn't recognize the protocol.
>
> I think it might be RFC1950 compressed data (ZLIB).
>
> How do I force wireshark to treat the port 1536 data as RFC1950
> compressed - maybe it can be decoded this way...
There is no zlib dissector right now, but Wireshark is usually compiled
with zlib, and it is used within the HTTP and VNC dissectors. Would you
mind sending the first response packet (the one that appears to have the
compressed data, without the password you x'd out) to the list (or to me
privately if you prefer)? I would like to take a closer look at it. If
it is just zlib-compressed data, a dissector could be written to
uncompress it and display the uncompressed data for you.
Steve
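Before anyone writes a dissector, the same question (is the port 1536 payload an RFC 1950 zlib stream?) can be answered offline with a few lines of Python. The script below is an added example, not code from the thread or from Wireshark: it checks the two-byte zlib header the way RFC 1950 specifies (CM == 8 for deflate, CINFO <= 7, and the CMF/FLG pair divisible by 31) and then attempts a bounded inflate so that a malformed or deliberately huge stream cannot blow up the analyst's machine. The sample payload is constructed here; it is not the packet from the original question.

```python
import zlib

def looks_like_zlib(data: bytes) -> bool:
    """RFC 1950 header check: CM must be 8 (deflate), CINFO at most 7,
    and (CMF * 256 + FLG) must be a multiple of 31."""
    if len(data) < 2:
        return False
    cmf, flg = data[0], data[1]
    if cmf & 0x0F != 8:          # compression method: only deflate is defined
        return False
    if (cmf >> 4) > 7:           # window size info: 2^(CINFO+8), max 32 KiB
        return False
    return ((cmf << 8) | flg) % 31 == 0

def try_inflate(data: bytes, limit: int = 1 << 20):
    """Attempt to decompress a captured payload.

    Returns (ok, result): on success result is the inflated bytes, otherwise
    a short reason. Output is capped at `limit` bytes so a hostile or
    accidental decompression bomb in a capture cannot exhaust memory."""
    d = zlib.decompressobj()     # default wbits=15 expects the zlib (RFC 1950) wrapper
    try:
        out = d.decompress(data, limit)
    except zlib.error as exc:
        return False, f"zlib error: {exc}"
    if d.unconsumed_tail:        # input left over because the output cap was hit
        return False, "output exceeded limit (possible decompression bomb)"
    if not d.eof:                # no end-of-stream marker / Adler-32 trailer seen yet
        return False, "stream truncated (no end-of-stream marker)"
    return True, out

def classify_payload(data: bytes) -> dict:
    """Summarise what an analyst wants to know about one TCP payload."""
    header_ok = looks_like_zlib(data)
    ok, result = try_inflate(data) if header_ok else (False, "header is not RFC 1950")
    return {
        "header_ok": header_ok,
        "inflated": ok,
        "detail": result if not ok else f"{len(result)} bytes inflated",
        "unused_trailing_bytes": 0,
    }

# Constructed sample: what a zlib-compressed application message might look
# like on the wire. The content is invented for this example.
SAMPLE = zlib.compress(b"LOGIN user=shop1 password=XXXX\n")

if __name__ == "__main__":
    for label, payload in [("sample", SAMPLE),
                           ("http", b"GET / HTTP/1.1\r\n"),
                           ("bad-block", b"\x78\x9c\xff\xff"),
                           ("truncated", SAMPLE[:-4])]:
        print(label, classify_payload(payload))
```

The header test alone is weak (roughly 1 in 31 random byte pairs pass it), so treat it only as a filter; the inflate step with its end-of-stream check is what actually confirms the format. In a real capture, feed the function the reassembled TCP payload rather than a single segment, since a zlib stream split across packets will report as truncated.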