• DocumentCode
    2467401
  • Title

    Extracting Information from Unknown Protocols On CampusNet

  • Author

    Yu, Zhuanghui ; Huang, Yongzhong ; Guo, Shaozhong ; Zhou, Bei ; Ren, Hua

  • Author_Institution
    Inf. Eng. Univ. of PLA, Zhengzhou
  • fYear
    2007
  • fDate
    23-25 Nov. 2007
  • Firstpage
    535
  • Lastpage
    539
  • Abstract
    As information security has become an increasing concern on our campus network, on many occasions it's highly useful to extract information from various network traces, including recognizing malware variants, detecting intrusion, and normalizing traffic. Traditionally, the extracting work often depends on the protocol specification. However, there are often no sufficient documents or time for parsing the protocol specified. We present Catcher, a system for semi-automatically extracting information from unknown protocols. The key novelty in our work is that we locate the information and pick it out directly. Catcher does not require knowledge of any protocol; it automatically parses the packets given. In the afterward step, if the same type of packets come up, it will recognize them and extract information out of them. In order to test the effectiveness of our tool, we use Catcher to extract information over HTTP and DNS (with no predefinitions of these protocols), as well as chat applications such as MSN. The result reveals that Catcher can extract information from unknown protocols effectively.
  • Keywords
    Internet; network analysers; protocols; security of data; telecommunication security; telecommunication traffic; CampusNet protocol specification; Catcher semiautomatic information extraction system; campus network; information security; intrusion detection; malware recognition; Algorithm design and analysis; Data mining; Information analysis; Information security; Intrusion detection; Programmable logic arrays; Protocols; Reverse engineering; Telecommunication traffic; Testing; Dynamic Field; Information Extraction; Message Format;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Information Technologies and Applications in Education, 2007. ISITAE '07. First IEEE International Symposium on
  • Conference_Location
    Kunming
  • Print_ISBN
    978-1-4244-1386-7
  • Electronic_ISBN
    978-1-4244-1386-7
  • Type

    conf

  • DOI
    10.1109/ISITAE.2007.4409343
  • Filename
    4409343