How to identify syslog protocol packet?
In a stream of hex data for each packet, I want to identify whether protocol is syslog protocol or not, so what value should I compare?
add a comment
The Wireshark syslog dissector uses known ports - defaults to 514 for syslog over UDP.
rfc3164 and rfc5424 define the message format.
You could look at the PRI field in the header but it's length can vary:
6.2.1. PRI
The PRI part MUST have three, four, or five characters and will be
bound with angle brackets as the first and last characters. The PRI
part starts with a leading "<" ('less-than' character, %d60),
followed by a number, which is followed by a ">" ('greater-than'
character, %d62). The number contained within these angle brackets
is known as the Priority value (PRIVAL) and represents both the
Facility and Severity. The Priority value consists of one, two, or
three decimal integers (ABNF DIGITS) using values of %d48 (for "0")
through %d57 (for "9").
Asked: 2022-04-22 11:46:56 +0000
Seen: 783 times
Last updated: Apr 22 '22