Ask Your Question

How to identify syslog protocol packet?

asked 2022-04-22 11:46:56 +0000

sjain gravatar image

In a stream of hex data for each packet, I want to identify whether protocol is syslog protocol or not, so what value should I compare?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2022-04-22 13:17:49 +0000

Chuckc gravatar image

The Wireshark syslog dissector uses known ports - defaults to 514 for syslog over UDP.

rfc3164 and rfc5424 define the message format.
You could look at the PRI field in the header but it's length can vary:

6.2.1.  PRI

   The PRI part MUST have three, four, or five characters and will be
   bound with angle brackets as the first and last characters.  The PRI
   part starts with a leading "<" ('less-than' character, %d60),
   followed by a number, which is followed by a ">" ('greater-than'
   character, %d62).  The number contained within these angle brackets
   is known as the Priority value (PRIVAL) and represents both the
   Facility and Severity.  The Priority value consists of one, two, or
   three decimal integers (ABNF DIGITS) using values of %d48 (for "0")
   through %d57 (for "9").
edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools



Asked: 2022-04-22 11:46:56 +0000

Seen: 93 times

Last updated: Apr 22