How to identify syslog protocol packet?
In a stream of hex data for each packet, I want to identify whether protocol is syslog protocol or not, so what value should I compare?
In a stream of hex data for each packet, I want to identify whether protocol is syslog protocol or not, so what value should I compare?
The Wireshark syslog dissector uses known ports - defaults to 514 for syslog over UDP.
rfc3164 and rfc5424 define the message format.
You could look at the PRI
field in the header but it's length can vary:
6.2.1. PRI The PRI part MUST have three, four, or five characters and will be bound with angle brackets as the first and last characters. The PRI part starts with a leading "<" ('less-than' character, %d60), followed by a number, which is followed by a ">" ('greater-than' character, %d62). The number contained within these angle brackets is known as the Priority value (PRIVAL) and represents both the Facility and Severity. The Priority value consists of one, two, or three decimal integers (ABNF DIGITS) using values of %d48 (for "0") through %d57 (for "9").
Please start posting anonymously - your entry will be published after you log in or create a new account.
Asked: 2022-04-22 11:46:56 +0000
Seen: 566 times
Last updated: Apr 22 '22