Ask Your Question
0

wireshark not decoding tcp syslog message properly

asked 2023-07-17 13:55:50 +0000

smartsaranya gravatar image

As per RFC6587 one of our server sending TCP syslog message to syslog server, but wireshark not decoding properly.

   TCP-DATA = *SYSLOG-FRAME

   SYSLOG-FRAME = MSG-LEN SP SYSLOG-MSG   ; Octet-counting
                                          ; method

Example: following is the tcp data, "95 <30>1 2018-08-01T11:12:29.276656-06:00 hilldale systemd 1 - - Started System Logging Service."

wireshark showing as "Syslog message: (unknown):"

edit retag flag offensive close merge delete

Comments

Can you share a capture file of this?

Chuckc gravatar imageChuckc ( 2023-07-17 15:57:28 +0000 )edit
Chuckc gravatar imageChuckc ( 2023-07-17 16:12:13 +0000 )edit

1 Answer

Sort by » oldest newest most voted
0

answered 2023-07-17 19:41:43 +0000

André gravatar image

The function dissect_syslog in packet-syslog.c shows that RFC 6587 is not yet supported.
It does not expect a syslog message to start with a length and treats the first number as a facility code.

Please report this as an enhancement request on the Wireshark issues list.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2023-07-17 13:55:50 +0000

Seen: 434 times

Last updated: Jul 17 '23