
How to identify syslog protocol packet?

In a stream of hex data for each packet, I want to identify whether the protocol is the syslog protocol or not, so what value should I compare?

sjain, asked 2022-04-22 11:46:56 +0000


1 Answer


The Wireshark syslog dissector uses known ports - defaults to 514 for syslog over UDP.

RFC 3164 and RFC 5424 define the message format.
You could look at the PRI field in the header, but its length can vary:

6.2.1.  PRI

   The PRI part MUST have three, four, or five characters and will be
   bound with angle brackets as the first and last characters.  The PRI
   part starts with a leading "<" ('less-than' character, %d60),
   followed by a number, which is followed by a ">" ('greater-than'
   character, %d62).  The number contained within these angle brackets
   is known as the Priority value (PRIVAL) and represents both the
   Facility and Severity.  The Priority value consists of one, two, or
   three decimal integers (ABNF DIGITS) using values of %d48 (for "0")
   through %d57 (for "9").
Chuckc, answered 2022-04-22 13:17:49 +0000
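The PRI check the answer describes, as an added example (not code from the question, the answer, or Wireshark's dissector): it decodes a hex-encoded UDP payload, requires the message to begin with `<`, one to three ASCII digits and `>`, rejects PRIVAL above 191 (facility 23, severity 7), and splits PRIVAL into facility and severity. The sample payloads are constructed for this example.

```python
import re
from typing import Optional, Tuple

# Hex-encoded UDP payloads constructed for this example (not real captures).
SAMPLE_PAYLOADS_HEX = {
    "rfc3164": b"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick".hex(),
    "rfc5424": b"<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 -".hex(),
    "bad_pri": b"<999>1 - - - - - -".hex(),
    "not_syslog": "4500005412344000401100007f0000017f000001",  # resembles an IPv4 header
}

# RFC 5424 section 6.2.1: PRI is '<', one to three ASCII digits, '>' and must be
# the very first bytes of the message. The group captures PRIVAL.
_PRI_RE = re.compile(rb"^<([0-9]{1,3})>")

# Highest facility defined by RFC 5424 is 23 (local7), so PRIVAL <= 23*8+7.
MAX_PRIVAL = 191


def parse_pri(payload: bytes) -> Optional[Tuple[int, int]]:
    """Return (facility, severity) if payload starts with a valid PRI, else None."""
    m = _PRI_RE.match(payload)
    if m is None:
        return None
    prival = int(m.group(1))
    if prival > MAX_PRIVAL:
        return None
    # PRIVAL = facility * 8 + severity (RFC 5424 section 6.2.1).
    return prival >> 3, prival & 0x7


def classify_hex_payload(hex_payload: str) -> Optional[Tuple[int, int]]:
    """Decode a hex string (as seen in a packet dump) and apply parse_pri()."""
    try:
        payload = bytes.fromhex(hex_payload)
    except ValueError:
        return None
    return parse_pri(payload)


if __name__ == "__main__":
    for name, hexdata in SAMPLE_PAYLOADS_HEX.items():
        result = classify_hex_payload(hexdata)
        verdict = "syslog-like" if result else "not syslog"
        print(f"{name:<11} {verdict:<12} facility/severity={result}")
```

Any text payload that happens to start with `<n>` passes this check, so treat a PRI match as a hint and combine it with the port check the dissector already uses (514/UDP by default) before labelling a flow as syslog.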

