
Wireshark not decoding TCP syslog message properly


As per RFC 6587, one of our servers is sending TCP syslog messages to a syslog server, but Wireshark is not decoding them properly.

   TCP-DATA = *SYSLOG-FRAME

   SYSLOG-FRAME = MSG-LEN SP SYSLOG-MSG   ; Octet-counting
                                          ; method

Example: the following is the TCP data: "95 <30>1 2018-08-01T11:12:29.276656-06:00 hilldale systemd 1 - - Started System Logging Service."

Wireshark shows it as "Syslog message: (unknown):"

smartsaranya, asked 2023-07-17 13:55:50 +0000

Comments

Can you share a capture file of this?

Chuckc (2023-07-17 15:57:28 +0000)

1 Answer


The function dissect_syslog in packet-syslog.c shows that RFC 6587 is not yet supported.
It does not expect a syslog message to start with a length and treats the first number as a facility code.

Please report this as an enhancement request on the Wireshark issues list.

André, answered 2023-07-17 19:41:43 +0000
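The octet-counting framing from the question and the mis-parse described in the answer, as an added example that is not part of the question, the answer, or Wireshark's own packet-syslog.c: a small Python parser that splits a TCP byte stream into RFC 6587 frames (MSG-LEN SP SYSLOG-MSG), carries a partial frame across TCP segments the way a dissector has to, and only then reads the <PRI> header to get facility and severity. The sample stream is constructed here; its first message reuses the text quoted in the question with the length prefix recomputed, the second message is made up, and the MAX_LEN_DIGITS bound is an assumption of this example, not something RFC 6587 specifies.

```python
"""RFC 6587 octet-counting framing for syslog over TCP (added example).

A TCP payload carries *SYSLOG-FRAME, each frame being
MSG-LEN SP SYSLOG-MSG.  The length prefix is transport framing, not part
of the syslog message: a parser must strip it before looking for the
<PRI> header, otherwise the first number on the wire (the length) is
taken for the facility/severity value.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Tuple

# Upper bound on MSG-LEN digits used as a sanity check.  This bound is an
# assumption of this example; RFC 6587 itself does not limit the length.
MAX_LEN_DIGITS = 6


@dataclass
class SyslogFrame:
    pri: int
    facility: int   # PRI // 8
    severity: int   # PRI % 8
    message: str    # the SYSLOG-MSG, including its <PRI> header


def parse_syslog_msg(msg: bytes) -> SyslogFrame:
    """Decode the <PRI> header of a SYSLOG-MSG (RFC 5424 section 6.2.1)."""
    if not msg.startswith(b"<"):
        raise ValueError("SYSLOG-MSG must start with <PRI>")
    close = msg.find(b">", 1, 5)          # PRI is 1..3 digits
    if close == -1 or not msg[1:close].isdigit():
        raise ValueError("malformed PRI")
    pri = int(msg[1:close])
    if pri > 191:                         # 24 facilities * 8 severities - 1
        raise ValueError(f"PRI out of range: {pri}")
    return SyslogFrame(pri, pri >> 3, pri & 7, msg.decode("utf-8", "replace"))


def parse_octet_counted(buf: bytes) -> Tuple[List[SyslogFrame], bytes]:
    """Split a TCP stream buffer into complete frames.

    Returns (frames, leftover).  Leftover is a trailing partial frame whose
    remaining bytes have not arrived yet; the caller keeps it and prepends it
    to the next segment's payload (the reassembly a dissector needs to do).
    """
    frames: List[SyslogFrame] = []
    pos = 0
    while pos < len(buf):
        sp = buf.find(b" ", pos, pos + MAX_LEN_DIGITS + 1)
        if sp == -1:
            if len(buf) - pos > MAX_LEN_DIGITS:
                raise ValueError("no MSG-LEN prefix: not octet-counted framing")
            break                          # length prefix still incomplete
        digits = buf[pos:sp]
        # MSG-LEN = NONZERO-DIGIT *DIGIT
        if not digits.isdigit() or digits.startswith(b"0"):
            raise ValueError(f"bad MSG-LEN {digits!r}")
        start, end = sp + 1, sp + 1 + int(digits)
        if end > len(buf):
            break                          # message body still incomplete
        frames.append(parse_syslog_msg(buf[start:end]))
        pos = end
    return frames, buf[pos:]


def reassemble(segments: List[bytes]) -> List[SyslogFrame]:
    """Feed successive TCP payloads through the parser, carrying leftovers."""
    pending = b""
    out: List[SyslogFrame] = []
    for seg in segments:
        frames, pending = parse_octet_counted(pending + seg)
        out.extend(frames)
    if pending:
        raise ValueError(f"stream ended inside a frame: {pending!r}")
    return out


def frame(msg: str) -> bytes:
    """Build one SYSLOG-FRAME; MSG-LEN counts octets of the encoded message."""
    body = msg.encode("utf-8")
    return b"%d %s" % (len(body), body)


# Constructed sample stream: the first text is the message quoted in the
# question (its length prefix is recomputed here), the second is made up.
SAMPLE_STREAM = frame(
    "<30>1 2018-08-01T11:12:29.276656-06:00 hilldale systemd 1 - - "
    "Started System Logging Service."
) + frame("<13>1 2018-08-01T11:13:00Z hilldale sshd 4242 - - constructed test line")


if __name__ == "__main__":
    # Whole stream in one segment, then the same bytes split mid-frame.
    for f in reassemble([SAMPLE_STREAM]):
        print(f.facility, f.severity, f.message)
    split = [SAMPLE_STREAM[:40], SAMPLE_STREAM[40:70], SAMPLE_STREAM[70:]]
    assert reassemble(split) == reassemble([SAMPLE_STREAM])
```

Running the file prints facility 3 (daemon) and severity 6 (info) for the systemd line, which is what the <30> PRI encodes once the "93 " length prefix has been consumed; feeding the same bytes in three segments gives identical frames because the leftover of each call is prepended to the next payload.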
