Running HexLasso on Packet Payloads


Since HexLasso gives accurate results even on small chunks of data, it can be used to analyze the characteristics of network packets.

In the experiment, 2593 TCP packets were captured using Wireshark with the filter "tcp.payload and !tls". The captured packets were exported, and HexLasso was run on the TCP payload section of each packet.

The smallest packet is 16 bytes in size; the largest is 1420 bytes.

The table below summarizes the results.

Analyzer Chart
AsciiByte PNG
ExtAsciiByte PNG
SpPredictedByte PNG
PredictedByte PNG
SpByteMulOf4 PNG
ByteMulOf4 PNG
SymmetricByteSeq PNG
SpSameByteSeq PNG
PredictedByteSeq PNG
SpIncByteSeq PNG
SpDecByteSeq PNG
SpSameByteDiffSeq PNG
IncByteSeq PNG
DecByteSeq PNG
SameByteDiffSeq PNG
SameByteSeq PNG
SameAsciiByteSeq PNG
SameDWordSeq PNG
X86Fragment PNG
ArmFragment PNG
SpAsciiString PNG
UnicodeString PNG
AsciiString PNG
AsciiStringOfDigits PNG
AsciiStringOfSpecial PNG
WordMatch PNG
DWordMatch PNG
QWordMatch PNG

The Analyzer column names the HexLasso functionality that was used to analyze the TCP payload.

The Chart column shows the result of the analysis. The Y axis gives the percentage of data in each packet that the analyzer covers. The X axis lists all the packets.
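The per-packet measurement described above can be sketched as follows. This is an added example, not HexLasso's code: it pulls the TCP payload out of each record of a classic pcap file and computes one coverage percentage per packet, which is the kind of series each chart plots. The printable-ASCII rule is a stand-in assumption and not HexLasso's definition of any analyzer, all function names are hypothetical, and the capture is constructed inline (it contains no TLS, so the "!tls" part of the filter is not modelled).

```python
import struct

def tcp_payloads(pcap: bytes):
    """Yield each non-empty TCP payload from a classic pcap (Ethernet + IPv4 only)."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24  # skip the 24-byte pcap global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # too short, not IPv4, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        tcp = 14 + ihl
        if len(frame) < tcp + 20:
            continue  # truncated TCP header
        data_off = (frame[tcp + 12] >> 4) * 4
        ip_end = 14 + struct.unpack(">H", frame[16:18])[0]  # excludes Ethernet padding
        payload = frame[tcp + data_off:ip_end]
        if payload:  # segments without data (bare ACKs) are skipped
            yield payload

def ascii_coverage(payload: bytes) -> float:
    """Stand-in analyzer (assumption): percentage of printable-ASCII bytes."""
    return 100.0 * sum(0x20 <= b <= 0x7E for b in payload) / len(payload)

def coverage_series(pcap: bytes) -> list:
    """One percentage per packet: the Y values of a chart, in X (packet) order."""
    return [ascii_coverage(p) for p in tcp_payloads(pcap)]

def build_sample_pcap(payloads) -> bytes:
    """Constructed capture: minimal Ethernet/IPv4/TCP frames around each payload."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for p in payloads:
        ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40 + len(p), 0, 0, 64, 6, 0,
                         bytes(4), bytes(4))
        tcp = struct.pack(">HHIIBBHHH", 49152, 80, 0, 0, 0x50, 0x18, 1024, 0, 0)
        frame = bytes(12) + b"\x08\x00" + ip + tcp + p
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

# Constructed payloads: text, binary, an empty segment, and a mixed one.
SAMPLE = build_sample_pcap([b"GET / HTTP/1.1\r\n", bytes(range(16)), b"", b"AB\x00\x01"])

if __name__ == "__main__":
    for i, pct in enumerate(coverage_series(SAMPLE)):
        print(f"packet {i}: {pct:.1f}% covered")
```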