Decoding [1:2200122:1] SURICATA AF-PACKET truncated packet

Any way to get some information from the blob of hex included in the Raw pkt data?

If you’re referring to the payload in an alert, e.g.,

  "payload": "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",

You can decode this with base64 -d

$ echo "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" | base64 -d
GET /a/track/jsinfo.asp?sw=1680&sh=977 HTTP/1.1
Accept: */*
Referer: http://view.atdmt.com/DRN/iview/155578665/direct/01?click=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; Windows Live Messenger 14.0.8089.0726)
Host: www3.smartadserver.com
Connection: Keep-Alive
Cookie: TestIfCookieP=ok; TestIfCookie=ok; ASPSESSIONIDQQBACBRA=OIHNDBCCHCMJHAJAPFDFPKLC

In this case, there is no real payload...it's just a small bit of hex bytes, as the packet is truncated. Hoping to glean a MAC at least, or something I can look at.

What version of Suricata, and are you using AF_PACKET? Could be that AF_PACKET is truncating the packets. If on 7.0.10 though, you should also see this alert if that was the case:

SURICATA AF-PACKET truncated packet

Aye, 7.0.10, and yes, using af-packet :) I'm not sure...that's why I'm asking here...I see about 35 hex bytes in the alerts and was wondering if I could get any info from them.

Some tools make it easy to convert this payload to a PCAP to see what it is, like my EveBox. For me, when I get these they are almost always WireGuard traffic. idstools also has an eve2pcap converter, but I can't say that I've tried that in many years. Another option might be, as Jeff suggested, to convert to hex and pick apart the header manually?


Thank you much…just what I needed.

So the process is to take the base64 blob → convert it to a hexdump (hello CyberChef) → save that to a file, then import the hexdump into Wireshark. Thanks all!
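The procedure the thread settles on (base64 blob → bytes → pick apart the headers or hand the frame to Wireshark) as one script. This is an added example, not code from the thread, from Suricata, EveBox or idstools. It assumes the decoded blob begins at the Ethernet header (the offsets are wrong if the bytes start elsewhere); it reads whatever headers fit in the captured bytes (MACs, an optional 802.1Q tag, IPv4 or IPv6 addresses and protocol), reports how many bytes the truncation dropped using the length field in the IP header, and writes a single-frame pcap that Wireshark opens directly, which replaces the hexdump import step. The sample alert bytes are constructed for the example, not taken from a real EVE record, and the IPv6 and VLAN handling goes beyond the IPv4 case discussed above.

```python
import base64
import ipaddress
import struct

# Constructed sample (not from a real alert): 14-byte Ethernet header,
# 20-byte IPv4 header and a single byte of what would be the TCP header,
# i.e. the ~35 bytes a truncated frame leaves behind. Addresses are from
# documentation ranges.
SAMPLE_B64 = base64.b64encode(
    bytes.fromhex("001122334455" "66778899aabb" "0800")                    # Ethernet
    + bytes.fromhex("4500003c1a2b40004006" "0000" "c000020a" "c6336414")   # IPv4, total len 60
    + bytes.fromhex("c3")                                                  # first TCP byte
).decode()

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 58: "icmpv6"}


def decode_payload(b64: str) -> bytes:
    """The base64 -d step from the thread, as a function."""
    return base64.b64decode(b64)


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_truncated_packet(raw: bytes) -> dict:
    """Read what can be read from a frame cut off after a few bytes.

    Assumes raw starts at the Ethernet header (pcap link type 1). Each layer
    is only decoded when its full header is present in the captured bytes.
    """
    info = {"captured_len": len(raw)}
    if len(raw) < 14:
        info["note"] = "shorter than an Ethernet header"
        return info
    info["dst_mac"] = _mac(raw[0:6])
    info["src_mac"] = _mac(raw[6:12])
    ethertype = struct.unpack("!H", raw[12:14])[0]
    off = 14
    if ethertype == 0x8100 and len(raw) >= 18:          # 802.1Q tagged frame
        info["vlan_id"] = struct.unpack("!H", raw[14:16])[0] & 0x0FFF
        ethertype = struct.unpack("!H", raw[16:18])[0]
        off = 18
    info["ethertype"] = f"0x{ethertype:04x}"

    if ethertype == 0x0800 and len(raw) >= off + 20:    # IPv4
        ihl = (raw[off] & 0x0F) * 4
        total_len = struct.unpack("!H", raw[off + 2:off + 4])[0]
        proto = raw[off + 9]
        info.update(
            ip_version=4, ip_hdr_len=ihl, ip_total_len=total_len,
            ip_proto=proto, ip_proto_name=PROTO_NAMES.get(proto, str(proto)),
            src_ip=str(ipaddress.IPv4Address(raw[off + 12:off + 16])),
            dst_ip=str(ipaddress.IPv4Address(raw[off + 16:off + 20])),
        )
        expected = off + total_len                       # frame length on the wire
    elif ethertype == 0x86DD and len(raw) >= off + 40:  # IPv6
        payload_len = struct.unpack("!H", raw[off + 4:off + 6])[0]
        proto = raw[off + 6]
        info.update(
            ip_version=6, ip_proto=proto,
            ip_proto_name=PROTO_NAMES.get(proto, str(proto)),
            src_ip=str(ipaddress.IPv6Address(raw[off + 8:off + 24])),
            dst_ip=str(ipaddress.IPv6Address(raw[off + 24:off + 40])),
        )
        expected = off + 40 + payload_len
    else:
        info["note"] = "cut off before a complete network-layer header"
        return info

    if expected > len(raw):
        # The IP header still says how long the packet was supposed to be,
        # so the truncation depth can be recovered even from a stub.
        info["missing_bytes"] = expected - len(raw)
    return info


def build_pcap(raw: bytes, orig_len: int = 0) -> bytes:
    """Wrap one frame in a classic libpcap file (link type 1, Ethernet).

    orig_len larger than len(raw) marks the frame as truncated on capture,
    which Wireshark then shows instead of flagging a malformed packet.
    """
    orig_len = orig_len or len(raw)
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    # ts_sec, ts_usec, incl_len, orig_len (no timestamp in the alert blob)
    rec_hdr = struct.pack("<IIII", 0, 0, len(raw), orig_len)
    return global_hdr + rec_hdr + raw


if __name__ == "__main__":
    import json
    import sys

    raw = decode_payload(sys.argv[1] if len(sys.argv) > 1 else SAMPLE_B64)
    info = parse_truncated_packet(raw)
    print(json.dumps(info, indent=2))
    with open("truncated.pcap", "wb") as f:
        f.write(build_pcap(raw, info["captured_len"] + info.get("missing_bytes", 0)))
```

Run it with the base64 string from the alert as the only argument; it prints the recovered fields and leaves truncated.pcap next to it for Wireshark. If the alert carries a `packet` field as well as `payload`, the `packet` value is the one that starts at the link layer.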