Decoding [1:2200122:1] SURICATA AF-PACKET truncated packet

DigiAngel · May 1, 2025, 2:32pm

Any way to get some information from the blob of hex included in the Raw pkt data?

Jeff_Lucovsky · May 3, 2025, 1:14pm

If you’re referring to the payload in an alert, e.g.,

  "payload": "R0VUIC9hL3RyYWNrL2pzaW5mby5hc3A/c3c9MTY4MCZzaD05NzcgSFRUUC8xLjENCkFjY2VwdDogKi8qDQpSZWZlcmVyOiBodHRwOi8vdmlldy5hdGRtdC5jb20vRFJOL2l2aWV3LzE1NTU3ODY2NS9kaXJlY3QvMDE/Y2xpY2s9DQpBY2NlcHQtTGFuZ3VhZ2U6IGVuLXVzDQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUNClVzZXItQWdlbnQ6IE1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDYuMDsgV2luZG93cyBOVCA1LjE7IFNWMTsgLk5FVCBDTFIgMS4xLjQzMjI7IC5ORVQgQ0xSIDIuMC41MDcyNzsgLk5FVCBDTFIgMy4wLjQ1MDYuMjE1MjsgLk5FVCBDTFIgMy41LjMwNzI5OyBXaW5kb3dzIExpdmUgTWVzc2VuZ2VyIDE0LjAuODA4OS4wNzI2KQ0KSG9zdDogd3d3My5zbWFydGFkc2VydmVyLmNvbQ0KQ29ubmVjdGlvbjogS2VlcC1BbGl2ZQ0KQ29va2llOiBUZXN0SWZDb29raWVQPW9rOyBUZXN0SWZDb29raWU9b2s7IEFTUFNFU1NJT05JRFFRQkFDQlJBPU9JSE5EQkNDSENNSkhBSkFQRkRGUEtMQw0KDQo=",

You can decode this with base64 -d

$ echo  "R0VUIC9hL3RyYWNrL2pzaW5mby5hc3A/c3c9MTY4MCZzaD05NzcgSFRUUC8xLjENCkFjY2VwdDogKi8qDQpSZWZlcmVyOiBodHRwOi8vdmlldy5hdGRtdC5jb20vRFJOL2l2aWV3LzE1NTU3ODY2NS9kaXJlY3QvMDE/Y2xpY2s9DQpBY2NlcHQtTGFuZ3VhZ2U6IGVuLXVzDQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUNClVzZXItQWdlbnQ6IE1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDYuMDsgV2luZG93cyBOVCA1LjE7IFNWMTsgLk5FVCBDTFIgMS4xLjQzMjI7IC5ORVQgQ0xSIDIuMC41MDcyNzsgLk5FVCBDTFIgMy4wLjQ1MDYuMjE1MjsgLk5FVCBDTFIgMy41LjMwNzI5OyBXaW5kb3dzIExpdmUgTWVzc2VuZ2VyIDE0LjAuODA4OS4wNzI2KQ0KSG9zdDogd3d3My5zbWFydGFkc2VydmVyLmNvbQ0KQ29ubmVjdGlvbjogS2VlcC1BbGl2ZQ0KQ29va2llOiBUZXN0SWZDb29raWVQPW9rOyBUZXN0SWZDb29raWU9b2s7IEFTUFNFU1NJT05JRFFRQkFDQlJBPU9JSE5EQkNDSENNSkhBSkFQRkRGUEtMQw0KDQo=" | base64 -d
GET /a/track/jsinfo.asp?sw=1680&sh=977 HTTP/1.1
Accept: */*
Referer: http://view.atdmt.com/DRN/iview/155578665/direct/01?click=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; Windows Live Messenger 14.0.8089.0726)
Host: www3.smartadserver.com
Connection: Keep-Alive
Cookie: TestIfCookieP=ok; TestIfCookie=ok; ASPSESSIONIDQQBACBRA=OIHNDBCCHCMJHAJAPFDFPKLC

Topic		Replies	Views
Decode.pkts counted all the received pkts? Help	8	696	August 20, 2020
What are the measurements `capture.kernel_packets` and `decoder.pkts` in the log file `stats.log` mean? Help	3	768	April 21, 2021
Some log events have empty payload and payload_printable Help	1	1264	July 27, 2021
Require some example for from_base64 keyword Rules rules	5	70	October 28, 2024
Generic Protocol Command Decode Help	13	14887	March 13, 2021

Decoding [1:2200122:1] SURICATA AF-PACKET truncated packet

Related topics