Protocol Detector

Jose Ramon Palanco Jose Ramon Palanco Follow Sep 09, 2017 · 2 mins read
Protocol Detector
Share this

ProtocolDetector is am open source python library I developed for Dinoflux. This library aims to provide an easy-to-use mechanism to integrate protocol detection capabilities into your python applications.

  • Uses yara as engine for parsing packets
  • Supports network live capture
  • Supports pcap reading
  • Supports socks proxy to filter local address
  • It comes with CLI for working out of the box
  • JSON output for easy parsing



sudo pip install git+git://

Command Line

Analyze a pcap file:

ProtocolDetector -p example.pcap


Analyze iface (real-time):

ProtocolDetector -i eth0


Example output:

{'dport': 1604, 'src': '', 'dst': '', 'sport': 49181, 'protocols': [darkcomet]}



from ProtocolDetector.Engine import get\_rules, perform\_check
import dpkt

pcap_file = open(pcap_path)

options = { 'mode': 'default',
            'socks_proxy': False,
            'remove_local' : False,
            'pcap_path': pcap_path,
            'iface': None,
            'rules' : get_rules() }

for ts, buf in pcap:
        results = perform_check(buf, options )
        print results


Adding Protocols

Adding protocols is pretty easy, we only need to create a yara rule and place it at ProtocolDetector/rules/ directory and add it to the index.yar file. Let’s see a few examples of protocol rules:

rule ssl : protocols
    author = "Jose Ramon Palanco <>"
    description = "SSL"
    $content_type = /(\x13|\x14|\x15|\x16|\x17)/
    $version_tsl_1_2 = { 03 03 }
    $version_tsl_1_0 = { 03 01 }
    $version_tsl_3_0 = { 03 00 }

    $content_type at 0 and ($version_tsl_1_2 at 1 or $version_tsl_1_0 at 1 or $version_tsl_3_0 at 1)

In this example, we can see that at position 0 (the first byte of the payload) we will need to find the content-type, and it should be 13h, 14h, 15h, 16h or 17h. If we found that we will require to find a valid version. In this example, I cover TSL 1.0, TSL 1.2 and TSL 3.0.

rule njrat : protocols
    author = "Jose Ramon Palanco <>"
    description = "njRAT Protocol"
    $header = /\d{1,6}\x00/
    $sep = { 7C 27 7C 27 7C }
    $header at 0 and $sep

This example detects njRAT, a common Remote Administration Tool. In this case, we need to find at position 0, from 1 to 6 integers followed by a null byte and the separator which is 0x7C277C277C.


You can find more protocols implemented at my github repository

Happy hacking!!

Jose Ramon Palanco
Written by Jose Ramon Palanco Follow
Jose Ramón Palanco currently holds CEO/CTO positions at EpicBounties since June 2021. In the past he founded Dinoflux at 2014, a Threat Intelligence startup acquired by Telefonica, currently he works for 11paths since 2018. He worked also for Ericsson at R&D department and Optenet (Allot). He studied Telecommunications Engineering at the University of Alcala de Henares and Master of IT Governance at the University of Deusto. He has been a speaker at OWASP, ROOTEDCON, ROOTCON, MALCON, and FAQin... He has published several CVE and different open source tools for cybersecurity like nmap-scada, ProtocolDetector, escan, pma, EKanalyzer, SCADA IDS, ...