{"id":939,"date":"2026-07-06T15:37:13","date_gmt":"2026-07-06T15:37:13","guid":{"rendered":"https:\/\/reversea.me\/?p=939"},"modified":"2026-07-06T15:37:13","modified_gmt":"2026-07-06T15:37:13","slug":"inferring-network-protocols-from-traffic-with-marissa","status":"publish","type":"post","link":"https:\/\/reversea.me\/index.php\/inferring-network-protocols-from-traffic-with-marissa\/","title":{"rendered":"Inferring Network Protocols from Traffic with MARISSA"},"content":{"rendered":"<span class=\"span-reading-time rt-reading-time\" style=\"display: block;\"><span class=\"rt-label rt-prefix\">Reading Time: <\/span> <span class=\"rt-time\"> 6<\/span> <span class=\"rt-label rt-postfix\">minutes<\/span><\/span>\n<p class=\"wp-block-paragraph\"><strong>TL;DR<\/strong> Many network protocols are undocumented or proprietary, which makes traffic analysis, auditing, and malware investigation harder when there is no specification to work from. Protocol reverse engineering (PRE) tries to recover message formats directly from network traces, but existing static tools tend to rely on fixed assumptions, struggle with binary or mixed-format protocols, and do not scale well to large captures. In our paper at the <a href=\"https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/RuizUR-EuroSP-26.pdf\">11th IEEE European Symposium on Security and Privacy (EuroS&amp;P 2026)<\/a>, <em>&#8220;MARISSA: Efficient Inference of Network Protocols using Similarity Digest Clustering and Multiple Sequence Algorithms&#8221;<\/em>, we present <a href=\"https:\/\/github.com\/reverseame\/MARISSA\"><code>MARISSA<\/code><\/a>, an automated tool that infers message formats from PCAP files. <code>MARISSA<\/code> combines similarity digest clustering with multiple sequence alignment to identify field boundaries, works on both textual and binary protocols, and reduces runtime by factors of 2x to 15x compared to the tools we tested. Interested? Keep reading this briefing or <a href=\"https:\/\/github.com\/reverseame\/MARISSA\">grab the code on GitHub<\/a>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Why Protocol Reverse Engineering Is Hard<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Understanding the structure of a network protocol is useful for traffic inspection, intrusion detection, and forensic analysis. Widely used protocols such as HTTP, DNS, and TLS are documented and standardized, but many others are not: custom schemes in embedded systems, legacy enterprise software, and malware command-and-control channels often lack public specifications. In those cases, an analyst has to recover the message format from captured traffic.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">PRE approaches fall into two groups. <em>Dynamic<\/em> methods instrument the program binary to observe how it builds and parses messages, which gives good results but needs access to a running system and the ability to modify its execution environment. That requirement limits their use in IoT or malware scenarios where the endpoint is not available. <em>Static<\/em> methods work only from captured traffic, so they are non-intrusive and broadly applicable, but they have their own limits: many rely on recognizable delimiters or keywords, assume prior knowledge of the format, or become slow as the trace grows.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We designed <code>MARISSA<\/code> to address two goals at the same time: infer message structure from raw, unknown traffic, and scale to large and diverse captures within reasonable runtimes.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The Solution: Similarity Digests Plus Sequence Alignment<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><code>MARISSA<\/code> is a static, protocol-agnostic tool. It does not assume delimiters or format regularity, which lets it handle both textual and binary protocols. It builds on two ideas.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The first is to cluster messages using <em>similarity digest algorithms<\/em> (SDAs) rather than full byte-by-byte comparison. SDAs produce compact fingerprints that reflect the structural similarity of byte sequences, which keeps cost down while preserving structural information. We evaluated <code>TLSH<\/code> and <code>ssdeep<\/code>, and adopted <code>ssdeep<\/code> as the default clustering backend because it gave the most consistent results on our datasets.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The second is to infer field boundaries with <em>multiple sequence alignment<\/em> (MSA), a technique from bioinformatics that aligns many sequences at once to reveal regions that stay fixed (static headers) and regions that vary (payloads). To reuse mature MSA libraries, <code>MARISSA<\/code> transcodes each protocol message from hexadecimal into a compatible character encoding (hex digits A-F are kept, digits 0-9 map to letters G-P), a reversible and loss-less step that preserves message length and byte alignment.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Inside the Pipeline<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><code>MARISSA<\/code> takes a PCAP file as input and produces an inferred message format as output. The workflow has three phases.<br><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"926\" height=\"1024\" src=\"https:\/\/reversea.me\/wp-content\/uploads\/2026\/07\/fig1_pipeline-926x1024.png\" alt=\"\" class=\"wp-image-940\" srcset=\"https:\/\/reversea.me\/wp-content\/uploads\/2026\/07\/fig1_pipeline-926x1024.png 926w, https:\/\/reversea.me\/wp-content\/uploads\/2026\/07\/fig1_pipeline-271x300.png 271w, https:\/\/reversea.me\/wp-content\/uploads\/2026\/07\/fig1_pipeline-768x850.png 768w, https:\/\/reversea.me\/wp-content\/uploads\/2026\/07\/fig1_pipeline.png 1373w\" sizes=\"auto, (max-width: 926px) 100vw, 926px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 1: The MARISSA pipeline, detailing the pre-processing, processing, and post-processing phases.<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\"><strong>Pre-processing.<\/strong> Raw traffic is cleaned and normalized: message extraction, protocol filtering and header stripping (down to the protocol payload), deduplication of retransmitted packets, <em>prefix sanitization<\/em> to strip static &#8220;magic number&#8221; prefixes that would otherwise bias the digests, and <em>stream separation<\/em> by MAC address to keep different communication flows apart. The output is a set of clean, role-grouped message payloads.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Processing.<\/strong> For each stream, <code>MARISSA<\/code> computes pairwise similarity digest scores into a distance matrix, clusters the messages with <code>OPTICS<\/code> (a density-based algorithm that handles clusters of varying shape and outliers better than k-means), and aligns the messages in each cluster with MSA. We integrated several genomics MSA tools (<code>MAFFT<\/code>, <code>Clustal Omega<\/code>, <code>FAMSA<\/code>, and <code>MUSCLE<\/code>) and selected <code>MAFFT<\/code> as the default for its balance of accuracy and speed. A lightweight cluster-merging step then groups message variants that share the same type identifier, reducing over-segmentation.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Post-processing.<\/strong> The aligned messages are analyzed to classify each field as <em>static<\/em> (fixed length and content), <em>dynamic<\/em> (fixed length, variable content, such as a sequence number or timestamp), or <em>variable<\/em> (variable in both length and content). The result is a structured description of each message type, exported as CSV, which can feed documentation, interoperability testing, fuzzing, or emulation.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Key Findings<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">We evaluated <code>MARISSA<\/code> on nine real-world protocols spanning textual and binary formats: DHCP, DNS, FTP, Modbus, ICMP, MQTT, NTP, S7comm, and SMB, with datasets of 100, 500, and 1000 messages. We measured clustering quality and field inference accuracy (precision, accuracy, recall, and F1) against ground truth from <code>tshark<\/code> dissectors, and compared <code>MARISSA<\/code> with four existing tools: <code>NEMETYL<\/code>, <code>NetPlier<\/code>, <code>BinaryInferno<\/code>, and <code>MDIplier<\/code>.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Broader protocol coverage.<\/strong> <code>MARISSA<\/code> processed all nine protocols across all dataset sizes. In our runs, <code>NEMETYL<\/code> completed only 3 of the 9 protocols, and <code>NetPlier<\/code> and <code>MDIplier<\/code> did not handle FTP traffic.<\/li>\n\n\n\n<li><strong>Higher inference quality.<\/strong> Across most protocols and dataset sizes, <code>MARISSA<\/code> produced the best clustering and field inference results among the tools tested. Clustering stayed stable regardless of dataset size, while field inference improved with more messages, which reflects the extra structural redundancy in larger datasets.<\/li>\n\n\n\n<li><strong>Lower runtime.<\/strong> <code>MARISSA<\/code> reduced execution time by factors ranging from 2x to 15x compared to the other tools. We attribute this to the lightweight similarity digest comparisons and the use of optimized MSA libraries.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Case Study: Reverse Engineering ARPChat<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">To show practical utility, we applied <code>MARISSA<\/code> to <code>ARPChat<\/code>, a custom chat application that communicates over the ARP protocol. Its non-standard transport and minimal structure make it a good test case for inferring an unknown format.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"641\" height=\"361\" src=\"https:\/\/reversea.me\/wp-content\/uploads\/2026\/07\/fig2_arpchat_format.png\" alt=\"\" class=\"wp-image-941\" srcset=\"https:\/\/reversea.me\/wp-content\/uploads\/2026\/07\/fig2_arpchat_format.png 641w, https:\/\/reversea.me\/wp-content\/uploads\/2026\/07\/fig2_arpchat_format-300x169.png 300w\" sizes=\"auto, (max-width: 641px) 100vw, 641px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 2: Message structure inferred from the ARPChat protocol. D(X) denotes a fixed-length dynamic field of X bytes, and V denotes a variable-length field.<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\"><code>MARISSA<\/code> recovered the message layout: a static 3-byte prefix (<code>uwu<\/code>) that separates <code>ARPChat<\/code> traffic from standard ARP, followed by a 1-byte type identifier (<code>00<\/code> chat message, <code>01<\/code> connection request, <code>02<\/code> presence update, <code>03<\/code> disconnect), and the corresponding dynamic and variable fields. Using only this inferred format, we replicated the application&#8217;s key features through custom scripts (sending messages, spoofing user presence, and joining chats) without access to the original client.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The case study also shows an honest limit. <code>MARISSA<\/code> identified three structural groups rather than four, because two byte positions that encode a sequence number and a message count were never updated due to a bug in <code>ARPChat<\/code>, so they looked static in every captured message. This is a reminder that inference quality depends on the quality of the captured traces.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Takeaways for Reverse Engineers<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>MARISSA<\/code> works without delimiters, keywords, or prior format knowledge, so it applies to binary and proprietary protocols where keyword-based tools tend to fail.<\/li>\n\n\n\n<li>Its output is a structured, byte-level field map per message type, ready to use as input for fuzzers, emulators, or interoperability testing.<\/li>\n\n\n\n<li>As a static tool, it operates on captured traffic and does not need access to a live system. It cannot analyze encrypted payloads (TLS, SSH, HTTPS), which stay opaque to any static approach.<\/li>\n\n\n\n<li>Trace quality matters. Mixed-protocol captures should be filtered to a single protocol first, and malformed or buggy applications can blur fields that would otherwise be distinct.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Ongoing Work<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">We plan to extend <code>MARISSA<\/code> with semantic inference to label fields with domain-specific meanings (usernames, timestamps, commands), support for encrypted traffic through decryption modules or controlled instrumentation, better handling of mixed-traffic captures, and integration into broader workflows such as protocol fuzzing, automated test generation, and IDS rule derivation. To support reproducibility, we release the source code together with the containerization and evaluation scripts used in the paper.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Funding Acknowledgments<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">This research was supported in part by grant PID2023-151467OA-I00 (CRAPER), funded by MICIU\/AEI\/10.13039\/501100011033 and by ERDF\/EU, by grant TED2021-131115A-I00 (MIMFA), funded by MICIU\/AEI\/10.13039\/501100011033 and by the European Union NextGenerationEU\/PRTR, by grant <em>Proyecto Estrat\u00e9gico Ciberseguridad EINA UNIZAR<\/em>, funded by the Spanish National Cybersecurity Institute (INCIBE) and the European Union NextGenerationEU\/PRTR, by grant <em>Programa de Proyectos Estrat\u00e9gicos de Grupos de Investigaci\u00f3n<\/em> (DisCo research group, ref. T21-23R), funded by the University, Industry and Innovation Department of the Aragonese Government.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"89\" src=\"https:\/\/reversea.me\/wp-content\/uploads\/2025\/06\/BandaINCIBEcolor-1-1024x89.png\" alt=\"\" class=\"wp-image-844\" srcset=\"https:\/\/reversea.me\/wp-content\/uploads\/2025\/06\/BandaINCIBEcolor-1-1024x89.png 1024w, https:\/\/reversea.me\/wp-content\/uploads\/2025\/06\/BandaINCIBEcolor-1-300x26.png 300w, https:\/\/reversea.me\/wp-content\/uploads\/2025\/06\/BandaINCIBEcolor-1-768x67.png 768w, https:\/\/reversea.me\/wp-content\/uploads\/2025\/06\/BandaINCIBEcolor-1-1536x134.png 1536w, https:\/\/reversea.me\/wp-content\/uploads\/2025\/06\/BandaINCIBEcolor-1-2048x179.png 2048w, https:\/\/reversea.me\/wp-content\/uploads\/2025\/06\/BandaINCIBEcolor-1-1440x126.png 1440w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"201\" src=\"https:\/\/reversea.me\/wp-content\/uploads\/2026\/07\/logos-1024x201.jpeg\" alt=\"\" class=\"wp-image-944\" srcset=\"https:\/\/reversea.me\/wp-content\/uploads\/2026\/07\/logos-1024x201.jpeg 1024w, https:\/\/reversea.me\/wp-content\/uploads\/2026\/07\/logos-300x59.jpeg 300w, https:\/\/reversea.me\/wp-content\/uploads\/2026\/07\/logos-768x151.jpeg 768w, https:\/\/reversea.me\/wp-content\/uploads\/2026\/07\/logos.jpeg 1200w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p class=\"wp-block-paragraph\"><em>And that&#8217;s all, folks! In the meantime, we encourage you to <a href=\"https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/RuizUR-EuroSP-26.pdf\">read the full paper at EuroS&amp;P 2026<\/a>, <a href=\"https:\/\/github.com\/reverseame\/MARISSA\">explore and contribute to the tool on GitHub<\/a>, or <a href=\"mailto:reverseame@unizar.es\">reach out to us if you&#8217;re interested in collaborating on protocol reverse engineering, traffic analysis, or message format inference<\/a>. Thanks for reading, and stay secure!<\/em><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Declaration of Generative AI Technologies in the Writing Process<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">During the preparation of this post, the authors used Claude (Claude Opus 4.8 model) to improve readability and language. After using this tool, the authors reviewed and edited the content as necessary and take full responsibility for the content of this publication.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><span class=\"span-reading-time rt-reading-time\" style=\"display: block;\"><span class=\"rt-label rt-prefix\">Reading Time: <\/span> <span class=\"rt-time\"> 6<\/span> <span class=\"rt-label rt-postfix\">minutes<\/span><\/span>TL;DR Many network protocols are undocumented or proprietary, which makes traffic analysis, auditing, and malware investigation harder when there is no specification to work from. Protocol reverse engineering (PRE) tries to recover message formats directly from network traces, but existing static tools tend to rely on fixed assumptions, struggle with binary or mixed-format protocols, and [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27,15],"tags":[77,74,61,75],"class_list":["post-939","post","type-post","status-publish","format-standard","hentry","category-reverse-engineering","category-tools","tag-clustering","tag-protocol-reverse-engineering","tag-similarity-hashing","tag-traffic-analysis","no-featured-image"],"_links":{"self":[{"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/posts\/939","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/comments?post=939"}],"version-history":[{"count":1,"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/posts\/939\/revisions"}],"predecessor-version":[{"id":946,"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/posts\/939\/revisions\/946"}],"wp:attachment":[{"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/media?parent=939"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/categories?post=939"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/tags?post=939"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}