The Conpot team recently introduced what we call the proxy module. Basically we forward the traffic from one service in Conpot to a service running on a real piece of hardware. This is a very successful technique when figuring out a unknown hardware or protocol. Next step then is to decode the messages logged in the proxy module. Most of this step is done by studying books of specifications, leaked manuals and offensive tools. This then gives us insight into the protocol, the commands sent and responses generated.
more here............http://honeynet.org/node/1179
more here............http://honeynet.org/node/1179