
Comments (2)

tintinweb avatar tintinweb commented on June 8, 2024

Hi @krisk0,

thanks for the report and sorry for the late reply.

In order to make auto-dissection work, Scapy has a concept of conditionally binding layers together. By default scapy-ssl_tls registers to bind its TLS layers to UDP/TCP ports 443 and 4433 for auto-dissection [1] (https://github.com/tintinweb/scapy-ssl_tls/blob/master/scapy_ssl_tls/ssl_tls.py#L1551). Since your TLS traffic is on port 3128 (http-prx), which is not a well-known explicit TLS port, Scapy does not attempt to dissect the packets as TLS. However, you can easily force Scapy to try to dissect your packets as TLS by manually binding the SSL/TLS layer to tcp.dport=3128:

>>> from scapy.all import *
>>> from scapy_ssl_tls.ssl_tls import *    # registers the SSL/TLS layers (443/4433 bound by default)
>>> bind_layers(TCP, SSL, dport=3128)      # squid port seen in the capture; not bound by default
>>> pcap = rdpcap('583.pcap')
>>> pcap[0]
<Ether  dst=00:1d:45:38:d8:bf src=78:24:af:3e:54:2d type=IPv4 |<IP  version=4L ihl=5L tos=0x0 len=569 id=944 flags=DF frag=0L ttl=64 proto=tcp chksum=0xa6a1 src=192.168.5.21 dst=192.168.8.8 options=[] |<TCP  sport=58528 dport=squid seq=3029790043 ack=3734663421 dataofs=8L reserved=0L flags=PA window=229 chksum=0x460f urgptr=0 options=[('NOP', None), ('NOP', None), ('Timestamp', (1306571, 90169951))] |<SSL  records=[<TLSRecord  content_type=handshake version=TLS_1_0 length=0x200 |<TLSHandshake  type=client_hello length=0x1fc |<TLSClientHello  version=TLS_1_2 gmt_unix_time=4161341682 random_bytes="\n)\x9d\x7f:N\xc2\x1aq\xdc/\x89Q\x038\xddf\xd7\x92\xd7'\xf3<\xcdB\x96\r\xa7" session_id_length=0x0 session_id='' cipher_suites_length=0x1e cipher_suites=['ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', 'ECDHE_RSA_WITH_AES_128_GCM_SHA256', 'ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256', 'ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256', 'ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'ECDHE_ECDSA_WITH_AES_256_CBC_SHA', 'ECDHE_ECDSA_WITH_AES_128_CBC_SHA', 'ECDHE_RSA_WITH_AES_128_CBC_SHA', 'ECDHE_RSA_WITH_AES_256_CBC_SHA', 'DHE_RSA_WITH_AES_128_CBC_SHA', 'DHE_RSA_WITH_AES_256_CBC_SHA', 'RSA_WITH_AES_128_CBC_SHA', 'RSA_WITH_AES_256_CBC_SHA', 'RSA_WITH_3DES_EDE_CBC_SHA'] compression_methods_length=0x1 compression_methods=['NULL'] extensions_length=0x1b5 extensions=[<TLSExtension  type=padding length=0xef |<Raw  
load='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' |>>, <TLSExtension  type=server_name length=0xe |<TLSExtServerNameIndication  length=0xc server_names=[<TLSServerName  type=host length=0x9 data='yandex.ru' |>] |>>, <TLSExtension  type=extended_master_secret length=0x0 |>, <TLSExtension  type=renegotiation_info length=0x1 |<TLSExtRenegotiationInfo  length=0x0 |>>, <TLSExtension  type=supported_groups length=0x14 |<TLSExtEllipticCurves  length=0x12 elliptic_curves=['ecdh_x25519', 'secp256r1', 'secp384r1', 'secp521r1', 'ffdhe2048', 'ffdhe3072', 'ffdhe4096', 'ffdhe6144', 'ffdhe8192'] |>>, <TLSExtension  type=ec_point_formats length=0x2 |<TLSExtECPointsFormat  length=0x1 ec_point_formats=['uncompressed'] |>>, <TLSExtension  type=SessionTicket_TLS length=0x0 |>, <TLSExtension  type=application_layer_protocol_negotiation length=0x17 |<TLSExtALPN  length=0x15 protocol_name_list=[<TLSALPNProtocol  length=0x2 data='h2' |>, <TLSALPNProtocol  length=0x8 data='spdy/3.1' |>, <TLSALPNProtocol  length=0x8 data='http/1.1' |>] |>>, <TLSExtension  type=status_request length=0x5 |<Raw  
load='\x01\x00\x00\x00\x00' |>>, <TLSExtension  type=0x28 length=0x26 |<Raw  load='\x00$\x00\x1d\x00 \x86\xd4G>\x04g@\xf3\x8f\xfdiv(\x91j\xedI\x08\x03\xc8\xd3\x0f\x8b\xf4\xd7kM\x07\xa7Jea' |>>, <TLSExtension  type=0x2b length=0x9 |<Raw  load='\x08\x7f\x12\x03\x03\x03\x02\x03\x01' |>>, <TLSExtension  type=signature_algorithms length=0x20 |<TLSExtSignatureAndHashAlgorithm  length=0x1e algs=[<TLSSignatureHashAlgorithm  hash_alg=sha256 sig_alg=ecdsa |>, <TLSSignatureHashAlgorithm  hash_alg=sha384 sig_alg=ecdsa |>, <TLSSignatureHashAlgorithm  hash_alg=sha512 sig_alg=ecdsa |>, <TLSSignatureHashAlgorithm  hash_alg=sha1 sig_alg=ecdsa |>, <TLSSignatureHashAlgorithm  hash_alg=8 sig_alg=4 |>, <TLSSignatureHashAlgorithm  hash_alg=8 sig_alg=5 |>, <TLSSignatureHashAlgorithm  hash_alg=8 sig_alg=6 |>, <TLSSignatureHashAlgorithm  hash_alg=sha256 sig_alg=rsa |>, <TLSSignatureHashAlgorithm  hash_alg=sha384 sig_alg=rsa |>, <TLSSignatureHashAlgorithm  hash_alg=sha512 sig_alg=rsa |>, <TLSSignatureHashAlgorithm  hash_alg=sha1 sig_alg=rsa |>, <TLSSignatureHashAlgorithm  hash_alg=sha256 sig_alg=dsa |>, <TLSSignatureHashAlgorithm  hash_alg=sha384 sig_alg=dsa |>, <TLSSignatureHashAlgorithm  hash_alg=sha512 sig_alg=dsa |>, <TLSSignatureHashAlgorithm  hash_alg=sha1 sig_alg=dsa |>] |>>, <TLSExtension  type=0x2d length=0x2 |<Raw  load='\x01\x01' |>>] |>>>] |>>>>
>>>


tintinweb avatar tintinweb commented on June 8, 2024

Closing the issue as there's nothing for us to fix. Adding 3128 (typically plaintext proxy or tunneled/upgraded TLS sessions) might create conflicts with other layers and potentially have performance drawbacks.

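The two comments above make one practical point: a port-based bind_layers() is a blunt instrument, and on a proxy port like 3128 the same TCP port carries both plaintext HTTP (CONNECT requests) and tunneled TLS, so a blanket binding would mis-dissect the plaintext half. The following is an added, stand-alone example written for this page; it is not code from scapy-ssl_tls and does not depend on Scapy. It shows the content-based check a practitioner would put in front of a TLS dissection on a non-standard port (TLS record header sanity, then a minimal ClientHello walk to the server_name extension), and runs it over two constructed payloads to port 3128: a ClientHello for yandex.ru, mirroring the SNI in the capture above, and a plaintext proxy CONNECT request. The byte strings are constructed here, not taken from the reporter's pcap.

```python
"""Added example (not scapy-ssl_tls code): content-based TLS detection and
SNI extraction for traffic on a non-standard port such as 3128.
All sample payloads below are constructed inline for the example."""
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
MAX_RECORD = 16384 + 2048  # RFC 5246 upper bound on TLSCiphertext.length


def looks_like_tls_record(payload: bytes) -> bool:
    """Cheap pre-check before attempting a TLS dissection: handshake content
    type, a 3.x record-layer version and a plausible record length. A plaintext
    HTTP request never starts with 0x16 0x03, so proxy traffic is rejected here."""
    if len(payload) < 5:
        return False
    content_type, major, minor, length = struct.unpack("!BBBH", payload[:5])
    return content_type == TLS_HANDSHAKE and major == 3 and minor <= 3 and 0 < length <= MAX_RECORD


def client_hello_sni(payload: bytes):
    """Return the host_name carried in the server_name extension of a
    ClientHello, or None if the payload is not a ClientHello with SNI."""
    if not looks_like_tls_record(payload):
        return None
    try:
        rec_len = struct.unpack("!H", payload[3:5])[0]
        body = payload[5:5 + rec_len]
        if len(body) < 4 or body[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        pos = 2 + 32                                   # client_version + random
        sid_len = hello[pos]; pos += 1 + sid_len       # session_id
        cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
        cm_len = hello[pos]; pos += 1 + cm_len         # compression_methods
        if pos + 2 > len(hello):
            return None                                # no extensions block at all
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            data = hello[pos:pos + elen]; pos += elen
            if ext_type == EXT_SERVER_NAME and len(data) >= 5:
                # ServerNameList: u16 list_len, then entries of u8 name_type, u16 len, bytes
                name_type, name_len = data[2], struct.unpack("!H", data[3:5])[0]
                if name_type == 0:                      # host_name
                    return data[5:5 + name_len].decode("ascii", "replace")
    except (struct.error, IndexError):
        return None                                    # truncated or malformed hello
    return None


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.0 record wrapping a TLS 1.2 ClientHello that
    offers one cipher suite and carries a server_name extension."""
    name = hostname.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    exts = struct.pack("!H", len(sni_ext)) + sni_ext
    hello = (b"\x03\x03" + bytes(32)          # client_version TLS 1.2, zeroed random (constructed)
             + b"\x00"                        # empty session_id
             + struct.pack("!H", 2) + b"\xc0\x2b"   # one suite: ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
             + b"\x01\x00"                    # compression_methods: NULL
             + exts)
    hs = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE, 3, 1]) + struct.pack("!H", len(hs)) + hs


# Constructed sample payloads, both plausible on a squid port (3128).
TLS_TO_PROXY = build_client_hello("yandex.ru")
PLAIN_TO_PROXY = b"CONNECT yandex.ru:443 HTTP/1.1\r\nHost: yandex.ru:443\r\n\r\n"


def classify(payload: bytes) -> str:
    """What a port-agnostic dissector would decide for one TCP payload."""
    sni = client_hello_sni(payload)
    if sni is not None:
        return f"tls client_hello sni={sni}"
    if looks_like_tls_record(payload):
        return "tls handshake (not a ClientHello)"
    return "not tls"


if __name__ == "__main__":
    for p in (TLS_TO_PROXY, PLAIN_TO_PROXY):
        print(classify(p))
```

The same check can be used as a guard in Scapy by overriding TCP's guess_payload_class (or by only calling bind_layers for a port after confirming the capture actually carries TLS there), which keeps the default port table small, as the maintainer prefers, while still dissecting TLS that happens to travel over a proxy port.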
