Closed dfirbuddy closed 7 years ago
Hi Jurriaan, I found a workaround to decode the pcap file. Perhaps it would be an option to use tshark for decoding SSL with Cuckoo as an alternative as long as the bug in httpreplay/tlslite-ng isn't resolved. I posted 3 scripts as an example. Use ssl_decode_http.sh as a PoC. Format is variable.
Regards Willy
@dfirbuddy I've just fixed the issue and pushed out a new version (0.1.18), naturally I'll be updating the version numbers in the Cuckoo branches as well. Although your idea is nice, the tshark stuff, I'm not sure if it'd be suitable here ;-) Because then we'd have to run tshark and parse its text output etc.
Closing this issue as fixed. Thanks for your feedback!
Hi Jurriaan, tshark offers to create a CSV file (incl. field headers if you wish). You only need to define the fields you are interested in. The other (more interesting) way would be to use the new XML output format. Then you can use bs4 and lxml and XPath to parse the info. If you let me know the fields you are interested in I will create a prototype for you. The only disadvantage I see is that tshark is not available on all platforms. Regards Willy
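The tshark-based workaround described above, as an added example that is not one of the scripts posted in the issue: it feeds the TLS master secrets from a key log file to tshark and exports the decrypted HTTP fields as CSV. The function names `field_args` and `decode_http`, the field list and the input file names `dump.pcap` and `tlsmaster.txt` are assumptions for this illustration.

```shell
#!/bin/sh
# Added example (not from the issue): decrypt TLS sessions in a pcap with
# tshark using a key log file and print selected HTTP fields as CSV.
set -eu

# Fields exported per HTTP request/response; edit to taste. Each becomes
# one "-e" argument and one CSV column.
FIELDS="frame.number frame.time_relative ip.src ip.dst tcp.stream \
http.request.method http.host http.request.uri http.response.code \
http.content_type"

# Turn the space-separated FIELDS list into "-e f1 -e f2 ..." arguments.
field_args() {
    for f in $1; do printf -- '-e %s ' "$f"; done
}

# decode_http <pcap> <keylog>
# The keylog pref is tls.keylog_file on Wireshark >= 3.0; the 2.x releases
# current when this issue was filed call it ssl.keylog_file instead.
# -Y http keeps only decrypted (or plain) HTTP frames; -E flags produce a
# comma-separated file with a header row and double-quoted values, using
# the first occurrence of a field when a frame carries several.
decode_http() {
    pcap=$1
    keylog=$2
    [ -r "$pcap" ]   || { echo "pcap not readable: $pcap" >&2; return 1; }
    [ -r "$keylog" ] || { echo "keylog not readable: $keylog" >&2; return 1; }
    command -v tshark >/dev/null 2>&1 || { echo "tshark not installed" >&2; return 2; }
    # shellcheck disable=SC2046  # word splitting of field_args output is intended
    tshark -r "$pcap" -o "tls.keylog_file:$keylog" -Y http \
        -T fields $(field_args "$FIELDS") \
        -E header=y -E separator=, -E quote=d -E occurrence=f
}

# Usage: ./ssl_decode_http.sh dump.pcap tlsmaster.txt > http.csv
if [ "$#" -ge 1 ]; then
    decode_http "$1" "${2:-tlsmaster.txt}"
fi
```

The CSV can then be loaded into a spreadsheet or parsed with a one-line `awk`/`csv` reader; the same `-o tls.keylog_file:` preference also works with `-T pdml` for the XML output mentioned above.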
Well, I mean, from a httpreplay point of view we want all the fields. That is, on a tcp, http, or https level based on the type of stream. You're more than welcome to play around with tshark to see how far you can push it, but keep in mind that the current approach of httpreplay is working just fine and as such me merging it is not that likely. Especially since currently httpreplay works on "all" operating systems (Linux, Mac OS X, Windows). Well, Mac OS X isn't unit tested right now, but Linux and Windows are.
Hi Jurriaan, I found a strange error decoding some sessions. I added the pcap. The error "AttributeError: 'str' object has no attribute 'name'" that you see if running without debugging is not correct. Inside the debugger you get an assert because it is not a block cipher (see attachment). I just connected to https://www.heise.de. The error occurs inside tlslite-ng. There seems to be the same error with version 0.7-alpha2.
tlsmaster.txt
dump.zip