quiclog / pcap2qlog

A tool to convert .pcap and .pcapng files into qlog files
MIT License

error_description": "Error: ParserPCAP: no tls info known for the first QUIC initial, not supported! Are you sure the trace decrypted? #11

Open Adam-Kadi opened 2 years ago

Adam-Kadi commented 2 years ago

Hi,

For my thesis, I would like to use the tool you developed, "pcap2qlog", to analyze QUIC communications with qvis. However, I have a problem: when I generate the final.qlog file from a pcap, the command gives me this output:

    "qlog_version": "draft-01",
    "description": "",
    "traces": [
        {
            "error_description": "Error: ParserPCAP: no tls info known for the first QUIC initial, not supported! Are you sure the trace decrypted? : [object Object], [{\"quic.frame_type\":\"0\",\"quic.padding_length\":\"916\"},{\"quic.frame_type\":\"6\",\"quic.crypto.offset\":\"0\",\"quic.crypto.length\":\"285\",\"quic.crypto.crypto_data\":\"\",\"tls\":{\"tls.handshake\":{\"tls.handshake.type\":\"1\",\"tls.handshake.length\":\"281\",\"tls.handshake.version\":\"0x0303\",\"tls.handshake.random\":\"b8:89:47:df:59:ca:0c:fa:e5:0f:8e:94:31:f9:6c:84:a3:df:81:03:c8:44:e4:b7:69:46:18:dd:e7:65:35:b2\",\"tls.handshake.session_id_length\":\"0\",\"tls.handshake.cipher_suites_length\":\"38\",\"tls.handshake.ciphersuites\":{\"tls.handshake.ciphersuite\":[\"0xc02b\",\"0xc02f\",\"0xc02c\",\"0xc030\",\"0xcca9\",\"0xcca8\",\"0xc009\",\"0xc013\",\"0xc00a\",\"0xc014\",\"0x009c\",\"0x009d\",\"0x002f\",\"0x0035\",\"0xc012\",\"0x000a\",\"0x1301\",\"0x1302\",\"0x1303\"]},\"tls.handshake.comp_methods_length\":\"1\",\"tls.handshake.comp_methods\":{\"tls.handshake.comp_method\":\"0\"},\"tls.handshake.extensions_length\":\"202\",\"Extension: status_request (len=5)\":{\"tls.handshake.extension.type\":\"5\",\"tls.handshake.extension.len\":\"5\",\"tls.handshake.extensions_status_request_type\":\"1\",\"tls.handshake.extensions_status_request_responder_ids_len\":\"0\",\"tls.handshake.extensions_status_request_exts_len\":\"0\"},\"Extension: supported_groups (len=10)\":{\"tls.handshake.extension.type\":\"10\",\"tls.handshake.extension.len\":\"10\",\"tls.handshake.extensions_supported_groups_length\":\"8\",\"tls.handshake.extensions_supported_groups\":{\"tls.handshake.extensions_supported_group\":[\"0x001d\",\"0x0017\",\"0x0018\",\"0x0019\"]}},\"Extension: ec_point_formats 
(len=2)\":{\"tls.handshake.extension.type\":\"11\",\"tls.handshake.extension.len\":\"2\",\"tls.handshake.extensions_ec_point_formats_length\":\"1\",\"tls.handshake.extensions_ec_point_formats\":{\"tls.handshake.extensions_ec_point_format\":\"0\"}},\"Extension: signature_algorithms (len=26)\":{\"tls.handshake.extension.type\":\"13\",\"tls.handshake.extension.len\":\"26\",\"tls.handshake.sig_hash_alg_len\":\"24\",\"tls.handshake.sig_hash_algs\":{\"tls.handshake.sig_hash_alg\":[\"0x0804\",\"0x0403\",\"0x0807\",\"0x0805\",\"0x0806\",\"0x0401\",\"0x0501\",\"0x0601\",\"0x0503\",\"0x0603\",\"0x0201\",\"0x0203\"],\"tls.handshake.sig_hash_alg_tree\":[{\"tls.handshake.sig_hash_hash\":\"8\",\"tls.handshake.sig_hash_sig\":\"4\"},{\"tls.handshake.sig_hash_hash\":\"4\",\"tls.handshake.sig_hash_sig\":\"3\"},{\"tls.handshake.sig_hash_hash\":\"8\",\"tls.handshake.sig_hash_sig\":\"7\"},{\"tls.handshake.sig_hash_hash\":\"8\",\"tls.handshake.sig_hash_sig\":\"5\"},{\"tls.handshake.sig_hash_hash\":\"8\",\"tls.handshake.sig_hash_sig\":\"6\"},{\"tls.handshake.sig_hash_hash\":\"4\",\"tls.handshake.sig_hash_sig\":\"1\"},{\"tls.handshake.sig_hash_hash\":\"5\",\"tls.handshake.sig_hash_sig\":\"1\"},{\"tls.handshake.sig_hash_hash\":\"6\",\"tls.handshake.sig_hash_sig\":\"1\"},{\"tls.handshake.sig_hash_hash\":\"5\",\"tls.handshake.sig_hash_sig\":\"3\"},{\"tls.handshake.sig_hash_hash\":\"6\",\"tls.handshake.sig_hash_sig\":\"3\"},{\"tls.handshake.sig_hash_hash\":\"2\",\"tls.handshake.sig_hash_sig\":\"1\"},{\"tls.handshake.sig_hash_hash\":\"2\",\"tls.handshake.sig_hash_sig\":\"3\"}]}},\"Extension: renegotiation_info (len=1)\":{\"tls.handshake.extension.type\":\"65281\",\"tls.handshake.extension.len\":\"1\",\"Renegotiation Info extension\":{\"tls.handshake.extensions_reneg_info_len\":\"0\"}},\"Extension: application_layer_protocol_negotiation 
(len=5)\":{\"tls.handshake.extension.type\":\"16\",\"tls.handshake.extension.len\":\"5\",\"tls.handshake.extensions_alpn_len\":\"3\",\"tls.handshake.extensions_alpn_list\":{\"tls.handshake.extensions_alpn_str_len\":\"2\",\"tls.handshake.extensions_alpn_str\":\"h3\"}},\"Extension: signed_certificate_timestamp (len=0)\":{\"tls.handshake.extension.type\":\"18\",\"tls.handshake.extension.len\":\"0\"},\"Extension: supported_versions (len=3)\":{\"tls.handshake.extension.type\":\"43\",\"tls.handshake.extension.len\":\"3\",\"tls.handshake.extensions.supported_versions_len\":\"2\",\"tls.handshake.extensions.supported_version\":\"0x0304\"},\"Extension: key_share (len=38)\":{\"tls.handshake.extension.type\":\"51\",\"tls.handshake.extension.len\":\"38\",\"Key Share extension\":{\"tls.handshake.extensions_key_share_client_length\":\"36\",\"Key Share Entry: Group: x25519, Key Exchange length: 32\":{\"tls.handshake.extensions_key_share_group\":\"29\",\"tls.handshake.extensions_key_share_key_exchange_length\":\"32\",\"tls.handshake.extensions_key_share_key_exchange\":\"7f:ec:63:67:eb:3e:53:cc:b5:e3:74:63:0a:ee:66:d1:f2:f8:a4:7c:be:e1:30:04:8f:20:b2:9d:55:a2:e4:01\"}}},\"Extension: quic_transport_parameters (len=72)\":{\"tls.handshake.extension.type\":\"57\",\"tls.handshake.extension.len\":\"72\",\"Parameter: GREASE (len=14)\":{\"tls.quic.parameter.type\":\"678\",\"tls.quic.parameter.length\":\"14\",\"tls.quic.parameter.value\":\"36:3b:af:2d:b3:39:1e:19:c8:5f:dc:ea:f1:fc\"},\"Parameter: initial_max_stream_data_bidi_local (len=4) 524288\":{\"tls.quic.parameter.type\":\"5\",\"tls.quic.parameter.length\":\"4\",\"tls.quic.parameter.value\":\"80:08:00:00\",\"tls.quic.parameter.initial_max_stream_data_bidi_local\":\"524288\"},\"Parameter: initial_max_stream_data_bidi_remote (len=4) 524288\":{\"tls.quic.parameter.type\":\"6\",\"tls.quic.parameter.length\":\"4\",\"tls.quic.parameter.value\":\"80:08:00:00\",\"tls.quic.parameter.initial_max_stream_data_bidi_remote\":\"524288\"},\"Parameter: 
initial_max_stream_data_uni (len=4) 524288\":{\"tls.quic.parameter.type\":\"7\",\"tls.quic.parameter.length\":\"4\",\"tls.quic.parameter.value\":\"80:08:00:00\",\"tls.quic.parameter.initial_max_stream_data_uni\":\"524288\"},\"Parameter: initial_max_data (len=4) 786432\":{\"tls.quic.parameter.type\":\"4\",\"tls.quic.parameter.length\":\"4\",\"tls.quic.parameter.value\":\"80:0c:00:00\",\"tls.quic.parameter.initial_max_data\":\"786432\"},\"Parameter: initial_max_streams_bidi (len=2) 100\":{\"tls.quic.parameter.type\":\"8\",\"tls.quic.parameter.length\":\"2\",\"tls.quic.parameter.value\":\"40:64\",\"tls.quic.parameter.initial_max_streams_bidi\":\"100\"},\"Parameter: initial_max_streams_uni (len=2) 100\":{\"tls.quic.parameter.type\":\"9\",\"tls.quic.parameter.length\":\"2\",\"tls.quic.parameter.value\":\"40:64\",\"tls.quic.parameter.initial_max_streams_uni\":\"100\"},\"Parameter: max_idle_timeout (len=4) 30000 ms\":{\"tls.quic.parameter.type\":\"1\",\"tls.quic.parameter.length\":\"4\",\"tls.quic.parameter.value\":\"80:00:75:30\",\"tls.quic.parameter.max_idle_timeout\":\"30000\"},\"Parameter: max_udp_payload_size (len=2) 1452\":{\"tls.quic.parameter.type\":\"3\",\"tls.quic.parameter.length\":\"2\",\"tls.quic.parameter.value\":\"45:ac\",\"tls.quic.parameter.max_udp_payload_size\":\"1452\"},\"Parameter: GREASE (len=1) 26\":{\"tls.quic.parameter.type\":\"11\",\"tls.quic.parameter.length\":\"1\",\"tls.quic.parameter.value\":\"1a\",\"tls.quic.parameter.max_ack_delay\":\"26\"},\"Parameter: disable_active_migration (len=0)\":{\"tls.quic.parameter.type\":\"12\",\"tls.quic.parameter.length\":\"0\",\"tls.quic.parameter.value\":\"\"},\"Parameter: active_connection_id_limit (len=1) 4\":{\"tls.quic.parameter.type\":\"14\",\"tls.quic.parameter.length\":\"1\",\"tls.quic.parameter.value\":\"04\",\"tls.quic.parameter.active_connection_id_limit\":\"4\"},\"Parameter: initial_source_connection_id 
(len=0)\":{\"tls.quic.parameter.type\":\"15\",\"tls.quic.parameter.length\":\"0\",\"tls.quic.parameter.value\":\"\",\"tls.quic.parameter.initial_source_connection_id\":\"\"},\"Parameter: max_datagram_frame_size (len=1) 0\":{\"tls.quic.parameter.type\":\"32\",\"tls.quic.parameter.length\":\"1\",\"tls.quic.parameter.value\":\"00\",\"tls.quic.parameter.max_datagram_frame_size\":\"0\"}},\"tls.handshake.ja3_full\":\"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-16-18-43-51-57,29-23-24-25,0\",\"tls.handshake.ja3\":\"009edb0f6241f671c77b2a0abfa75707\"}}}]",
            "uri": "/home/akadi/Quic/Test2/cipher.pcapng"
        }
    ]
} 

The command I ran on the terminal is this:

sudo node out/main.js --tshark=/bin/tshark --input=/home/akadi/Quic/Test2/cipher.pcapng --secrets=/home/akadi/Quic/Test2/ssl-key_242460824150148.log --outputpath=/home/akadi/Quic/Test2/final.qlog

As input, I used the QUIC session pcap, decrypted in the Wireshark options with the TLS session key.

If anyone can help me, that would be very nice :)

Adam Kadi

rmarx commented 2 years ago

Hey @Adam-Kadi,

Looking at your issue and also this recent one https://github.com/quiclog/pcap2qlog/issues/10, my guess is that newer versions of tshark somehow broke something in their JSON output that pcap2qlog doesn't expect.

Ideally I'd update pcap2qlog to deal with the format changes; however I don't really have time for that right now.

A potential solution for you would be to use an older version of tshark. For the qvis built-in pcap2qlog I've been using this version: https://github.com/wireshark/wireshark/commit/e3d44136f0f0026c5e893fa249f458073f3b7328 (see also dockerfile at https://github.com/quiclog/qvis-server/blob/master/system/docker_setup/wireshark/dockerfile).

That's quite old though (2 years by now). It should in theory still support all QUIC features pcap2qlog does (nothing really changed in QUIC since then, and pcap2qlog doesn't do HTTP/3 yet).

Alternatively, you could try to figure out what's going wrong with the new JSON output and fix the parsing here https://github.com/quiclog/pcap2qlog/blob/master/src/parsers/ParserPCAP.ts... that shouldn't be too complex, as I'd expect no real big changes (probably just a renamed/moved field). You can get the JSON output from tshark like this directly: https://github.com/quiclog/pcap2qlog/blob/master/src/flow/pcaptojson.ts#L29

I suspect this is the same problem as with #10 and #9.
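As an added example (not pcap2qlog code, and not from either commenter), here is a small diagnostic that walks the per-packet frame list from tshark's JSON for a QUIC Initial and separates "the trace was never decrypted" (no `tls` object under the CRYPTO frame) from "the tls object is there but not where the parser looks", which is what the output quoted in this issue shows. It assumes the frame list has the shape of the JSON quoted above (flat `quic.*` fields per frame, `quic.frame_type` "6" for CRYPTO, extensions nested under human-readable keys); the samples are constructed from that JSON, trimmed, and are not real captures.

```typescript
// Added example, not pcap2qlog code. Frame-list shape assumed from the JSON quoted in the issue.
type TsharkField = string | TsharkObject | TsharkField[];
interface TsharkObject { [key: string]: TsharkField; }

const FRAME_TYPE_CRYPTO = "6"; // quic.frame_type of a CRYPTO frame, as in the quoted output

interface InitialTls { handshakeType: string; alpn?: string; hasTransportParams: boolean; }
type Diagnosis = { ok: true; tls: InitialTls } | { ok: false; reason: string };

// Depth-first search for the first object carrying `key`; tshark nests extensions under
// keys such as "Extension: key_share (len=38)", so the path to a field is not fixed.
function findObjectWith(node: TsharkField, key: string): TsharkObject | undefined {
  if (typeof node === "string") return undefined;
  if (!Array.isArray(node)) {
    if (key in node) return node;
    for (const k of Object.keys(node)) { const hit = findObjectWith(node[k], key); if (hit) return hit; }
    return undefined;
  }
  for (const child of node) { const hit = findObjectWith(child, key); if (hit) return hit; }
  return undefined;
}

// Reports why "no tls info known for the first QUIC initial" would fire for this frame list.
function diagnoseInitial(frames: TsharkObject[]): Diagnosis {
  let crypto: TsharkObject | undefined;
  for (const f of frames) if (f["quic.frame_type"] === FRAME_TYPE_CRYPTO) { crypto = f; break; }
  if (!crypto) return { ok: false, reason: "no CRYPTO frame in the Initial" };
  const tls = crypto["tls"];
  if (tls === undefined || typeof tls === "string")
    return { ok: false, reason: "CRYPTO frame has no decoded tls payload: keylog not applied" };
  const hs = findObjectWith(tls, "tls.handshake.type");
  if (!hs) return { ok: false, reason: "tls payload present but no tls.handshake.type: JSON layout differs" };
  const alpn = findObjectWith(hs, "tls.handshake.extensions_alpn_str");
  return { ok: true, tls: {
    handshakeType: hs["tls.handshake.type"] as string,
    alpn: alpn ? (alpn["tls.handshake.extensions_alpn_str"] as string) : undefined,
    hasTransportParams: findObjectWith(hs, "tls.quic.parameter.type") !== undefined,
  } };
}

// Constructed samples mirroring the issue's JSON (trimmed); not real captures.
const DECRYPTED_INITIAL: TsharkObject[] = [
  { "quic.frame_type": "0", "quic.padding_length": "916" },
  { "quic.frame_type": "6", "quic.crypto.offset": "0", "quic.crypto.length": "285", tls: { "tls.handshake": {
    "tls.handshake.type": "1", "tls.handshake.version": "0x0303",
    "Extension: application_layer_protocol_negotiation (len=5)": { "tls.handshake.extension.type": "16",
      "tls.handshake.extensions_alpn_list": { "tls.handshake.extensions_alpn_str": "h3" } },
    "Extension: quic_transport_parameters (len=72)": { "tls.handshake.extension.type": "57",
      "Parameter: max_idle_timeout (len=4) 30000 ms": { "tls.quic.parameter.type": "1" } } } } },
];
const UNDECRYPTED_INITIAL: TsharkObject[] = [
  { "quic.frame_type": "6", "quic.crypto.offset": "0", "quic.crypto.length": "285", "quic.crypto.crypto_data": "" },
];
```

Run against the real frame list pulled from tshark's JSON (the pcaptojson.ts link above shows how pcap2qlog invokes tshark) to see which of the two cases applies before patching ParserPCAP.ts.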