Unknown or invalid cipher suite type fafa

[aygupt1822]

I got this error while I was running js3 on pcap file :-

Traceback (most recent call last):
  File "F:\Program Files\Python39\lib\site-packages\dpkt\ssl.py", line 301, in unpack
    self.ciphersuites = [
  File "F:\Program Files\Python39\lib\site-packages\dpkt\ssl.py", line 302, in <listcomp>
    ssl_ciphersuites.BY_CODE[code] for code in struct.unpack('!' + num_ciphersuites * 'H', ciphersuites)]
KeyError: 64250

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "F:\Program Files\Python39\Scripts\ja3-script.py", line 33, in <module>
    sys.exit(load_entry_point('pyja3==1.1.0', 'console_scripts', 'ja3')())
  File "F:\Program Files\Python39\lib\site-packages\ja3\ja3.py", line 245, in main
    output = process_pcap(capture, any_port=args.any_port)
  File "F:\Program Files\Python39\lib\site-packages\ja3\ja3.py", line 194, in process_pcap
    handshake = dpkt.ssl.TLSHandshake(record.data)
  File "F:\Program Files\Python39\lib\site-packages\dpkt\dpkt.py", line 87, in __init__
    self.unpack(args[0])
  File "F:\Program Files\Python39\lib\site-packages\dpkt\ssl.py", line 421, in unpack
    self.data = embedded_type[1](self.data)
  File "F:\Program Files\Python39\lib\site-packages\dpkt\dpkt.py", line 87, in __init__
    self.unpack(args[0])
  File "F:\Program Files\Python39\lib\site-packages\dpkt\ssl.py", line 304, in unpack
    raise SSL3Exception('Unknown or invalid cipher suite type %x' % int(e.args[0]))
dpkt.ssl.SSL3Exception: Unknown or invalid cipher suite type fafa

[philhagen]

It looks like something in dpkt caused this to start happening. I've downgraded dpkt to 1.9.3 and the problem seems to have been alleviated.

[aygupt1822]

I tried again by downgrading dpkt to 1.9.2 and it is working... @philhagen Thanks for the solution :))

[obormot]

Fixed in the latest dpkt 1.9.7