Closed krisk0 closed 7 years ago
Hi @krisk0,
thanks for the report and sorry for the late reply.
In order to make auto-dissection work scapy has a concept of conditionally binding layers together. By default scapy-ssl_tls registers to bind its tls layers to UDP/TCP ports 443, 4433 for auto-dissection [1] (https://github.com/tintinweb/scapy-ssl_tls/blob/master/scapy_ssl_tls/ssl_tls.py#L1551). Since your tls traffic is on port 3128 (http-prx), which is not a well-known explicit tls port, scapy does not attempt to dissect the packets as tls. However, you can easily force scapy to try to dissect your packets as tls by manually binding the ssl/tls layer to tcp.dport=3128:
```python
>>> from scapy.all import *                 # scapy core: rdpcap, TCP, bind_layers
>>> from scapy_ssl_tls.ssl_tls import *     # scapy-ssl_tls layers: SSL, TLSRecord, ...
>>> bind_layers(TCP, SSL, dport=3128)       # hand TCP payloads to port 3128 to the SSL/TLS dissector
>>> pcap = rdpcap('583.pcap')
>>> pcap[0]
<Ether dst=00:1d:45:38:d8:bf src=78:24:af:3e:54:2d type=IPv4 |<IP version=4L ihl=5L tos=0x0 len=569 id=944 flags=DF frag=0L ttl=64 proto=tcp chksum=0xa6a1 src=192.168.5.21 dst=192.168.8.8 options=[] |<TCP sport=58528 dport=squid seq=3029790043 ack=3734663421 dataofs=8L reserved=0L flags=PA window=229 chksum=0x460f urgptr=0 options=[('NOP', None), ('NOP', None), ('Timestamp', (1306571, 90169951))] |<SSL records=[<TLSRecord content_type=handshake version=TLS_1_0 length=0x200 |<TLSHandshake type=client_hello length=0x1fc |<TLSClientHello version=TLS_1_2 gmt_unix_time=4161341682 random_bytes="\n)\x9d\x7f:N\xc2\x1aq\xdc/\x89Q\x038\xddf\xd7\x92\xd7'\xf3<\xcdB\x96\r\xa7" session_id_length=0x0 session_id='' cipher_suites_length=0x1e cipher_suites=['ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', 'ECDHE_RSA_WITH_AES_128_GCM_SHA256', 'ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256', 'ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256', 'ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'ECDHE_ECDSA_WITH_AES_256_CBC_SHA', 'ECDHE_ECDSA_WITH_AES_128_CBC_SHA', 'ECDHE_RSA_WITH_AES_128_CBC_SHA', 'ECDHE_RSA_WITH_AES_256_CBC_SHA', 'DHE_RSA_WITH_AES_128_CBC_SHA', 'DHE_RSA_WITH_AES_256_CBC_SHA', 'RSA_WITH_AES_128_CBC_SHA', 'RSA_WITH_AES_256_CBC_SHA', 'RSA_WITH_3DES_EDE_CBC_SHA'] compression_methods_length=0x1 compression_methods=['NULL'] extensions_length=0x1b5 extensions=[<TLSExtension type=padding length=0xef |<Raw load='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' |>>, <TLSExtension type=server_name length=0xe |<TLSExtServerNameIndication length=0xc server_names=[<TLSServerName type=host length=0x9 data='yandex.ru' |>] |>>, <TLSExtension type=extended_master_secret length=0x0 |>, <TLSExtension type=renegotiation_info length=0x1 |<TLSExtRenegotiationInfo length=0x0 |>>, <TLSExtension type=supported_groups length=0x14 |<TLSExtEllipticCurves length=0x12 elliptic_curves=['ecdh_x25519', 'secp256r1', 'secp384r1', 'secp521r1', 'ffdhe2048', 'ffdhe3072', 'ffdhe4096', 'ffdhe6144', 'ffdhe8192'] |>>, <TLSExtension type=ec_point_formats length=0x2 |<TLSExtECPointsFormat length=0x1 ec_point_formats=['uncompressed'] |>>, <TLSExtension type=SessionTicket_TLS length=0x0 |>, <TLSExtension type=application_layer_protocol_negotiation length=0x17 |<TLSExtALPN length=0x15 protocol_name_list=[<TLSALPNProtocol length=0x2 data='h2' |>, <TLSALPNProtocol length=0x8 data='spdy/3.1' |>, <TLSALPNProtocol length=0x8 data='http/1.1' |>] |>>, <TLSExtension type=status_request length=0x5 |<Raw load='\x01\x00\x00\x00\x00' |>>, <TLSExtension type=0x28 length=0x26 |<Raw load='\x00$\x00\x1d\x00 \x86\xd4G>\x04g@\xf3\x8f\xfdiv(\x91j\xedI\x08\x03\xc8\xd3\x0f\x8b\xf4\xd7kM\x07\xa7Jea' |>>, <TLSExtension type=0x2b length=0x9 |<Raw load='\x08\x7f\x12\x03\x03\x03\x02\x03\x01' |>>, <TLSExtension type=signature_algorithms length=0x20 |<TLSExtSignatureAndHashAlgorithm length=0x1e algs=[<TLSSignatureHashAlgorithm hash_alg=sha256 sig_alg=ecdsa |>, <TLSSignatureHashAlgorithm hash_alg=sha384 sig_alg=ecdsa |>, <TLSSignatureHashAlgorithm hash_alg=sha512 sig_alg=ecdsa |>, <TLSSignatureHashAlgorithm hash_alg=sha1 sig_alg=ecdsa |>, <TLSSignatureHashAlgorithm hash_alg=8 sig_alg=4 |>, <TLSSignatureHashAlgorithm hash_alg=8 sig_alg=5 |>, <TLSSignatureHashAlgorithm hash_alg=8 sig_alg=6 |>, <TLSSignatureHashAlgorithm hash_alg=sha256 sig_alg=rsa |>, <TLSSignatureHashAlgorithm hash_alg=sha384 sig_alg=rsa |>, <TLSSignatureHashAlgorithm hash_alg=sha512 sig_alg=rsa |>, <TLSSignatureHashAlgorithm hash_alg=sha1 sig_alg=rsa |>, <TLSSignatureHashAlgorithm hash_alg=sha256 sig_alg=dsa |>, <TLSSignatureHashAlgorithm hash_alg=sha384 sig_alg=dsa |>, <TLSSignatureHashAlgorithm hash_alg=sha512 sig_alg=dsa |>, <TLSSignatureHashAlgorithm hash_alg=sha1 sig_alg=dsa |>] |>>, <TLSExtension type=0x2d length=0x2 |<Raw load='\x01\x01' |>>] |>>>] |>>>>
```
Closing the issue as there's nothing for us to fix. Adding 3128 (typically plaintext prx or tunneled/upgraded tls sessions) might create conflicts with other layers and potentially have performance drawbacks.
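A pure-Python stand-in for the port-binding rule described in the reply, added here as an example (not scapy or scapy-ssl_tls code): a minimal TLS ClientHello check plus a dissect() helper that, like bind_layers(TCP, SSL, dport=...), only hands a payload to the TLS parser when its destination port is bound, with an optional content-based fallback for monitoring pipelines that cannot rely on ports. The sample record bytes, the port set and all function names are constructed assumptions.

```python
import struct

# Ports scapy-ssl_tls binds by default (per the reply). Dissection is driven by
# the port, so port 3128 traffic falls through to Raw unless bound explicitly.
DEFAULT_TLS_PORTS = frozenset({443, 4433})

def parse_client_hello(payload):
    """Return {'version', 'cipher_suites'} if payload is one complete TLS record
    carrying a ClientHello, else None. Validates record header (type 22, major 3),
    handshake header and body lengths up to the cipher-suite list. Constructed."""
    if len(payload) < 9:
        return None
    ctype, vmaj, vmin, rec_len = struct.unpack("!BBBH", payload[:5])
    if ctype != 0x16 or vmaj != 3 or vmin > 4:
        return None
    rec = payload[5:5 + rec_len]
    if len(rec) != rec_len or rec[0] != 0x01:       # handshake type 1 = ClientHello
        return None
    hs_len = int.from_bytes(rec[1:4], "big")
    body = rec[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 2 + 32 + 1:
        return None
    client_version = body[0:2].hex()
    pos = 2 + 32                                    # skip client_version + random
    sid_len = body[pos]
    pos += 1 + sid_len
    if pos + 2 > len(body):
        return None
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = body[pos:pos + cs_len]
    if len(suites) != cs_len or cs_len % 2:
        return None
    return {"version": client_version,
            "cipher_suites": [suites[i:i + 2].hex() for i in range(0, cs_len, 2)]}

def dissect(dport, payload, bound_ports=DEFAULT_TLS_PORTS, by_content=False):
    """Mimic port-based layer binding: try the TLS parser only when dport is
    bound (or when by_content=True, which inspects the bytes instead)."""
    if dport in bound_ports or by_content:
        parsed = parse_client_hello(payload)
        if parsed:
            return "TLS", parsed
    return "Raw", None

# Constructed ClientHello: TLS 1.2 client version, fixed 32-byte random, empty
# session id, two cipher suites (0xc02f, 0x002f), null compression.
_BODY = b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\x00\x04" + b"\xc0\x2f\x00\x2f" + b"\x01\x00"
_HS = b"\x01" + len(_BODY).to_bytes(3, "big") + _BODY
SAMPLE_CLIENT_HELLO = b"\x16\x03\x01" + len(_HS).to_bytes(2, "big") + _HS
```

dissect(3128, SAMPLE_CLIENT_HELLO) returns ("Raw", None) exactly as the reporter saw, while passing bound_ports={443, 4433, 3128} or by_content=True yields the parsed hello.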
TLS protocol is properly parsed for package no. 3 of file RSA_WITH_AES_128_CBC_SHA.pcap but not for my capture (Firefox talking TLS 1.2 to proxy).
For instance, the code

```python
from scapy.all import rdpcap   # scapy's pcap reader
rdpcap('583.pcap')[0].show()
```

shows TLS as raw bytes. However, I managed to forcefully parse the package:

I get output that looks good:

Probably TLS autodetection does not work while the `do_dissect()` method works fine. I use commit 628ff4ee2 installed with method 2 over gentoo'ish scapy-2.3.2 if it matters.

Attachment: 583.pcap.zip