I am trying to extract TLS meta-data from a pcap using Scapy. I am able to successfully parse the packets and individual messages such as the client-hello, server-hello etc. and their fields. What I am having trouble with is when the TLS record is spread across multiple TCP packets/segments. This happens mostly for large TLS messages, such as application data, or when the server sends multiple TLS messages (server hello, certificate, etc.) in one TLS frame. In such cases, Scapy says it has the TLS/SSLv2 layer, but I am unable to extract any meaningful information from such frames.

When I look at the same pcap in Wireshark, Wireshark displays "Reassembled TCP segments (T bytes): #X (x), #Y (y), #Z (z)", where T is the combined total, X, Y, Z are frame-ids and x, y, z are the number of bytes in each frame that contributed to the total T. Wireshark is reassembling the entire TLS payload before it parses the TLS frame.

I have something like this in my code:

```python
if pkt.haslayer(TCP) and pkt.haslayer(TLS):
    ...
elif pkt.haslayer(TCP) and pkt.haslayer(SSLv2):
    ...
```

When it encounters a partial TLS packet, the code always falls through to the SSLv2 branch. Is there a way for me to accurately identify a packet as a partial TLS segment, accumulate, and then process the complete TLS frame similar to Wireshark? If so, how do I go about it?


Not sure if there is a better solution, but here's what I did to get around my problem. The accumulated frame sizes seem to agree with what Wireshark does when it reassembles a TLS frame from multiple packets.

Note: This solution assumes there are no misordered packets or duplicates. Also, the solution shown here is not complete. The code below only shows how to accumulate TLS frames when they span multiple IP packets for a single TCP stream. Please follow Janus's suggestion (mentioned in the comments below) or come up with your own solution to accumulate the different streams.

```python
# tls frame accumulation related variables.
pkt_payload_len = (pkt.len - ip_tcp_hdr_overhead)
tls_leftover_len = (tls_leftover_len - pkt_payload_len)
tls_leftover_len = (pkt.
```