私はpcapファイルからデータを抽出する必要がある作業を行っています。ファイルは次のようになります。
問題は、TLSでクライアントが提供する暗号スイートを見つけることです。私が探している暗号スイートが最初のClient Helloパケットにあることを知っていますが、暗号スイートを見つける方法は?
これが私が今まで持っているものです:
tshark -r assign1.pcap | grep "Client Hello"
ファイルは次のようになります。https://ufile.io/jsfjr
答え1
次のスイッチを使用すると、tshark
Client Helloハンドシェイクの詳細なリストを取得できます。
$ tshark -r assign2.pcap -Y ssl.handshake.ciphersuites -Vx | less
less
出力を検索すると、/Client Hello
次のセクションが見つかります。
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 246
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 242
Version: TLS 1.2 (0x0303)
Random
gmt_unix_time: Mar 17, 2068 11:26:39.000000000 EDT
random_bytes: 981fbf58a3116dd17c64b602e2809de75dac922eb559a0ba...
Session ID Length: 0
Cipher Suites Length: 108
Cipher Suites (54 suites)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
Cipher Suite: Unknown (0xcca9)
Cipher Suite: Unknown (0xcca8)
Cipher Suite: Unknown (0xccaa)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 (0x00ad)
Cipher Suite: TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 (0x00ab)
Cipher Suite: Unknown (0xccae)
Cipher Suite: Unknown (0xccad)
Cipher Suite: Unknown (0xccac)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_PSK_WITH_AES_256_GCM_SHA384 (0x00a9)
Cipher Suite: Unknown (0xccab)
Cipher Suite: TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 (0x00ac)
Cipher Suite: TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 (0x00aa)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_PSK_WITH_AES_128_GCM_SHA256 (0x00a8)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 (0xc038)
Cipher Suite: TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA (0xc036)
Cipher Suite: TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 (0x00b7)
Cipher Suite: TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 (0x00b3)
Cipher Suite: TLS_RSA_PSK_WITH_AES_256_CBC_SHA (0x0095)
Cipher Suite: TLS_DHE_PSK_WITH_AES_256_CBC_SHA (0x0091)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_PSK_WITH_AES_256_CBC_SHA384 (0x00af)
Cipher Suite: TLS_PSK_WITH_AES_256_CBC_SHA (0x008d)
Cipher Suite: TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 (0xc037)
Cipher Suite: TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA (0xc035)
Cipher Suite: TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 (0x00b6)
Cipher Suite: TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 (0x00b2)
Cipher Suite: TLS_RSA_PSK_WITH_AES_128_CBC_SHA (0x0094)
Cipher Suite: TLS_DHE_PSK_WITH_AES_128_CBC_SHA (0x0090)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_PSK_WITH_AES_128_CBC_SHA256 (0x00ae)
Cipher Suite: TLS_PSK_WITH_AES_128_CBC_SHA (0x008c)
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
Compression Methods Length: 1
...