Centos7 parses QUIC messages using pyshark

1: Environmental preparation

pyshark can be used to parse messages. If it is a common protocol such as HTTP and HTTPS, the normal version can also be done. However, if I want to parse a relatively new protocol, such as QUIC, I have to use a relatively new tshark version.

The environment for this practice is CentOS 7, and the tshark version installed is 3.2 3. The source code installation method is adopted

1. Download the installation package


2. Installation dependency

yum install cmake3 libpcap libgcrypt-devel glib2-devel qt-devel qt5-qtbase-devel qt5-linguist qt5-qtmultimedia-devel qt5-qtsvg-devel libcap-devel libcap-ng-devel gnutls-devel krb5-devel libxml2-devel lua-devel lz4-devel snappy-devel spandsp-devel libssh2-devel bcg729-devel libmaxminddb-devel sbc-devel libsmi-devel libnl3-devel libnghttp2-devel libssh-devel libpcap-devel c-ares-devel redhat-rpm-config rpm-build gtk+-devel gtk3-devel desktop-file-utils portaudio-devel rubygem-asciidoctor docbook5-style-xsl docbook-style-xsl systemd-devel gcc gcc-c++ flex bison doxygen gettext-devel libxslt cmake

3. Install wireshark from the source code

tar -xvf wireshark-3.2.3.tar.xz 
cd wireshark-3.2.3
cmake3 .
make -i -j 16 
make install

Note: during the installation process, do not paste and copy the above commands, especially when cmake3 is executed, the required libraries and dependencies will be checked, and a prompt of success or failure will be given at the end of cmake3

For example, I encountered many errors, but the prompt was also obvious

If all the above are successfully executed, check the tshark version

[root@g7j9z sbin]# tshark -v
Running as user "root" and group "root". This could be dangerous.
TShark (Wireshark) 3.2.3 (Git commit f39b50865a13)

Copyright 1998-2020 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.56.1, with zlib 1.2.7, with SMI 0.4.8, with c-ares 1.10.0, with Lua
5.1.4, with GnuTLS 3.3.29, with Gcrypt 1.5.3, with MIT Kerberos, with MaxMind DB
resolver, with nghttp2 1.33.0, without brotli, with LZ4, without Zstandard, with
Snappy, with libxml2 2.9.1.

Running on Linux 3.10.0-327.el7.x86_64, with Intel(R) Xeon(R) CPU E5-2630 v4 @
2.20GHz (with SSE4.2), with 322184 MB of physical memory, with locale
en_US.UTF-8, with libpcap version 1.5.3, with GnuTLS 3.3.29, with Gcrypt 1.5.3,
with zlib 1.2.7, binary plugins supported (0 loaded).

Built using gcc 4.8.5 20150623 (Red Hat 4.8.5-44).

4. Install pyshark

[root@g7j9z quicParas]# pip3 install pyshark
Collecting pyshark
  Downloading https://mirrors.zte.com.cn/pypi/packages/e5/96/ebc5fb6cd63242c6851acdfa8a0ac14fbaec2d6c53f6d64d0a5ca06cd1af/pyshark-0.4.3-py3-none-any.whl
Collecting py (from pyshark)
  Downloading https://mirrors.zte.com.cn/pypi/packages/67/32/6fe01cfc3d1a27c92fdbcdfc3f67856da8cbadf0dd9f2e18055202b2dc62/py-1.10.0-py2.py3-none-any.whl (97kB)
    100% |████████████████████████████████| 102kB 2.8MB/s
Collecting lxml (from pyshark)
  Downloading https://mirrors.zte.com.cn/pypi/packages/bd/78/56a7c88a57d0d14945472535d0df9fb4bbad7d34ede658ec7961635c790e/lxml-4.6.2-cp36-cp36m-manylinux1_x86_64.whl (5.5MB)
    100% |████████████████████████████████| 5.5MB 3.5MB/s
Installing collected packages: py, lxml, pyshark
Successfully installed lxml-4.6.2 py-1.10.0 pyshark-0.4.3

2: Parsing QUIC

The quic version parsed this time is Q023, and other versions of quic have not been tried

You can look at the message opened by wireshark first

The next step is to try to unpack with pyshark

1. Open the local pcap file

cap = pyshark.FileCapture('./gquic_q023.pcap')[0]

We only take the first packet of the message for experiment this time, and take the index 0

2. Locate the application layer of QUIC

We can first look at which properties and methods are supported

>>> cap = pyshark.FileCapture('./gquic_q023.pcap')[0]
>>> dir(cap)
['__bool__', '__class__', '__contains__', '__delattr__', '__dict__', '__dir__', '__doc__', '__eq__', '__format__', '__ge__', '__getattr__', '__getattribute__', '__getitem__', '__getstate__', '__gt__', '__hash__', '__init__', '__init_subclass__', '__le__', '__len__', '__lt__', '__module__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__setstate__', '__sizeof__', '__str__', '__subclasshook__', '__weakref__', '_packet_string', 'captured_length', 'eth', 'frame_info', 'get_multiple_layers', 'get_raw_packet', 'gquic', 'highest_layer', 'interface_captured', 'ip', 'layers', 'length', 'number', 'pretty_print', 'show', 'sniff_time', 'sniff_timestamp', 'transport_layer', 'udp']

There's a highest in it_ Layer is to locate to the application layer

We can print it

>>> cap.highest_layer

3. Obtain QUIC layer code stream


We can print the parsed QUIC field

For example, if we want to get the SNI field of QUIC, we can call it directly

>>> cap[cap.highest_layer].tag_sni

Next, let's look at a complete analysis code and its printing

import pyshark

# Open the stored capture file
cap = pyshark.FileCapture('./gquic_q023.pcap')[0]
print("*****************GQUIC LAYER PRINT*******************")
print("*****************GQUIC LAYER PRINT*******************")
print("QUIC SNI:",cap[cap.highest_layer].tag_sni)
[root@g7j9z quicParas]# python3 quicParac.py
*****************GQUIC LAYER PRINT*******************
Layer GQUIC:
        Public Flags: 0x0d
        .... ...1 = Version: Yes
        .... ..0. = Reset: No
        .... 11.. = CID Length: 8 Bytes (0x3)
        ..00 .... = Packet Number Length: 1 Byte (0x0)
        .0.. .... = Multipath: No
        0... .... = Reserved: 0x0
        CID: 10123107773473542882
        Version: Q023
        Packet Number: 1
        Message Authentication Hash: 020e7c2363fc8725a6caf935
        Private Flags: 0x01
        .... ...1 = Entropy: Yes
        .... ..0. = FEC Group: No
        .... .0.. = FEC: No
        0000 0... = Reserved: 0x00
        STREAM (Special Frame Type) Stream ID: 1, Type: CHLO (Client Hello)
        Frame Type: STREAM (Special Frame Type) (0xa0)
        1... .... = Stream: True
        .0.. .... = FIN: False
        ..1. .... = Data Length: 2 Bytes
        ...0 00.. = Offset Length: 0 Byte (0)
        .... ..00 = Stream Length: 1 Byte (0)
        Stream ID: 1 (Reserved for (G)QUIC handshake, crypto, config updates...)
        Data Length: 1300
        Tag: CHLO (Client Hello)
        Tag Number: 5
        Padding: 0000
        Tag/value: PAD (Padding) (l=1210)
        Tag Type: PAD (Padding)
        Tag offset end: 1210
        Tag length: 1210
        Tag/value: 2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d\xe2\x80\xa6
        Padding: 2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d\xe2\x80\xa6
        Server Name Indication: www.googleapis.com
        Version: Q023
        Common certificate sets: 0x399ff95340f7fec9
        Proof demand: X509
        Padding Length: 18
        Padding: 000000000000000000000000000000000000
        PADDING Length: 18
        Frame Type: PADDING (0x00)
        Tag/value: SNI (Server Name Indication) (l=18): www.googleapis.com
        Tag/value: VER (Version) (l=4): Q023
        Tag/value: CCS (Common Certificate Sets) (l=16)
        Tag/value: PDMD (Proof Demand) (l=4): X509
        Tag Type: SNI (Server Name Indication)
        Tag Type: VER (Version)
        Tag Type: CCS (Common Certificate Sets)
        Tag Type: PDMD (Proof Demand)
        Tag offset end: 1228
        Tag offset end: 1232
        Tag offset end: 1248
        Tag offset end: 1252
        Tag length: 18
        Tag length: 4
        Tag length: 16
        Tag length: 4
        Tag/value: 7777772e676f6f676c65617069732e636f6d
        Tag/value: 51303233
        Tag/value: 399ff95340f7fec97b26e9e7e45c71ff
        Tag/value: 58353039
        Common certificate sets: 0x7b26e9e7e45c71ff

*****************GQUIC LAYER PRINT*******************
QUIC SNI: www.googleapis.com

3: Summary

If you have used scapy, you can see whether it is very familiar with the above. The strength of pyshark is that you can call all the packet decoders built in tshark. This paper just takes pyshark as an example to unpack. Its purpose can be more than that. You can also use pyshark to sniff on the network interface. In addition, it should be noted that with the continuous updating of the protocol, since its decoding function depends on tshark, if it is necessary to parse a relatively new protocol, we need to upgrade tshark synchronously (provided that the new version supports parsing). After all, the technology is developing, and we should update it frequently.

Keywords: Python centos7 quic

Added by novice@work on Fri, 24 Dec 2021 11:49:41 +0200