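/// <summary>
/// Command-line entry point. Expects exactly two arguments: a command and a capture file path.
/// The only command handled here is <c>extract</c>: it reads the capture, groups packets into
/// TCP conversations, builds a TLS model for each one, decrypts application data when a master
/// secret is available for the session, and finally writes the collected features to a CSV file
/// next to the capture.
/// </summary>
/// <param name="args">
/// <c>args[0]</c> is the command, <c>args[1]</c> is the path of the capture file.
/// </param>
static void Main(string[] args)
{
    if (args.Length != 2)
    {
        PrintUsage();
        return;
    }

    var command = args[0];
    var filepath = args[1];

    // An unrecognised command used to fall through silently; show the usage text instead
    // so the operator can tell that nothing was processed.
    if (!String.Equals("extract", command, StringComparison.InvariantCultureIgnoreCase))
    {
        PrintUsage();
        return;
    }

    var modelContext = TlsConversationContext.CreateInMemory();
    var frameKeyProvider = new FrameKeyProvider();

    // Master secrets are looked up in a sibling file with the ".key" extension. That file and
    // everything derived from it (decrypted payloads) need the same access controls as the
    // capture itself. Without a key file the map is empty and no session gets decrypted.
    var keyFile = Path.ChangeExtension(filepath, "key");
    var secretMap = File.Exists(keyFile)
        ? TlsMasterSecretMap.LoadFromFile(keyFile)
        : new TlsMasterSecretMap();

    // Tag every packet with its flow key and a 1-based frame number.
    var packets = FastPcapFileReaderDevice.ReadAll(filepath)
        .Select((p, i) => (
            Key: frameKeyProvider.GetKey(p),
            Value: (Meta: new PacketMeta { Number = i + 1, Timestamp = p.Timestamp }, Packet: p)));

    var flows = packets.GroupBy(packet => packet.Key);
    var conversations = TcpStreamConversation.CreateConversations(
        flows.ToDictionary(x => x.Key, x => x.Select(y => y.Value)));

    // NOTE(review): nothing in this loop catches exceptions, so a single conversation that
    // fails to parse aborts the whole run before the CSV is written — confirm this is intended
    // for captures that contain non-TLS or truncated streams.
    foreach (var conversation in conversations)
    {
        var modelBuilder = new TlsConversationModelBuilder(modelContext);
        var decoderBuilder = new TlsDecoderBuilder();
        var processor = new TlsSessionProcessor(modelBuilder, decoderBuilder);
        processor.ProcessConversation(conversation);

        // The returned model was never used; the call is kept because it runs before
        // SaveChanges and may be what attaches the model to the context (not visible here).
        modelBuilder.ToModel();
        modelContext.SaveChanges();

        var tlsDecoder = decoderBuilder.ToDecoder();

        // The secret map is keyed by the client random rendered as a string.
        // NOTE(review): ClientRandom is presumably unset when the ClientHello was not
        // captured — verify that ByteArrayToString tolerates that.
        var masterSecret = secretMap.GetMasterSecret(ByteString.ByteArrayToString(tlsDecoder.ClientRandom));
        if (masterSecret != null)
        {
            tlsDecoder.MasterSecret = ByteString.StringToByteArray(masterSecret);
            var tlsSecurityParameters = TlsSecurityParameters.Create(
                tlsDecoder.ProtocolVersion,
                tlsDecoder.CipherSuite.ToString(),
                tlsDecoder.Compression);
            tlsDecoder.InitializeKeyBlock(tlsSecurityParameters);

            // USE TLS DECODER
            DumpConversationContent(tlsDecoder, conversation, processor.ClientDataRecords, processor.ServerDataRecords);
        }
    }

    CsvFeatureWriter.WriteCsv(Path.ChangeExtension(filepath, "csv"), modelContext);
}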
/// <summary>
/// Passes every application-data record of a conversation to <c>DumpApplicationData</c>,
/// first all client records with the client keys, then all server records with the server keys.
/// </summary>
/// <param name="tlsDecoder">Decoder whose key block supplies the per-direction keys.</param>
/// <param name="conversation">Conversation whose key is used to label each record.</param>
/// <param name="clientDataRecords">Application-data records sent by the client, in order.</param>
/// <param name="serverDataRecords">Application-data records sent by the server, in order.</param>
private static void DumpConversationContent(
    TlsDecoder tlsDecoder,
    TcpStreamConversation conversation,
    IEnumerable<TlsPacket.TlsApplicationData> clientDataRecords,
    IEnumerable<TlsPacket.TlsApplicationData> serverDataRecords)
{
    // Only '>' and ':' are replaced in the label. NOTE(review): if the label ends up in a file
    // name, confirm the conversation key cannot contain other path-significant characters.
    var rawKey = conversation.ConversationKey.ToString();
    var label = rawKey.Replace('>', '_').Replace(':', '_');

    // Sequence numbers are counted per direction and start at 1, over application-data records
    // only. Presumably 0 belongs to the encrypted Finished record — confirm. Any other protected
    // record in the stream (for example an alert) would shift the real TLS sequence number.
    var clientKeys = tlsDecoder.KeyBlock.GetClientKeys();
    int clientOrdinal = 0;
    foreach (var record in clientDataRecords)
    {
        clientOrdinal++;
        DumpApplicationData(tlsDecoder, clientKeys, record, (ulong)clientOrdinal, $"{label}-client-{clientOrdinal}");
    }

    var serverKeys = tlsDecoder.KeyBlock.GetServerKeys();
    int serverOrdinal = 0;
    foreach (var record in serverDataRecords)
    {
        serverOrdinal++;
        DumpApplicationData(tlsDecoder, serverKeys, record, (ulong)serverOrdinal, $"{label}-server-{serverOrdinal}");
    }
}
/// <summary>
/// Parses both directions of a TCP conversation as TLS and stores the records returned by
/// <c>ProcessRecords</c> in <c>ClientDataRecords</c> and <c>ServerDataRecords</c>.
/// </summary>
/// <param name="conversation">
/// Conversation to process; its <c>Upflow</c> is handled as client-to-server traffic and its
/// <c>Downflow</c> as server-to-client traffic.
/// </param>
/// <remarks>
/// The input is captured network data and nothing is caught here: any exception raised by
/// <c>ParseTlsPacket</c> or <c>ProcessRecords</c> propagates to the caller.
/// </remarks>
public void ProcessConversation(TcpStreamConversation conversation)
{
    // Every registered builder is told which flow the following records belong to.
    foreach (var registeredBuilder in m_builders)
    {
        registeredBuilder.SetFlowKey(conversation.ConversationKey);
    }

    // Client side first; the result is materialised before the server side is touched.
    var upstream = conversation.Upflow;
    ClientDataRecords = ProcessRecords(
        ParseTlsPacket(new KaitaiStream(upstream)),
        TlsDirection.ClientServer,
        upstream).ToList();

    var downstream = conversation.Downflow;
    ServerDataRecords = ProcessRecords(
        ParseTlsPacket(new KaitaiStream(downstream)),
        TlsDirection.ServerClient,
        downstream).ToList();
}