The ssldump tool is not perfect, though. It can only produce text output, and that output mixes the SSL handshake records and application data of every connection in the capture.
This little tool, https://github.com/akozadaev/ssld-extract, can help extract a single SSL session from it. Example usage is provided below.
root@server:~/ssld-extract/# ssldump -n -r example1.pcap > example1.pcap.txt
root@server:~/ssld-extract/pp# python ssld-extract.py -c -n1 ~/ssld-extract/example1.pcap.txt
New TCP connection #1: 192.168.0.2(57122) <-> 72.26.232.202(443)
1 1 0.1946 (0.1946) C>S Handshake
ClientHello
Version 3.1
resume [32]=
7b 9a 08 2f 3f c0 5e 70 c8 9e b6 f8 61 a0 4e 9e
d9 84 07 e5 94 13 f8 e8 87 33 96 0d f4 a4 9f 6a
cipher suites
Unknown value 0xc00a
Unknown value 0xc014
Unknown value 0x88
Unknown value 0x87
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Unknown value 0xc012
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
...
compression methods
NULL
1 2 0.3973 (0.2027) S>C Handshake
ServerHello
Version 3.1
session_id[32]=
d4 65 5e b6 3d 33 88 8c bd 7e 56 65 13 71 9f 52
30 47 ea e1 c0 d6 1f 72 12 b9 2f 8f 6b 42 b2 68
cipherSuite TLS_RSA_WITH_RC4_128_SHA
compressionMethod NULL
1 3 0.3974 (0.0001) S>C Handshake
Certificate
1 4 0.3974 (0.0000) S>C Handshake
ServerHelloDone
1 5 0.4006 (0.0031) C>S Handshake
ClientKeyExchange
1 6 0.4006 (0.0000) C>S ChangeCipherSpec
1 7 0.4006 (0.0000) C>S Handshake
1 8 0.5794 (0.1788) S>C ChangeCipherSpec
1 9 0.5794 (0.0000) S>C Handshake
1 10 0.5814 (0.0019) C>S application_data
1 11 0.5819 (0.0004) C>S application_data
1 12 0.7806 (0.1987) S>C application_data
As you can see, it extracted the single connection, which is a huge help when you need to analyze a big tcpdump file.
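To show how such an extraction works on ssldump's text layout, here is an added Python example (written for this post, not the ssld-extract tool's own code). It assumes the format seen above: a "New TCP connection #N" header, record lines whose first field is the connection number, and indented detail lines that belong to the preceding record; the two-connection sample is constructed.

```python
import re

# Constructed sample: two interleaved connections in ssldump text output.
SAMPLE = """\
New TCP connection #1: 192.168.0.2(57122) <-> 72.26.232.202(443)
1 1  0.1946 (0.1946)  C>S  Handshake
      ClientHello
        Version 3.1
New TCP connection #2: 192.168.0.2(57123) <-> 72.26.232.202(443)
2 1  0.2001 (0.2001)  C>S  Handshake
      ClientHello
1 2  0.3973 (0.2027)  S>C  Handshake
      ServerHello
        cipherSuite         TLS_RSA_WITH_RC4_128_SHA
2 2  0.4100 (0.2099)  S>C  Handshake
      ServerHello
1 3  0.3974 (0.0001)  S>C  Handshake
      Certificate
"""

CONN_HEADER = re.compile(r"^New TCP connection #(\d+):\s*(.*)$")
# conn_no, record_no, time, (delta), direction C>S or S>C, then the record type
RECORD = re.compile(r"^(\d+)\s+(\d+)\s+[\d.]+\s+\([\d.]+\)\s+[CS]>[CS]\s+")


def list_connections(text):
    """Map connection number -> endpoint string from the 'New TCP connection' headers."""
    conns = {}
    for line in text.splitlines():
        m = CONN_HEADER.match(line)
        if m:
            conns[int(m.group(1))] = m.group(2).strip()
    return conns


def extract_connection(text, conn_no):
    """Return only the lines of ssldump output that belong to connection conn_no.
    Record lines carry their own connection number; indented detail lines
    (ClientHello, cipherSuite, hex dumps ...) belong to the most recent record,
    so we track which connection that record came from."""
    out = []
    current = None  # connection number of the record currently being read
    for line in text.splitlines():
        m = CONN_HEADER.match(line) or RECORD.match(line)
        if m:
            current = int(m.group(1))
            if current == conn_no:
                out.append(line)
            continue
        if current == conn_no:  # detail line of a record we are keeping
            out.append(line)
    return out
```

Running `extract_connection(SAMPLE, 1)` yields the header plus the eight lines of connection #1 and none of connection #2's, even though the two are interleaved in time order.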