Added basic parsing for TLS messages

Author: shadowy-pycoder

Makefile

@@ -1,19 +1,24 @@
-APP_NAME?=mshark
+APP_NAME=mshark
 
 all: build
 
+.PHONY: build
 build: 
 	CGO_ENABLED=0 go build -ldflags "-s -w" -trimpath -o ./bin/${APP_NAME} ./cmd/${APP_NAME}/*.go
 
+.PHONY: setcap
 setcap:
 	sudo setcap cap_net_raw+ep ./bin/${APP_NAME}
 
+.PHONY: create
 create:
 	go test -c -race && sudo setcap cap_net_raw+ep mshark.test
 
+.PHONY: bench
 bench: create
 	./mshark.test -test.bench=. -test.benchmem -test.run=^$$ -test.benchtime 1000x \
 	-test.cpuprofile='cpu.prof' -test.memprofile='mem.prof'
 
-clear:
+.PHONY: clean
+clean:
 	rm -v *.txt *.pcap*

layers/dns.go

@@ -200,7 +200,7 @@ func (d *DNSMessage) String() string {
 		d.ANCount,
 		d.NSCount,
 		d.ARCount,
-		d.rrecords(),
+		d.printRecords(),
 	)
 }
 
@@ -272,7 +272,7 @@ func (d *DNSMessage) NextLayer() (string, []byte) {
 	return "", nil
 }
 
-func (d *DNSMessage) rrecords() string {
+func (d *DNSMessage) printRecords() string {
 	var sb strings.Builder
 	if d.QDCount > 0 {
 		sb.WriteString("- Queries:\n")

layers/http.go

@@ -22,7 +22,7 @@ func (h *HTTPMessage) Summary() string {
 }
 
 func (h *HTTPMessage) ellipsify() {
-	h.summary = ellipsis
+	h.summary = contdata
 	h.data = ellipsis
 }
 

layers/layers.go

@@ -31,6 +31,7 @@ var (
 	dcrlf    = []byte("\r\n\r\n")
 	proto    = []byte("HTTP/1.1")
 	ellipsis = []byte("...")
+	contdata = []byte("Continuation data")
 )
 
 type Layer interface {

layers/tls.go

@@ -1,21 +1,214 @@
 package layers
 
-import "fmt"
+import (
+	"encoding/binary"
+	"fmt"
+	"strings"
+)
+
+type Record struct {
+	ContentType     uint8
+	ContentTypeDesc string
+	Version         uint16
+	VersionDesc     string
+	Length          uint16
+	data            []byte
+}
+
+func (r *Record) String() string {
+	return fmt.Sprintf(` - Content Type: %s (%d)
+ - Version: %s (%#04x)
+ - Length: %d`,
+		r.ContentTypeDesc,
+		r.ContentType,
+		r.VersionDesc,
+		r.Version,
+		r.Length)
+}
 
 // port 443
-type TLSMessage struct{}
+// https://tls12.xargs.org/#client-hello/annotated
+// https://tls13.xargs.org/#client-hello/annotated
+// https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-5
+type TLSMessage struct {
+	Records []*Record
+	Data    []byte
+}
+
+func (t *TLSMessage) String() string {
+	return fmt.Sprintf(`%s
+%s- Data: %d bytes
+`, t.Summary(), t.printRecords(), len(t.Data))
+}
 
-func (s *TLSMessage) String() string {
-	return fmt.Sprintf(`%s`, s.Summary())
+func (t *TLSMessage) Summary() string {
+	var sb strings.Builder
+	sb.WriteString("TLS Message: ")
+	if len(t.Records) == 0 {
+		sb.WriteString(fmt.Sprintf("Ignored unknown record Len: %d", len(t.Data)))
+	} else {
+		for i, rec := range t.Records {
+			if sb.Len() > 100 {
+				return sb.String()[:100] + string(ellipsis)
+			}
+			if i > 0 {
+				sb.WriteString(fmt.Sprintf("%s (%d) Len: %d ", rec.ContentTypeDesc, rec.ContentType, rec.Length))
+				continue
+			}
+			sb.WriteString(fmt.Sprintf("%s (%#04x) ", rec.VersionDesc, rec.Version))
+			if rec.ContentType == 22 {
+				hstd := hstypedesc(rec.data[0])
+				sb.WriteString(fmt.Sprintf("%s ", hstd))
+			}
+			sb.WriteString(fmt.Sprintf("%s (%d) Len: %d ",
+				rec.ContentTypeDesc,
+				rec.ContentType,
+				rec.Length))
+		}
+	}
+	return sb.String()
 }
 
-func (s *TLSMessage) Summary() string {
-	return fmt.Sprint("TLS Message:")
+func (t *TLSMessage) printRecords() string {
+	var sb strings.Builder
+
+	for _, rec := range t.Records {
+		sb.WriteString(fmt.Sprintf("- %s:\n%s\n", rec.ContentTypeDesc, rec))
+	}
+	return sb.String()
 }
+
 func (t *TLSMessage) Parse(data []byte) error {
+	t.Records = make([]*Record, 0, 5)
+	for len(data) > 0 {
+		ctype := data[0]
+		ctdesc := ctdesc(ctype)
+		if ctdesc == "Unknown" {
+			break
+		}
+		ver := binary.BigEndian.Uint16(data[1:3])
+		verdesc := verdesc(ver)
+		if verdesc == "Unknown" {
+			break
+		}
+		rlen := binary.BigEndian.Uint16(data[3:5])
+		if 5+rlen > uint16(len(data)) {
+			break
+		}
+		r := &Record{
+			ContentType:     ctype,
+			ContentTypeDesc: ctdesc,
+			Version:         ver,
+			VersionDesc:     verdesc,
+			Length:          rlen,
+			data:            data[5 : 5+rlen],
+		}
+		t.Records = append(t.Records, r)
+		data = data[5+rlen:]
+	}
+	t.Data = data
 	return nil
 }
 
 func (t *TLSMessage) NextLayer() (string, []byte) {
 	return "", nil
 }
+
+func ctdesc(ct uint8) string {
+	// https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-5
+	var ctdesc string
+	switch ct {
+	case 20:
+		ctdesc = "Change Cipher Spec"
+	case 21:
+		ctdesc = "Alert"
+	case 22:
+		ctdesc = "Handshake"
+	case 23:
+		ctdesc = "Application Data"
+	case 24:
+		ctdesc = "Heartbeat"
+	case 25:
+		ctdesc = "tls12_cid"
+	case 26:
+		ctdesc = "ACK"
+	default:
+		ctdesc = "Unknown"
+	}
+	return ctdesc
+}
+
+func verdesc(ver uint16) string {
+	var verdesc string
+	switch ver {
+	case 0x0300:
+		verdesc = "SSL 3.0"
+	case 0x0301:
+		verdesc = "TLS 1.0"
+	case 0x0302:
+		verdesc = "TLS 1.1"
+	case 0x0303:
+		verdesc = "TLS 1.2"
+	default:
+		verdesc = "Unknown"
+	}
+	return verdesc
+}
+
+func hstypedesc(hstype uint8) string {
+	// https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-7
+	var hstypedesc string
+	switch hstype {
+	case 0:
+		hstypedesc = "Hello request"
+	case 1:
+		hstypedesc = "Client hello"
+	case 2:
+		hstypedesc = "Server hello"
+	case 3:
+		hstypedesc = "Hello verify request"
+	case 4:
+		hstypedesc = "New session ticket"
+	case 5:
+		hstypedesc = "End of early data"
+	case 6:
+		hstypedesc = "Hello retry request"
+	case 8:
+		hstypedesc = "Encrypted extensions"
+	case 9:
+		hstypedesc = "Request connection id"
+	case 10:
+		hstypedesc = "New connection id"
+	case 11:
+		hstypedesc = "Certificate"
+	case 12:
+		hstypedesc = "Server key exchange"
+	case 13:
+		hstypedesc = "Certificate request"
+	case 14:
+		hstypedesc = "Server hello done"
+	case 15:
+		hstypedesc = "Certificate verify"
+	case 16:
+		hstypedesc = "Client key exchange"
+	case 17:
+		hstypedesc = "Client certificate request"
+	case 20:
+		hstypedesc = "Finished"
+	case 21:
+		hstypedesc = "Certificate url"
+	case 22:
+		hstypedesc = "Certificate status"
+	case 23:
+		hstypedesc = "Supplemental data"
+	case 24:
+		hstypedesc = "Key update"
+	case 25:
+		hstypedesc = "Compressed certificate"
+	case 26:
+		hstypedesc = "EKT key"
+	default:
+		hstypedesc = "Unknown"
+	}
+	return hstypedesc
+}

mshark.go

@@ -86,7 +86,7 @@ func (mw *Writer) WritePacket(timestamp time.Time, data []byte) error {
 	mw.printPacket(next, layerNum)
 	for {
 		name, data := next.NextLayer()
-		if name == "" || len(data) == 0 {
+		if name == "" || data == nil || len(data) == 0 {
 			return nil
 		}
 		next = layers.LayerMap[name]