tshark log tracing & analysis: SSL

Log file name: ssldebug.log

 

Launch command:

tshark -o "ssl.desegment_ssl_records:TRUE" -o "ssl.desegment_ssl_application_data:TRUE" -o "ssl.keys_list:10.21.17.209,7443,http,c:/temp/kestore-export.key" -o "ssl.debug_file:ssldebug.log" -i \Device\NPF_{880A3C4D-6417-486D-8119-9176F1BE32D3} -V  > 3.txt

 

16:59:42 dissect_ssl enter frame #1110 (first time)
16:59:42 association_find: TCP port 53175 found 00000000
16:59:42 packet_from_server: is from server - FALSE
16:59:42   conversation = 0BC57D10, ssl_session = 0BC582D0
16:59:42   record: offset = 0, reported_length_remaining = 180
16:59:42 dissect_ssl3_record: coming
16:59:42 dissect_ssl3_record: content_type 22 Handshake
16:59:42 SSL_ID_HANDSHAKE [22].
16:59:42 Calculating hash with offset 5 175
16:59:42 decrypt_ssl3_record: app_data len 175, ssl state 0x00
16:59:42 association_find: TCP port 53175 found 00000000
16:59:42 packet_from_server: is from server - FALSE
16:59:42 decrypt_ssl3_record: using client decoder
16:59:42 decrypt_ssl3_record: no decoder available
16:59:42 dissect_ssl3_handshake iteration 1 type 1 offset 5 length 171 bytes, remaining 180
16:59:42 ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

Note: dissect_ssl3_record: content_type 22 Handshake
      dissect_ssl3_handshake iteration 1 type 1 offset 5 length 171 bytes, remaining 180
      Here type 1 is the Client Hello handshake message type.

16:59:42 dissect_ssl enter frame #1112 (first time)
16:59:42 packet_from_server: is from server - TRUE
16:59:42   conversation = 0BC57D10, ssl_session = 0BC582D0
16:59:42   record: offset = 0, reported_length_remaining = 985
16:59:42 dissect_ssl3_record: coming
16:59:42 dissect_ssl3_record found version 0x0303(TLS 1.2) -> state 0x91
16:59:42 dissect_ssl3_record: content_type 22 Handshake
16:59:42 SSL_ID_HANDSHAKE [22].
16:59:42 Calculating hash with offset 5 980
16:59:42 decrypt_ssl3_record: app_data len 980, ssl state 0x91
16:59:42 packet_from_server: is from server - TRUE
16:59:42 decrypt_ssl3_record: using server decoder
16:59:42 decrypt_ssl3_record: no decoder available
16:59:42 dissect_ssl3_handshake iteration 1 type 2 offset 5 length 81 bytes, remaining 985
16:59:42 ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x93
16:59:42 ssl_dissect_hnd_srv_hello found CIPHER 0x009C TLS_RSA_WITH_AES_128_GCM_SHA256 -> state 0x97
16:59:42 dissect_ssl3_handshake iteration 0 type 11 offset 90 length 887 bytes, remaining 985
lookup(KeyID)[20]:
| c8 7d 66 f3 04 f1 d4 74 68 ed 06 d6 46 d8 17 5e |.}f....th...F..^|
| 72 60 55 b7                                     |r`U.            |
16:59:42 ssl_find_private_key_by_pubkey: lookup result: 0A02E850
16:59:42 dissect_ssl3_handshake iteration 0 type 14 offset 981 length 0 bytes, remaining 985
16:59:42

Note: dissect_ssl3_record: content_type 22 Handshake
      dissect_ssl3_handshake iteration 1 type 2 offset 5 length 81 bytes, remaining 985
      dissect_ssl3_handshake iteration 0 type 11 offset 90 length 887 bytes, remaining 985
      dissect_ssl3_handshake iteration 0 type 14 offset 981 length 0 bytes, remaining 985
      Here type 2 is the Server Hello message type, type 11 is SSL_HND_CERTIFICATE, and type 14 is SSL_HND_SVR_HELLO_DONE.
      dissect_ssl3_handshake contains a while loop that parses the corresponding messages by data offset, so it handles type 2, 11 and 14 one after another.

16:59:42 dissect_ssl enter frame #1114 (first time)
16:59:42 packet_from_server: is from server - FALSE
16:59:42   conversation = 0BC57D10, ssl_session = 0BC582D0
16:59:42   record: offset = 0, reported_length_remaining = 318
16:59:42 dissect_ssl3_record: coming
16:59:42 dissect_ssl3_record: content_type 22 Handshake
16:59:42 SSL_ID_HANDSHAKE [22].
16:59:42 Calculating hash with offset 5 262
16:59:42 decrypt_ssl3_record: app_data len 262, ssl state 0x397
16:59:42 packet_from_server: is from server - FALSE
16:59:42 decrypt_ssl3_record: using client decoder
16:59:42 decrypt_ssl3_record: no decoder available
16:59:42 dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267
16:59:42 ssl_dissect_hnd_cli_keyex can't session->cipher [156]
Note: type 16 is SSL_HND_CLIENT_KEY_EXCHG
16:59:42 ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 397
16:59:42 ssl_restore_master_key can't find pre-master secret by Unencrypted pre-master secret
pre master encrypted[256]:
16:59:42 ssl_decrypt_pre_master_secret: RSA_private_decrypt
decrypted_unstrip_pre_master[255]:
16:59:42 pcry_private_decrypt: stripping 207 bytes, decr_len 255
pre master secret[48]:
Note: the while loop in dissect_ssl reads from the tvbuff several times; content_type 20 Change Cipher Spec
          Corresponding code: ssl_debug_printf("  record: offset = %d, reported_length_remaining = %d\n", offset, tvb_reported_length_remaining(tvb, offset));
16:59:42   record: offset = 267, reported_length_remaining = 51
16:59:42 dissect_ssl3_record: coming
16:59:42 dissect_ssl3_record: content_type 20 Change Cipher Spec
16:59:42 SSL_ID_CHG_CIPHER_SPEC Change Cipher Spec [20].
16:59:42 ssl_finalize_decryption state = 0x3D7
16:59:42 ssl_generate_keyring_material:PRF(pre_master_secret_extended)
pre master secret[48]:
16:59:42 tls12_prf: tls_hash(hash_alg SHA256 secret_len 48 seed_len 54 )
tls_hash: hash secret[48]:
tls_hash: hash seed[54]:
hash out[48]:
PRF out[48]:
master secret[48]:
16:59:42 ssl_generate_keyring_material sess key generation
16:59:42 tls12_prf: tls_hash(hash_alg SHA256 secret_len 48 seed_len 77 )
tls_hash: hash secret[48]:
tls_hash: hash seed[77]:
hash out[104]:
PRF out[104]:
key expansion[104]:
Client Write key[16]:
Server Write key[16]:
Client Write IV[4]:
Server Write IV[4]:
16:59:42 ssl_generate_keyring_material ssl_create_decoder(client)
16:59:42 ssl_create_decoder CIPHER: AES
16:59:42 decoder initialized (digest len 32)
16:59:42 ssl_generate_keyring_material ssl_create_decoder(server)
16:59:42 ssl_create_decoder CIPHER: AES
16:59:42 decoder initialized (digest len 32)
16:59:42 ssl_generate_keyring_material: client seq 0, server seq 0
16:59:42 ssl_save_master_key inserted (pre-)master secret for Client Random
stored key[32]:
stored (pre-)master secret[48]:
16:59:42 ssl_save_master_key inserted (pre-)master secret for Session ID
stored key[32]:
stored (pre-)master secret[48]:
16:59:42 packet_from_server: is from server - FALSE
16:59:42 ssl_change_cipher CLIENT
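The lines from ssl_finalize_decryption to ssl_create_decoder above are the TLS 1.2 key derivation. The seed_len 54 of the first tls12_prf call is the 22-byte label "extended master secret" plus a 32-byte SHA-256 session hash (RFC 7627), the seed_len 77 of the second is the 13-byte label "key expansion" plus the two 32-byte randoms, and the 104-byte key expansion is 2*32 (the "digest len 32" MAC slots) + 2*16 write keys + 2*4 implicit GCM IVs. The 48-byte pre-master secret comes from the 255-byte RSA output after 207 bytes of PKCS#1 v1.5 padding are stripped (255 - 207 = 48). The following is an added example reproducing that derivation in Python with the standard library; it is not Wireshark's code. The sample secret, session hash and randoms are constructed, and the 32-byte MAC slots are sized to match the lengths this log reports rather than the zero-length AEAD MAC keys of RFC 5246.

```python
"""TLS 1.2 key derivation as traced in the ssl.debug_file (added example, not Wireshark code)."""
import hashlib
import hmac

# Sizes the log reports for TLS_RSA_WITH_AES_128_GCM_SHA256 (assumed from the log lines):
MAC_LEN = 32   # "decoder initialized (digest len 32)": 2*32 bytes reserved in the key block
KEY_LEN = 16   # "Client Write key[16]" / "Server Write key[16]"
IV_LEN = 4     # "Client Write IV[4]" / "Server Write IV[4]" (implicit part of the GCM nonce)
KEY_BLOCK_LEN = 2 * MAC_LEN + 2 * KEY_LEN + 2 * IV_LEN   # 104 == "key expansion[104]"


def p_sha256(secret, seed, length):
    """P_SHA256 from RFC 5246 section 5: an HMAC chain that produces `length` bytes."""
    out = b""
    a = seed                                                         # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()             # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()   # HMAC(secret, A(i) + seed)
    return out[:length]


def tls12_prf(secret, label, seed, length):
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed); the log calls this tls12_prf."""
    return p_sha256(secret, label + seed, length)


def strip_pkcs1_premaster(decrypted):
    """Remove PKCS#1 v1.5 type-2 padding from the RSA-decrypted block (leading 0x00 already gone):
    0x02, non-zero padding bytes, 0x00, then the 48-byte pre-master secret.
    The log reports this step as 'stripping 207 bytes, decr_len 255'."""
    if not decrypted or decrypted[0] != 0x02:
        raise ValueError("not a PKCS#1 v1.5 type-2 block")
    sep = decrypted.index(b"\x00", 1)
    pms = decrypted[sep + 1:]
    if len(pms) != 48:
        raise ValueError("pre-master secret must be 48 bytes")
    return pms


def derive_master_secret_ems(pre_master, session_hash):
    """RFC 7627 extended master secret. Seed = 'extended master secret' (22 bytes) +
    session_hash (32 bytes) = 54 bytes, the seed_len 54 in the first tls12_prf line."""
    assert len(pre_master) == 48 and len(session_hash) == 32
    return tls12_prf(pre_master, b"extended master secret", session_hash, 48)


def derive_key_block(master_secret, client_random, server_random):
    """'key expansion' seed = label (13) + server_random (32) + client_random (32) = 77 bytes."""
    assert len(master_secret) == 48
    return tls12_prf(master_secret, b"key expansion", server_random + client_random, KEY_BLOCK_LEN)


def split_key_block(key_block):
    """RFC 5246 6.3 order: client MAC, server MAC, client key, server key, client IV, server IV."""
    names = ["client_mac", "server_mac", "client_write_key", "server_write_key",
             "client_write_iv", "server_write_iv"]
    sizes = [MAC_LEN, MAC_LEN, KEY_LEN, KEY_LEN, IV_LEN, IV_LEN]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = key_block[pos:pos + size]
        pos += size
    return keys


def derive_session_keys(pre_master, session_hash, client_random, server_random):
    """Master secret plus the split key block, the material ssl_create_decoder consumes."""
    master = derive_master_secret_ems(pre_master, session_hash)
    return master, split_key_block(derive_key_block(master, client_random, server_random))


if __name__ == "__main__":
    # Constructed sample values, not taken from the capture.
    pms = b"\x03\x03" + bytes(range(46))                 # client version prefix + 46 filler bytes
    sh = hashlib.sha256(b"constructed session hash").digest()
    cr, sr = bytes([0xAA]) * 32, bytes([0xBB]) * 32
    master, keys = derive_session_keys(pms, sh, cr, sr)
    print("master secret[48]:", master.hex())
    for name, value in keys.items():
        print(f"{name}[{len(value)}]:", value.hex())
```

The hash out[48] / PRF out[48] lines in the log are the first P_SHA256 output truncated to 48 bytes; the 104-byte key block needs four HMAC rounds (4*32 = 128, cut to 104).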
Note: the while loop in dissect_ssl reads from the tvbuff several times; content_type 22 Handshake
          dissect_ssl3_handshake iteration 1 type 20 corresponds to SSL_HND_FINISHED
16:59:42   record: offset = 273, reported_length_remaining = 45
16:59:42 dissect_ssl3_record: coming
16:59:42 dissect_ssl3_record: content_type 22 Handshake
16:59:42 SSL_ID_HANDSHAKE [22].
16:59:42 decrypt_ssl3_record: app_data len 40, ssl state 0x3BF
16:59:42 packet_from_server: is from server - FALSE
16:59:42 decrypt_ssl3_record: using client decoder
16:59:42 ssl_decrypt_record ciphertext len 40
Ciphertext[40]:
16:59:42 ssl_decrypt_record: allocating 72 bytes for decrypt data (old len 32)
Plaintext[32]:
16:59:42 dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16
16:59:42 dissect_ssl enter frame #1115 (first time)
16:59:42 packet_from_server: is from server - TRUE
16:59:42   conversation = 0BC57D10, ssl_session = 0BC582D0
16:59:42   record: offset = 0, reported_length_remaining = 6
16:59:42 dissect_ssl3_record: coming
16:59:42 dissect_ssl3_record: content_type 20 Change Cipher Spec
16:59:42 SSL_ID_CHG_CIPHER_SPEC Change Cipher Spec [20].
16:59:42 ssl_dissect_change_cipher_spec Not using Session resumption
16:59:42 ssl_finalize_decryption state = 0x3BF
16:59:42   session key already available, nothing to do.
16:59:42 packet_from_server: is from server - TRUE
16:59:42 ssl_change_cipher SERVER
16:59:42
Note: dissect_ssl3_record: content_type 20 Change Cipher Spec corresponds to the Change Cipher Spec message
      The server sends Change Cipher Spec

dissect_ssl enter frame #1117 (first time)
17:49:28 packet_from_server: is from server - TRUE
17:49:28   conversation = 0C308D10, ssl_session = 0C3092D0
17:49:28   record: offset = 0, reported_length_remaining = 45
17:49:28 dissect_ssl3_record: coming
17:49:28 dissect_ssl3_record: content_type 22 Handshake
17:49:28 SSL_ID_HANDSHAKE [22].
17:49:28 decrypt_ssl3_record: app_data len 40, ssl state 0x3BF
17:49:28 packet_from_server: is from server - TRUE
17:49:28 decrypt_ssl3_record: using server decoder
17:49:28 ssl_decrypt_record ciphertext len 40
Ciphertext[40]:
| 00 00 00 00 00 00 00 00 25 41 3b 0e e8 e5 55 47 |........%A;...UG|
| 01 fa f5 8d 1e 65 4a ab f8 0e d7 45 e9 8d a7 a6 |.....eJ....E....|
| 3a c4 5f b3 d1 50 c7 8e                         |:._..P..        |
Plaintext[32]:
| 14 00 00 0c bf fd 3b ce bc 42 63 63 bb 9c c0 c2 |......;..Bcc....|
| 3f 92 35 b4 56 22 de 03 73 0f 02 be 95 35 31 16 |?.5.V"..s....51.|
17:49:28 dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16 

Note: the Finished message coming from the server

 

17:49:28 dissect_ssl enter frame #1119 (first time)
17:49:28 packet_from_server: is from server - FALSE
17:49:28   conversation = 0C308D10, ssl_session = 0C3092D0
17:49:28   record: offset = 0, reported_length_remaining = 402
17:49:28 dissect_ssl3_record: coming
17:49:28 dissect_ssl3_record: content_type 23 Application Data
17:49:28 SSL_ID_APP_DATA [23].
17:49:28 decrypt_ssl3_record: app_data len 397, ssl state 0x3BF
17:49:28 packet_from_server: is from server - FALSE
17:49:28 decrypt_ssl3_record: using client decoder
17:49:28 ssl_decrypt_record ciphertext len 397
Ciphertext[397]:
17:49:28 ssl_decrypt_record: allocating 429 bytes for decrypt data (old len 72)
Plaintext[389]:
| 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a |GET / HTTP/1.1..|
| 48 6f 73 74 3a 20 31 30 2e 32 31 2e 31 37 2e 32 |Host: 10.21.17.2|
..........
17:49:28 ssl_add_data_info: new data inserted data_len = 373, seq = 0, nxtseq = 373
17:49:28 association_find: TCP port 53175 found 00000000
17:49:28 association_find: TCP port 7443 found 0AC73F00
17:49:28 dissect_ssl3_record decrypted len 373
17:49:28 process_ssl_payload: found handle 09577E30 (http)
17:49:28 packet_from_server: is from server - FALSE

Note: the HTTP request sent by the client, "GET / HTTP/1.1."; content_type 23 Application Data

17:49:28 dissect_ssl enter frame #1120 (first time)
17:49:28 packet_from_server: is from server - TRUE
17:49:28   conversation = 0C308D10, ssl_session = 0C3092D0
17:49:28   record: offset = 0, reported_length_remaining = 179
17:49:28 dissect_ssl3_record: coming
17:49:28 dissect_ssl3_record: content_type 23 Application Data
17:49:28 SSL_ID_APP_DATA [23].
17:49:28 decrypt_ssl3_record: app_data len 174, ssl state 0x3BF
17:49:28 packet_from_server: is from server - TRUE
17:49:28 decrypt_ssl3_record: using server decoder
17:49:28 ssl_decrypt_record ciphertext len 174
Ciphertext[174]:
Plaintext[166]:
| 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d |HTTP/1.1 200 OK.|
17:49:28 ssl_add_data_info: new data inserted data_len = 150, seq = 0, nxtseq = 150
17:49:28 dissect_ssl3_record decrypted len 150

Note: the response header returned by the server, "HTTP/1.1 200 OK."; content_type 23 Application Data

17:49:28 dissect_ssl enter frame #1131 (first time)
17:49:28 packet_from_server: is from server - TRUE
17:49:28   conversation = 0C308D10, ssl_session = 0C3092D0
17:49:28   record: offset = 0, reported_length_remaining = 3067
17:49:28 dissect_ssl3_record: coming
17:49:28 dissect_ssl3_record: content_type 23 Application Data
17:49:28 SSL_ID_APP_DATA [23].
17:49:28 decrypt_ssl3_record: app_data len 3062, ssl state 0x3BF
17:49:28 packet_from_server: is from server - TRUE
17:49:28 decrypt_ssl3_record: using server decoder
17:49:28 ssl_decrypt_record ciphertext len 3062
Ciphertext[3062]:
Plaintext[3054]:
17:49:28 ssl_add_data_info: new data inserted data_len = 3038, seq = 8355, nxtseq = 11393
17:49:28 dissect_ssl3_record decrypted len 3038

Note: when the amount of data is large, it is parsed in several passes.


Because the cap file was opened several times, the timestamps do not line up; this is normal.
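The notes above map the dissector's content_type and handshake type numbers to message names and use the "no decoder available" / "Plaintext[...]" lines to tell whether decryption worked. The following added example (not part of the original post, and not Wireshark code) turns that reading into a small Python parser for an ssl.debug_file: it groups lines by "dissect_ssl enter frame", records direction, content types, handshake types and the cipher, and classifies each frame as cleartext, decrypted, or application data the dissector could not decrypt. The sample log embedded below is an abridged copy of the lines from this page plus one constructed frame (#9999) showing what a missing or mismatched ssl.keys_list entry looks like.

```python
"""Summarise a Wireshark/tshark ssl.debug_file per frame (added example, not Wireshark code)."""
import re

# Handshake message types as they appear in "dissect_ssl3_handshake iteration N type T"
HANDSHAKE_TYPES = {
    1: "ClientHello", 2: "ServerHello", 11: "Certificate",
    14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished",
}
# Record-layer content types as they appear in "dissect_ssl3_record: content_type T"
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}

FRAME_RE = re.compile(r"dissect_ssl enter frame #(\d+)")
DIR_RE = re.compile(r"packet_from_server: is from server - (TRUE|FALSE)")
CT_RE = re.compile(r"dissect_ssl3_record: content_type (\d+)")
HS_RE = re.compile(r"dissect_ssl3_handshake iteration \d+ type (\d+) offset")
CIPHER_RE = re.compile(r"found CIPHER 0x[0-9A-Fa-f]+ (\S+)")
PLAIN_RE = re.compile(r"^Plaintext\[(\d+)\]:")
NO_DECODER = "decrypt_ssl3_record: no decoder available"


def parse_ssl_debug(text):
    """Return one dict per 'dissect_ssl enter frame' block, in log order."""
    frames, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()                      # timestamps and indentation vary between lines
        m = FRAME_RE.search(line)
        if m:
            cur = {"frame": int(m.group(1)), "from_server": None, "records": [],
                   "handshake": [], "cipher": None, "no_decoder": False, "plaintext_bytes": 0}
            frames.append(cur)
            continue
        if cur is None:
            continue                            # header lines before the first frame
        if (m := DIR_RE.search(line)) and cur["from_server"] is None:
            cur["from_server"] = m.group(1) == "TRUE"   # first direction line wins
        elif m := CT_RE.search(line):
            ct = int(m.group(1))
            cur["records"].append(CONTENT_TYPES.get(ct, f"type{ct}"))
        elif m := HS_RE.search(line):
            ht = int(m.group(1))
            cur["handshake"].append(HANDSHAKE_TYPES.get(ht, f"type{ht}"))
        elif m := CIPHER_RE.search(line):
            cur["cipher"] = m.group(1)
        elif NO_DECODER in line:
            cur["no_decoder"] = True
        elif m := PLAIN_RE.match(line):
            cur["plaintext_bytes"] += int(m.group(1))
    return frames


def decryption_status(frame):
    """'decrypted' if any Plaintext[...] dump was produced; 'undecrypted-appdata' when an
    Application Data record had no decoder (keys missing, wrong private key, or a non-RSA
    key exchange); 'cleartext' for records that needed no decoder (early handshake, CCS)."""
    if frame["plaintext_bytes"]:
        return "decrypted"
    if "ApplicationData" in frame["records"]:
        return "undecrypted-appdata"
    return "cleartext"


def summarize(text):
    """One (frame, direction, records, handshake, status) tuple per frame."""
    rows = []
    for f in parse_ssl_debug(text):
        direction = "S->C" if f["from_server"] else "C->S"
        rows.append((f["frame"], direction, f["records"], f["handshake"], decryption_status(f)))
    return rows


# Abridged lines from the log on this page; frame #9999 is constructed to show a failure.
SAMPLE_LOG = """\
16:59:42 dissect_ssl enter frame #1110 (first time)
16:59:42 packet_from_server: is from server - FALSE
16:59:42 dissect_ssl3_record: content_type 22 Handshake
16:59:42 decrypt_ssl3_record: no decoder available
16:59:42 dissect_ssl3_handshake iteration 1 type 1 offset 5 length 171 bytes, remaining 180
16:59:42 dissect_ssl enter frame #1112 (first time)
16:59:42 packet_from_server: is from server - TRUE
16:59:42 dissect_ssl3_record: content_type 22 Handshake
16:59:42 decrypt_ssl3_record: no decoder available
16:59:42 dissect_ssl3_handshake iteration 1 type 2 offset 5 length 81 bytes, remaining 985
16:59:42 ssl_dissect_hnd_srv_hello found CIPHER 0x009C TLS_RSA_WITH_AES_128_GCM_SHA256 -> state 0x97
16:59:42 dissect_ssl3_handshake iteration 0 type 11 offset 90 length 887 bytes, remaining 985
16:59:42 dissect_ssl3_handshake iteration 0 type 14 offset 981 length 0 bytes, remaining 985
16:59:42 dissect_ssl enter frame #1114 (first time)
16:59:42 packet_from_server: is from server - FALSE
16:59:42 dissect_ssl3_record: content_type 22 Handshake
16:59:42 decrypt_ssl3_record: no decoder available
16:59:42 dissect_ssl3_handshake iteration 1 type 16 offset 5 length 258 bytes, remaining 267
16:59:42 dissect_ssl3_record: content_type 20 Change Cipher Spec
16:59:42 ssl_change_cipher CLIENT
16:59:42 dissect_ssl3_record: content_type 22 Handshake
16:59:42 decrypt_ssl3_record: using client decoder
Ciphertext[40]:
Plaintext[32]:
16:59:42 dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16
17:49:28 dissect_ssl enter frame #1119 (first time)
17:49:28 packet_from_server: is from server - FALSE
17:49:28 dissect_ssl3_record: content_type 23 Application Data
17:49:28 decrypt_ssl3_record: using client decoder
Ciphertext[397]:
Plaintext[389]:
| 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a |GET / HTTP/1.1..|
17:49:28 dissect_ssl enter frame #9999 (first time)
17:49:28 packet_from_server: is from server - TRUE
17:49:28 dissect_ssl3_record: content_type 23 Application Data
17:49:28 decrypt_ssl3_record: no decoder available
"""

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

Run it against a real ssldebug.log by reading the file into summarize(); any "undecrypted-appdata" row after the Finished messages means the private key in ssl.keys_list did not match the server certificate or the session used a key exchange the RSA key cannot unwrap.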
