TLS protocol detection by using client hello message
Problem description
I need to detect https packets in network traffic. Until now I was marking all "443" as https but I don't want to use port information for this case any more.
Will it be enough to check the client hello message like:

    // Check 22 and version info 0300 0301 or 0302
    if (packet->payload[0] == 0x16 && packet->payload[1] == 0x03
        && (packet->payload[2] == 0x00 || packet->payload[2] == 0x01 || packet->payload[2] == 0x02)) {
        int temp = ntohs(get_u16(packet->payload, 3)) + 5; // Get length: record length field + 5-byte record header
        // Check length is valid (<= so a payload holding exactly one record passes) and 6th byte is client hello (which is 1)
        if (temp <= packet->payload_length && temp > 50 && packet->payload[5] == 1)
            MARK AS HTTPS
    }

Because of my project design, I can't check more than one packet. Can you please advise if just checking client hello like above is ok or not?
Solution

> Because of my project design, I can't check more than one package. Can you please advise if just checking client hello like above is ok or not?
I assume you mean "packet" not "package." Given that we're using TCP here, being able to reassemble fragmented messages is essential. So long as you have a tool which only operates on single packets, you cannot expect to reliably (as in 100% of the time) detect message content longer than a single byte. That's because it's perfectly legal for the TCP sender to dribble the bytes to you one-by-one...so you need to be prepared to reassemble them or know that you'll miss some information.
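As an added example (not code from the question or the answer), here is the ClientHello check written so that it does not depend on one TCP segment carrying the whole record: the classifier returns a third verdict, "need more", for a prefix that is consistent with a ClientHello, and a small per-flow buffer re-runs it as segments arrive. The function names (tls_classify, reasm_feed, segments_until_match, one_shot_check) are hypothetical, and the sample ClientHello bytes are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Verdict for a byte buffer that may hold only part of a TLS record. */
typedef enum { TLS_NO_MATCH = 0, TLS_NEED_MORE = 1, TLS_CLIENT_HELLO = 2 } tls_verdict;

/* Largest TLSPlaintext fragment (RFC 5246, 6.2.1) plus the 5-byte record header. */
#define TLS_MAX_RECORD (5 + 16384)

/* Constructed sample: a minimal TLS 1.2 ClientHello with two cipher suites,
 * no session id and no extensions, 52 bytes in total. */
const uint8_t SAMPLE_CLIENT_HELLO[] = {
    0x16, 0x03, 0x01, 0x00, 0x2f,                      /* record: handshake(22), version 3.1, length 47 */
    0x01, 0x00, 0x00, 0x2b,                            /* handshake: ClientHello(1), length 43 */
    0x03, 0x03,                                        /* client_version: TLS 1.2 */
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,    /* random: 32 constructed bytes */
    0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
    0x00,                                              /* session_id length 0 */
    0x00, 0x04, 0xc0, 0x2b, 0xc0, 0x2f,                /* cipher_suites: ECDHE-ECDSA / ECDHE-RSA AES128-GCM-SHA256 */
    0x01, 0x00                                         /* compression_methods: null */
};

/* The question's single-packet test restated (hypothetical helper): it can only
 * match when this one payload already holds the entire record. */
int one_shot_check(const uint8_t *payload, size_t payload_length)
{
    if (payload_length < 6) return 0;
    if (payload[0] != 0x16 || payload[1] != 0x03 || payload[2] > 0x02) return 0;
    size_t temp = (((size_t)payload[3] << 8) | payload[4]) + 5;
    return temp <= payload_length && temp > 50 && payload[5] == 0x01;
}

/* Classify buf[0..len). Each field is checked as soon as its bytes are present, so a
 * stream is rejected early, but CLIENT_HELLO is only returned once the whole record is in. */
tls_verdict tls_classify(const uint8_t *buf, size_t len)
{
    if (len >= 1 && buf[0] != 0x16) return TLS_NO_MATCH;       /* content type: handshake */
    if (len >= 2 && buf[1] != 0x03) return TLS_NO_MATCH;       /* record version major 3 */
    if (len >= 3 && buf[2] > 0x04) return TLS_NO_MATCH;        /* 0x0300 (SSL 3.0) .. 0x0304 */
    if (len < 5) return TLS_NEED_MORE;
    size_t rec_len = ((size_t)buf[3] << 8) | buf[4];
    if (rec_len < 4 || rec_len > TLS_MAX_RECORD - 5) return TLS_NO_MATCH;
    if (len >= 6 && buf[5] != 0x01) return TLS_NO_MATCH;       /* handshake type: ClientHello */
    if (len < 9) return TLS_NEED_MORE;
    size_t hs_len = ((size_t)buf[6] << 16) | ((size_t)buf[7] << 8) | buf[8];
    /* Smallest ClientHello body: version(2) random(32) session_id len(1)
     * cipher_suites(2+2) compression_methods(1+1) = 41 bytes. A ClientHello split
     * over several records is legal but rare; this detector requires it to fit in one. */
    if (hs_len < 41 || hs_len + 4 > rec_len) return TLS_NO_MATCH;
    if (len >= 10 && buf[9] != 0x03) return TLS_NO_MATCH;      /* client_version major 3 */
    if (len < 5 + rec_len) return TLS_NEED_MORE;
    return TLS_CLIENT_HELLO;
}

/* Per-flow reassembly buffer, bounded by the largest legal record so a stream that
 * never completes cannot grow it without limit. */
typedef struct { uint8_t data[TLS_MAX_RECORD]; size_t used; } tls_reasm;

void reasm_init(tls_reasm *r) { r->used = 0; }

/* Append one TCP segment's payload and re-run the classifier over all bytes seen so far. */
tls_verdict reasm_feed(tls_reasm *r, const uint8_t *seg, size_t n)
{
    size_t room = sizeof r->data - r->used;
    if (n > room) n = room;   /* bytes beyond the largest record cannot change the verdict */
    memcpy(r->data + r->used, seg, n);
    r->used += n;
    return tls_classify(r->data, r->used);
}

/* Deliver SAMPLE_CLIENT_HELLO in segments of `chunk` bytes, as a dribbling TCP sender
 * might, and return how many segments it took to reach CLIENT_HELLO (-1 if any prefix was rejected). */
int segments_until_match(size_t chunk)
{
    tls_reasm r;
    size_t off = 0;
    int segments = 0;
    reasm_init(&r);
    while (off < sizeof SAMPLE_CLIENT_HELLO) {
        size_t take = sizeof SAMPLE_CLIENT_HELLO - off;
        if (take > chunk) take = chunk;
        tls_verdict v = reasm_feed(&r, SAMPLE_CLIENT_HELLO + off, take);
        off += take;
        segments++;
        if (v == TLS_NO_MATCH) return -1;
        if (v == TLS_CLIENT_HELLO) return segments;
    }
    return -1;
}

int main(void)
{
    printf("one-shot check, whole record: %d\n", one_shot_check(SAMPLE_CLIENT_HELLO, sizeof SAMPLE_CLIENT_HELLO));
    printf("one-shot check, first 20 bytes: %d\n", one_shot_check(SAMPLE_CLIENT_HELLO, 20));
    printf("classifier, first 20 bytes: %d (1 = need more)\n", tls_classify(SAMPLE_CLIENT_HELLO, 20));
    printf("segments needed when dribbled one byte at a time: %d\n", segments_until_match(1));
    return 0;
}
```

The one-shot check answers 0 on the first 20 bytes of the sample, exactly the miss the answer describes, while the classifier reports that it needs more data and, after reassembly, matches however the sender splits the record. Two details worth knowing when tuning the version test in the question: a TLS 1.3 ClientHello still carries record version 0x0301 and legacy_version 0x0303, so checking for 0x0300 to 0x0302 in the record header does not exclude it, and the buffer is capped at one maximum-size record because nothing after that can turn a non-ClientHello into one.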