This repository has been archived by the owner on Jul 11, 2023. It is now read-only.
Grains: TLS
Peter Parkanyi edited this page Jul 27, 2018 · 2 revisions
The TLS grain tracks TLS handshakes and extracts information about ClientHello and ServerHello packets using the socket filter eBPF interface.
Because of the limitations of this interface, most of the parsing is done in userspace. The socket filter also has no PID information, so to attribute a handshake to a process, the grain's output has to be aggregated with information from other grains.
An example ClientHello payload looks like this:
```python
{'kind': 5,
 'measurement': 1,
 'name': 'tls.handshake.clienthello_count',
 'tags': {'ciphersuites_list': 'Unknown(23130),TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,...',
          'd_ip': '52.91.199.226',
          'd_port': '443',
          's_ip': '192.168.114.133',
          's_port': '33426',
          'sni_list': 'sock137-mt1.pusher.com'},
 'timestamp': 1532605469234678603}
```
A ServerHello looks like this:
```python
{'kind': 5,
 'measurement': 1,
 'name': 'tls.handshake.serverhello_count',
 'tags': {'alpn_str': 'h2',
          'ciphersuite_str': 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
          'd_ip': '192.168.114.133',
          'd_port': '40370',
          's_ip': '52.222.242.204',
          's_port': '443'},
 'timestamp': 1532605486962705272}
```
The `alpn_str` field may be missing if ALPN information is not returned in the payload.
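The userspace side of this is plain TLS record parsing. The following is an added example, not the grain's own code: it walks a raw TLS handshake record, pulls out the fields the two payloads above carry (the offered cipher suite list and SNI from a ClientHello, the selected suite and ALPN from a ServerHello), and names them with the same tag keys. The cipher suite table is a small assumed subset of the IANA registry; anything outside it is rendered as `Unknown(<decimal code>)`, matching the `Unknown(23130)` GREASE entry in the sample (23130 is 0x5A5A). The `build_*` helpers construct sample records so the parser can be exercised offline; they are not captured traffic. The `d_ip`/`s_ip`/ports come from the socket layer and are not part of this parser.

```python
# Minimal TLS ClientHello / ServerHello field extractor (added example, not the grain's code).

# Assumed subset of IANA cipher suite codes; unknown codes are rendered as Unknown(<decimal>).
CIPHER_SUITES = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",
}
EXT_SNI = 0    # server_name extension type
EXT_ALPN = 16  # application_layer_protocol_negotiation extension type


def suite_name(code):
    return CIPHER_SUITES.get(code, f"Unknown({code})")


def _vec(buf, pos, len_bytes):
    """Read a length-prefixed vector starting at pos; return (payload, position after it)."""
    n = int.from_bytes(buf[pos:pos + len_bytes], "big")
    pos += len_bytes
    return buf[pos:pos + n], pos + n


def _extensions(data):
    """Split the extensions block into {extension_type: body}."""
    exts, pos = {}, 0
    while pos + 4 <= len(data):
        etype = int.from_bytes(data[pos:pos + 2], "big")
        body, pos = _vec(data, pos + 2, 2)
        exts[etype] = body
    return exts


def _sni(body):
    """server_name extension: list of (name_type, name); keep host_name entries (type 0)."""
    names, lst = [], _vec(body, 0, 2)[0]
    pos = 0
    while pos + 3 <= len(lst):
        name_type = lst[pos]
        name, pos = _vec(lst, pos + 1, 2)
        if name_type == 0:
            names.append(name.decode("ascii"))
    return names


def _alpn(body):
    """ALPN extension: list of 1-byte-length-prefixed protocol names."""
    protos, lst = [], _vec(body, 0, 2)[0]
    pos = 0
    while pos < len(lst):
        proto, pos = _vec(lst, pos, 1)
        protos.append(proto.decode("ascii"))
    return protos


def parse_handshake(record):
    """Parse one TLS record carrying a ClientHello or ServerHello.
    Returns (measurement name, tags) in the grain's shape, or None for anything else."""
    if len(record) < 9 or record[0] != 0x16:   # 0x16 = handshake content type
        return None
    rec_len = int.from_bytes(record[3:5], "big")
    hs = record[5:5 + rec_len]
    hs_type = hs[0]
    body, _ = _vec(hs, 1, 3)                   # handshake length is 3 bytes
    pos = 2 + 32                               # skip legacy_version and random
    _, pos = _vec(body, pos, 1)                # legacy_session_id
    tags = {}
    if hs_type == 1:                           # ClientHello
        suites, pos = _vec(body, pos, 2)
        _, pos = _vec(body, pos, 1)            # compression methods
        codes = [int.from_bytes(suites[i:i + 2], "big") for i in range(0, len(suites), 2)]
        tags["ciphersuites_list"] = ",".join(suite_name(c) for c in codes)
        name = "tls.handshake.clienthello_count"
    elif hs_type == 2:                         # ServerHello
        tags["ciphersuite_str"] = suite_name(int.from_bytes(body[pos:pos + 2], "big"))
        pos += 3                               # selected suite (2) + compression method (1)
        name = "tls.handshake.serverhello_count"
    else:
        return None
    if pos < len(body):                        # extensions block is optional
        exts = _extensions(_vec(body, pos, 2)[0])
        if EXT_SNI in exts and _sni(exts[EXT_SNI]):
            tags["sni_list"] = ",".join(_sni(exts[EXT_SNI]))
        if EXT_ALPN in exts:                   # absent -> no alpn_str tag, as on the page
            tags["alpn_str"] = ",".join(_alpn(exts[EXT_ALPN]))
    return name, tags


# --- constructed sample records (not captured traffic) ---------------------------------
def _ext(etype, body):
    return etype.to_bytes(2, "big") + len(body).to_bytes(2, "big") + body


def _record(hs_type, body):
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


def build_client_hello(host, suites):
    sni_entry = b"\x00" + len(host).to_bytes(2, "big") + host.encode()
    sni = _ext(EXT_SNI, len(sni_entry).to_bytes(2, "big") + sni_entry)
    suite_bytes = b"".join(c.to_bytes(2, "big") for c in suites)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + len(suite_bytes).to_bytes(2, "big") + suite_bytes
            + b"\x01\x00" + len(sni).to_bytes(2, "big") + sni)
    return _record(1, body)


def build_server_hello(suite, alpn=None):
    body = b"\x03\x03" + bytes(32) + b"\x00" + suite.to_bytes(2, "big") + b"\x00"
    if alpn:
        entry = bytes([len(alpn)]) + alpn.encode()
        exts = _ext(EXT_ALPN, len(entry).to_bytes(2, "big") + entry)
        body += len(exts).to_bytes(2, "big") + exts
    return _record(2, body)


if __name__ == "__main__":
    print(parse_handshake(build_client_hello("sock137-mt1.pusher.com", [0x5A5A, 0xC02B, 0xC02F])))
    print(parse_handshake(build_server_hello(0xC02F, "h2")))
    print(parse_handshake(build_server_hello(0xC02F)))   # no alpn_str tag
```

The parser deliberately returns `None` for non-handshake records and for handshake types other than 1 and 2, so a caller feeding it every record from a socket filter only gets the two events the grain counts. Note that the SNI and ALPN values come straight from the peer and are untrusted input: anything downstream that keys on `sni_list` should treat it as a claim, not a verified hostname.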