3

I'm trying to capture the unencrypted bytes of a TLS connection and record them into a cap file for analysis of the HTTP/2 traffic. There are a lot of assumptions I am making that this is even possible. But I'm willing to fudge almost everything below the HTTP/2 layer if I can see that traffic in a useful tool like Wireshark.

https://github.com/yschimke/okhttp/commit/c6b0b4c0ba3b59d44cf292955eef2685ed6094e7#diff-d4b38ff70d61641e49af93db2892080f47a2480af92ca151b2daabb50bbc459b

My approach eventually boils down to

return object : DelegatingSSLSocket(socket) {
   override fun getInputStream(): InputStream {
     return object : FilterInputStream(socket.inputStream) {
       override fun read(b: ByteArray, off: Int, len: Int): Int {
         return super.read(b, off, len).also { readLen ->
           dumper.dump(
             ipv4ReadPacketBuilder.payloadBuilder(
               tcpReadPacketBuilder
                 .payloadBuilder(
                   UnknownPacket.Builder().rawData(
                     b.sliceArray(off.rangeTo(off + readLen))
                   )
                 )
             )
               .build()
           )
         }
       }
     }
   }

   override fun getOutputStream(): OutputStream {
     return object : FilterOutputStream(socket.outputStream) {
       override fun write(b: ByteArray, off: Int, len: Int) {
         super.write(b, off, len)

         dumper.dump(
           ipv4WritePacketBuilder.payloadBuilder(
             tcpWritePacketBuilder
               .payloadBuilder(
                 UnknownPacket.Builder().rawData(b.sliceArray(off.rangeTo(off + len)))
               )
           )
             .build()
         )
       }
     }
   }
 }

Does anyone have any advice on pcap4j or pcap files generally to see what I'm doing wrong?

The packets I'm writing are IPv4>TCP>Data

tcp dump packets

But Wireshark shows

HTTP/2 preamble

Mike Doe
  • 16,349
  • 11
  • 65
  • 88
Yuri Schimke
  • 12,435
  • 3
  • 35
  • 69

1 Answers1

1

For IPv4, Version is always equal to 4. Your image states that you are trying to write IPv4 Header but hex codes shows that it is not the IPv4 header.

enter image description here

First highlighted number is 56. Instead of 5 it should be 4. Hence Wireshark is unable to detect it as a IPv4 packet.

enter image description here

Refer my below link, it will help you to understand the sample format.

How to obtain the source IP from a Wireshark dump of an HTTP GET request

For TCP, it should be 06 instead of bb.

enter image description here

Also your source IP is 0.0.0.0. It will not generate any error but you can change it as per your requirement.

enter image description here

Prasad 14723312
  • 539
  • 1
  • 3
  • 14