What is TLS Packet Analysis with Scapy?
Scapy is a powerful interactive packet manipulation tool written in Python. It lets users craft, send, receive and dissect network packets layer by layer. In this example, Scapy is used to capture and analyze TLS traffic, focusing on several key aspects of the protocol. Note that Scapy does not dissect TLS by default: call load_layer("tls") in the interactive shell, or import scapy.layers.tls.all in a script, before sniffing; otherwise the port-443 payload stays as an opaque Raw layer.
TLS (Transport Layer Security) is the protocol used to secure communications over a network, providing encryption, authentication and data integrity. Scapy lets us inspect the handshake messages, in particular the ClientHello and ServerHello, to understand how the client and the server negotiate the parameters of a session.
Specifically, Scapy is used here to:
- Analyze TLS handshakes: capture ClientHello and ServerHello messages to identify the offered and selected cipher suites, the TLS version, and other handshake metadata.
- Extract SNI (Server Name Indication): read the server_name extension from the ClientHello to determine which hostname the client is asking for, which is especially useful on hosts that serve several sites behind one IP address. The extension is sent in the clear, so it is visible to any passive observer; it is absent when the client connects by IP address rather than by name.
- Identify TLS versions: detect the version in use (TLS 1.0, 1.1, 1.2 or 1.3). A ClientHello carries a version in three places that can disagree: the record-layer header (commonly 0x0301, TLS 1.0, kept for middlebox compatibility), the legacy version field in the hello body (0x0303, TLS 1.2, printed as 771 in the capture below), and the supported_versions extension, which is the only place a TLS 1.3 offer appears. The version actually negotiated is fixed by the ServerHello, not by the ClientHello.
- Verify cipher suites: check the suites offered in the ClientHello and the one chosen in the ServerHello against policy. In the capture below, for example, 47 (0x002F) and 53 (0x0035) are TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_AES_256_CBC_SHA, which use RSA key transport and therefore provide no forward secrecy.
This type of analysis helps network administrators and security professionals understand the security posture of TLS traffic, detect potential misconfigurations, and ensure secure encryption practices are in place.
TLS Traffic Analysis with Scapy
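As an added example, not code from the original page and not Scapy's API, the following stdlib-only Python walks a TLS ClientHello by hand and extracts the same fields the Scapy dissector exposes: record-layer version, legacy hello version, cipher suites, SNI and the supported_versions extension. The sample ClientHello is built by build_client_hello(), a hypothetical helper that constructs a packet (not a capture) with the same 18 cipher suites as the capture below, an SNI, and a GREASE value in supported_versions; effective_max_version() and weak_suites() are likewise hypothetical helpers written for this example.

```python
import struct

VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

# Names from the IANA cipher-suite registry for the 18 IDs seen in the capture below.
CIPHER_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", 0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", 0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", 0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256", 0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}


def u16(buf, off):
    return struct.unpack("!H", buf[off:off + 2])[0]


def parse_client_hello(data):
    """Parse one TLS record carrying a ClientHello and return its key fields."""
    ctype, record_version, _rec_len = struct.unpack("!BHH", data[:5])
    if ctype != 22 or data[5] != 1:            # 22 = handshake record, 1 = client_hello
        raise ValueError("not a ClientHello record")
    hs_len = int.from_bytes(data[6:9], "big")  # handshake length is 24-bit
    hello = data[9:9 + hs_len]
    hello_version = u16(hello, 0)              # legacy_version; 0x0303 even for TLS 1.3
    pos = 34                                   # skip version(2) + random(32)
    sid_len = hello[pos]; pos += 1 + sid_len   # session_id is opaque here
    cs_len = u16(hello, pos); pos += 2
    ciphers = [u16(hello, i) for i in range(pos, pos + cs_len, 2)]; pos += cs_len
    comp_len = hello[pos]; pos += 1 + comp_len
    sni, supported_versions = None, []
    if pos < len(hello):                       # the extensions block is optional
        ext_end = pos + 2 + u16(hello, pos); pos += 2
        while pos < ext_end:
            etype, elen = u16(hello, pos), u16(hello, pos + 2); pos += 4
            ext = hello[pos:pos + elen]; pos += elen
            if etype == 0:                     # server_name: list_len(2), then entries of
                q = 2                          # name_type(1) name_len(2) name
                while q < 2 + u16(ext, 0):
                    nlen = u16(ext, q + 1)
                    if ext[q] == 0:            # name_type 0 = host_name
                        sni = ext[q + 3:q + 3 + nlen].decode("ascii")
                    q += 3 + nlen
            elif etype == 43:                  # supported_versions: len(1), then u16 list
                supported_versions = [u16(ext, i) for i in range(1, 1 + ext[0], 2)]
    return {"record_version": record_version, "hello_version": hello_version,
            "ciphers": ciphers, "sni": sni, "supported_versions": supported_versions}


def effective_max_version(info):
    """Highest version the client really offers: supported_versions if present, else
    the legacy field. GREASE values (0x?a?a) are dropped so they cannot win max()."""
    real = [v for v in info["supported_versions"] if v in VERSION_NAMES]
    return max(real) if real else info["hello_version"]


def weak_suites(info):
    """Offered suites using RSA key transport (no forward secrecy) or CBC with SHA-1."""
    names = [CIPHER_NAMES.get(c, "unknown_%04x" % c) for c in info["ciphers"]]
    return [n for n in names if n.startswith("TLS_RSA_WITH_") or n.endswith("_CBC_SHA")]


def build_client_hello(sni, ciphers, versions):
    """Constructed sample input (not a captured packet), laid out the way real clients
    do it: record version 0x0301, legacy hello version 0x0303, offer in supported_versions."""
    host = sni.encode("ascii")
    name_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_ext = struct.pack("!HHH", 0, len(name_entry) + 2, len(name_entry)) + name_entry
    ver_list = b"".join(struct.pack("!H", v) for v in versions)
    sv_ext = struct.pack("!HH", 43, len(ver_list) + 1) + bytes([len(ver_list)]) + ver_list
    exts = sni_ext + sv_ext
    body = (struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"   # version, random, empty session id
            + struct.pack("!H", len(ciphers) * 2) + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00"                                       # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0301, len(handshake)) + handshake


SAMPLE = build_client_hello("example.com", list(CIPHER_NAMES), [0x0A0A, 0x0304, 0x0303])

if __name__ == "__main__":
    info = parse_client_hello(SAMPLE)
    print("record layer says:", VERSION_NAMES[info["record_version"]])
    print("hello field says: ", VERSION_NAMES[info["hello_version"]])
    print("really offers:    ", VERSION_NAMES[effective_max_version(info)])
    print("SNI:", info["sni"])
    print("weak suites:", weak_suites(info))
```

The three version values the script prints are the same three that the capture below shows as "TLS 1.0" (record layer), 771 (legacy hello field) and "SupportedVersion: [TLS 1.3, ...]" (extension); a monitoring rule that keys only on the record-layer or legacy field will misclassify every TLS 1.3 client. Scapy's dissector exposes the same data through the 'version', 'ciphers' and 'ext' fields printed in the capture, so the helper functions here can be pointed at those fields instead of the hand parser.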
TLS Packet Details
Example Output:
Starting packet capture on port 443... Press Ctrl+C to stop.
[+] TLS Packet Detected:
Source IP: 192.168.56.1
Destination IP: 192.168.56.101
Port: 55418
TLS Version: TLS 1.0
--------------------------------------------------
[+] TLS Packet Detected:
Source IP: 192.168.56.1
Destination IP: 192.168.56.101
Port: 443
Available Fields in ClientHello: {'msgtype': 1, 'msglen': 225, 'version': 771, 'gmt_unix_time': 3253133420, 'random_bytes': b'0@\x15vw\xba\xa3\x03A\x0e\x16\xd2t\xa4\xd9\x7f\x86~(\x1e\xa5\x85\xfa\x93\x07\x83\x94\x89', 'sidlen': 32, 'sid': b'4\xbb\xa2\x1f\xa0gy\xad\xf4\x08\xdd\xbfw\xaf\xc4\x93rM\x80\xa0\xe4\xa4\xfd`Z`\xeb9\t\xf2\x03\x06', 'cipherslen': 36, 'ciphers': [4865, 4866, 4867, 49199, 49195, 49200, 49196, 49191, 52393, 52392, 49161, 49171, 49162, 49172, 156, 157, 47, 53], 'complen': 1, 'comp': [0], 'extlen': 116, 'ext': [<extension objects; decoded under "ClientHello Fields" below>]}
No SNI detected.
TLS Version: TLS 1.2
Cipher Suites: [4865, 4866, 4867, 49199, 49195, 49200, 49196, 49191, 52393, 52392, 49161, 49171, 49162, 49172, 156, 157, 47, 53]
Packet Information
- Source IP: 192.168.56.1
- Destination IP: 192.168.56.101
- Port: 443
- TLS Version: TLS 1.0
ClientHello Fields
- msgtype: 1
- msglen: 225
- version: 771
- gmt_unix_time: 3253133420
- random_bytes: b'0@\x15vw\xba\xa3\x03A\x0e\x16\xd2t\xa4\xd9\x7f\x86~(\x1e\xa5\x85\xfa\x93\x07\x83\x94\x89'
- sidlen: 32
- sid: b'4\xbb\xa2\x1f\xa0gy\xad\xf4\x08\xdd\xbfw\xaf\xc4\x93rM\x80\xa0\xe4\xa4\xfd`Z`\xeb9\t\xf2\x03\x06'
- cipherslen: 36
- ciphers: [4865, 4866, 4867, 49199, 49195, 49200, 49196, 49191, 52393, 52392, 49161, 49171, 49162, 49172, 156, 157, 47, 53]
- complen: 1
- comp: [0]
- extlen: 116
- ext:
- ExtendedMasterSecret: Present
- RenegotiationInfo: renegotiated_connection = b''
- SupportedGroups: [x25519, secp256r1, secp384r1]
- SupportedPointFormat: [uncompressed]
- SessionTicket: b''
- SignatureAlgorithms: [sha256+ecdsa, sha256+rsaepss, sha256+rsa, sha384+ecdsa, sha384+rsaepss, sha384+rsa, sha512+rsaepss, sha512+rsa, sha1+rsa]
- KeyShare: x25519
- PSKKeyExchangeModes: psk_dhe_ke
- SupportedVersion: [TLS 1.3, TLS 1.2, TLS 1.1, TLS 1.0]
Additional Information
- No SNI Detected
- TLS Version: TLS 1.2
- Cipher Suites: [4865, 4866, 4867, 49199, 49195, 49200, 49196, 49191, 52393, 52392, 49161, 49171, 49162, 49172, 156, 157, 47, 53]