0

I am using trying to use pyshark to extract the SNI information from TLS handshake frame in the quic packets captured and stored in pcap format using wireshark.

In Wireshark, I am able to see the decrypted information of all the frames in the initial packet. And that's the expectation too.

In pyshark, I am not able to do the same. Pyshark seems to only provide information of the first frame in the initial packet.

Is there any way to look through all the frames of the QUIC packet.

Pyshark code used

def snie_quic_one(pcap_file, index):
    import pyshark

    pcap_data = pyshark.FileCapture(pcap_file)
    packet = pcap_data[index]
    
    if 'quic' in packet:
        print(packet.quic.frame)
        print(packet.quic.tls_handshake)
    else:
        print("No QUIC packet found")



if __name__ == '__main__':
   pcap_file = './cap2.pcapng'
   snie_quic_one(pcap_file, 12)

Gives output:

PADDING Length: 2
Handshake Protocol: Encrypted Handshake Message (fragment)

Same packet in Wireshark. SNI Information available. See screeshot below.

This image shows that the output of frame in pyshark is the first frame of the packet. Padding Image

This image shows that SNI information is available in a Crypto frame in the same packet. SNI

My expectation is simple, when given a packet, I must be able to obtain the SNI information using a python script. Suggestions on how to proceed is highly welcome.

Edit:

The operating system I would like the run the script on is Ubuntu 22.04

hari19
  • 95
  • 8
  • I didn't exactly try your code, but a similar one. It works when using Windows Operating system, when switched to Ubuntu 22.04, it doesn't give the same output. Many fields of the initial packet are unreadable by tshark. My guess it tshark for debian needs an update. – hari19 May 03 '23 at 14:15
  • Both have the latest available tshark, 4.0.5 on windows and 3.6.2 on Ubuntu. Also, wireshark on windows required NpCap to be installed. – hari19 May 03 '23 at 14:47

0 Answers0