cisco/joy

SRLT vs SPLT

dimk1 opened this issue · 10 comments

dimk1 commented

Hello,

this might not be an issue actually, but in the json files I see the srlt value, which I can't correlate as an acronym or terminology to the documentation. Is this simply a typo for SPLT?

thanks

There is a SRLT terminology in the context of TLS. Where are you seeing the SRLT? Can you provide the options you are using with JOY and the output where you see SRLT?

dimk1 commented

Thanks for your reply. Here is one entry in my json file. There are several of those in one tracer I'm collecting for a TLS dialogue
"srlt":[{"b":165,"dir":">","ipt":0,"tp":22,"hs_types":[1],"hs_lens":[161]},{"b":89,"dir":"<","ipt":154,"tp":22,"hs_types":[2],"hs_lens":[85]},{"b":2360,"dir":"<","ipt":0,"tp":22,"hs_types":[11],"hs_lens":[2356]},{"b":331,"dir":"<","ipt":0,"tp":22,"hs_types":[12],"hs_lens":[327]},{"b":4,"dir":"<","ipt":0,"tp":22},{"b":70,"dir":">","ipt":11,"tp":22,"hs_types":[16],"hs_lens":[66]},{"b":1,"dir":">","ipt":0,"tp":20},{"b":48,"dir":">","ipt":0,"tp":22},{"b":1,"dir":"<","ipt":136,"tp":20},{"b":48,"dir":"<","ipt":0,"tp":22},{"b":464,"dir":">","ipt":4,"tp":23},{"b":32,"dir":"<","ipt":144,"tp":23},{"b":224,"dir":"<","ipt":0,"tp":23},{"b":32,"dir":"<","ipt":0,"tp":23},{"b":496,"dir":"<","ipt":0,"tp":23}]

What does SRLT stand for?

OK, yeah, this is for the TLS interleaved packet lengths and times. You can see this in tls.c in the function len_time_print_interleaved_tls. This is not a typo.

dimk1 commented

Not an expert here. So can I assume this offers the same sort of information as SPLT does but tailored for the TLS negotiation only?

Hi, SRLT = Sequence of Record Lengths and Times. For TLS, SPLT will have an entry for each TCP data packet, and SRLT will have an entry for each TLS record. A simple example is the TLS certificate. If the certificate record had length ~4,000, there would be a single entry in the SRLT array with length 4,000, but 3-4 SPLT entries (assuming the TCP MSS is ~1200-1400).

Another interesting example is TLS applications that send several small application_data records in a single TCP packet. SPLT would only report a single data point, but SRLT would have an entry for each record.

SPLT is obviously more generic, and it is also more efficient. SRLT does a better job at capturing how TLS applications send data.
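To make the packets-versus-records distinction concrete, here is an added Python example; it is not Joy's code (Joy itself is written in C) and not part of the thread. It builds one direction of a TLS 1.2 byte stream from constructed records, segments it at a fixed MSS, and derives both views: SPLT from the packet lengths, SRLT by reassembling the segments and walking the record and handshake headers. The record framing (type, version, 2-byte length) and handshake framing (type, 3-byte length) are the standard TLS 1.2 layout; the 4000-byte certificate body, the 1400-byte MSS and the three 10-byte application_data records are constructed inputs, and the ipt and dir fields are left out because only one direction with no timestamps is modelled.

```python
"""Added example: SPLT (per TCP packet) versus SRLT (per TLS record) on a constructed stream."""
import struct

TLS_HANDSHAKE = 22
TLS_APPLICATION_DATA = 23
TLS_VERSION = b"\x03\x03"  # record-layer version used by TLS 1.2
HS_CERTIFICATE = 11


def tls_record(content_type, payload):
    """Wrap payload in a TLS record header: type(1) version(2) length(2)."""
    return bytes([content_type]) + TLS_VERSION + struct.pack("!H", len(payload)) + payload


def handshake_msg(hs_type, body):
    """Handshake message: type(1) length(3) body."""
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body


def packetize(stream, mss):
    """Split one direction of a byte stream into TCP segment payloads of at most mss bytes."""
    return [stream[i:i + mss] for i in range(0, len(stream), mss)]


def splt(packets):
    """SPLT view: one length per TCP data packet, no knowledge of TLS framing."""
    return [len(p) for p in packets]


def srlt(packets):
    """SRLT view: one entry per TLS record, reassembled across packet boundaries.

    Field names follow Joy's output: b is the record payload length (handshake
    header included, record header excluded), tp the content type, and for
    handshake records hs_types/hs_lens list each handshake message inside.
    """
    buf = b"".join(packets)  # in-order reassembly of this direction
    out = []
    off = 0
    while off + 5 <= len(buf):
        ctype = buf[off]
        rec_len = struct.unpack("!H", buf[off + 3:off + 5])[0]
        payload = buf[off + 5:off + 5 + rec_len]
        if len(payload) < rec_len:
            break  # record not complete yet; a live parser would wait for more segments
        entry = {"b": rec_len, "tp": ctype}
        if ctype == TLS_HANDSHAKE:
            types, lens = [], []
            p = 0
            while p + 4 <= len(payload):
                types.append(payload[p])
                lens.append(int.from_bytes(payload[p + 1:p + 4], "big"))
                p += 4 + lens[-1]
            entry["hs_types"] = types
            entry["hs_lens"] = lens
        out.append(entry)
        off += 5 + rec_len
    return out


def build_server_flight():
    """Constructed server-side data: one large Certificate record, then three tiny data records."""
    cert_record = tls_record(TLS_HANDSHAKE, handshake_msg(HS_CERTIFICATE, bytes(4000)))
    small_records = b"".join(tls_record(TLS_APPLICATION_DATA, bytes(10)) for _ in range(3))
    return cert_record, small_records


def demo(mss=1400):
    """Return (splt, srlt) for the constructed flight.

    The certificate spans three segments (3 SPLT entries, 1 SRLT entry); the three
    application_data records share one segment (1 SPLT entry, 3 SRLT entries).
    """
    cert_record, small_records = build_server_flight()
    packets = packetize(cert_record, mss) + [small_records]
    return splt(packets), srlt(packets)


if __name__ == "__main__":
    packet_lengths, records = demo()
    print("SPLT:", packet_lengths)
    print("SRLT:", records)
```

The asymmetry is the point of the thread: SPLT is a property of the transport and needs no parsing, SRLT needs the record layer reassembled but survives segmentation and coalescing, which is why the two feature sets disagree exactly where an application's record-sending behaviour is most distinctive.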

dimk1 commented

Just to add some new info to the discussion, the way I call joy is via
joy tls=1 retrans=0 num_pkts=%s bidir=1 log=%s.log verbosity=2 dist=1 %s.pcap | gunzip > %s.json

so I don't set the flag splt=1 which I saw in the documentation. I was unable however to find info on the differences between SRLT and SPLT. Can someone please point to some source?

dimk1 commented

There is a hole in the documentation where the TLS output should be. That's my bad, I somehow missed the tls object when doing the documentation for the 2.0 release. The SRLT documentation should look something like this:

"srlt": [ # Sequence of TLS Record Lengths, Types, and Times
  {
    "hs_types": [ # handshake types appearing in this record (see https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-7)
      1
    ],
    "b": 512, # number of bytes of data in record
    "hs_lens": [ # length of handshake in bytes
      508
    ],
    "tp": 22, # record content type (see https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-5)
    "ipt": 0, # number of milliseconds since last record
    "dir": ">" # direction
  },

best
David
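As an added example, not part of the thread or of Joy, the following Python decodes the srlt array dimk1 posted above using the field meanings given in the comment just above. It checks the invariant that a labelled handshake record's b equals the sum of its hs_lens plus one 4-byte handshake header per message, names the messages from the IANA HandshakeType and ContentType registries, tracks each side's change_cipher_spec to tell plaintext from encrypted records, and sums bytes and elapsed time per direction. The array is copied verbatim from the thread; the reading of the two unlabelled handshake records is stated in the comments as an inference from TLS 1.2 message sizes, not something the Joy output itself says.

```python
"""Added example: interpret Joy's srlt array with the documented field meanings."""
import json

# Names from the IANA TLS ContentType and HandshakeType registries for the values that occur here
CONTENT_TYPE = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPE = {1: "client_hello", 2: "server_hello", 11: "certificate",
                  12: "server_key_exchange", 14: "server_hello_done",
                  16: "client_key_exchange", 20: "finished"}

# Verbatim copy of the srlt array posted earlier in this thread (a TLS 1.2 handshake plus data)
SRLT_JSON = (
    '[{"b":165,"dir":">","ipt":0,"tp":22,"hs_types":[1],"hs_lens":[161]},'
    '{"b":89,"dir":"<","ipt":154,"tp":22,"hs_types":[2],"hs_lens":[85]},'
    '{"b":2360,"dir":"<","ipt":0,"tp":22,"hs_types":[11],"hs_lens":[2356]},'
    '{"b":331,"dir":"<","ipt":0,"tp":22,"hs_types":[12],"hs_lens":[327]},'
    '{"b":4,"dir":"<","ipt":0,"tp":22},'
    '{"b":70,"dir":">","ipt":11,"tp":22,"hs_types":[16],"hs_lens":[66]},'
    '{"b":1,"dir":">","ipt":0,"tp":20},{"b":48,"dir":">","ipt":0,"tp":22},'
    '{"b":1,"dir":"<","ipt":136,"tp":20},{"b":48,"dir":"<","ipt":0,"tp":22},'
    '{"b":464,"dir":">","ipt":4,"tp":23},{"b":32,"dir":"<","ipt":144,"tp":23},'
    '{"b":224,"dir":"<","ipt":0,"tp":23},{"b":32,"dir":"<","ipt":0,"tp":23},'
    '{"b":496,"dir":"<","ipt":0,"tp":23}]'
)


def load_posted_srlt():
    return json.loads(SRLT_JSON)


def check_handshake_lengths(srlt):
    """Return (index, b, expected) for labelled handshake records whose b does not match.

    Each handshake message carries a 4-byte header (type + 3-byte length) that is
    counted in b but not in hs_lens, so b == sum(hs_lens) + 4 * len(hs_lens).
    """
    bad = []
    for i, r in enumerate(srlt):
        if r["tp"] == 22 and "hs_types" in r:
            expected = sum(r["hs_lens"]) + 4 * len(r["hs_lens"])
            if r["b"] != expected:
                bad.append((i, r["b"], expected))
    return bad


def timeline(srlt):
    """One row per record: (ms since first record, dir, content type name, b, message names)."""
    t = 0
    encrypted = {">": False, "<": False}  # flips once that side has sent change_cipher_spec
    rows = []
    for r in srlt:
        t += r["ipt"]  # ipt is milliseconds since the previous record, so accumulate it
        d = r["dir"]
        names = [HANDSHAKE_TYPE.get(h, str(h)) for h in r.get("hs_types", [])]
        if r["tp"] == 22 and not names:
            # Joy gives no hs_types here. After the sender's change_cipher_spec the record
            # is encrypted (in TLS 1.2 that is the Finished message). Before it, the posted
            # 4-byte record is the size of a handshake header with an empty body, which is
            # what server_hello_done looks like; that is an inference, not Joy's label.
            names = ["encrypted_handshake"] if encrypted[d] else ["unlabelled"]
        rows.append((t, d, CONTENT_TYPE.get(r["tp"], str(r["tp"])), r["b"], names))
        if r["tp"] == 20:
            encrypted[d] = True
    return rows


def bytes_by_direction(srlt):
    """Total record bytes sent by client ('>') and server ('<')."""
    totals = {">": 0, "<": 0}
    for r in srlt:
        totals[r["dir"]] += r["b"]
    return totals


def records_before_ccs(srlt):
    """How many records each side sent in the clear, i.e. before its own change_cipher_spec."""
    seen_ccs = {">": False, "<": False}
    counts = {">": 0, "<": 0}
    for r in srlt:
        d = r["dir"]
        if r["tp"] == 20:
            seen_ccs[d] = True
        elif not seen_ccs[d]:
            counts[d] += 1
    return counts


def handshake_duration_ms(srlt):
    """Milliseconds from the first record to the last record before application_data starts."""
    t = 0
    for r in srlt:
        if r["tp"] == 23:
            return t
        t += r["ipt"]
    return t


SRLT = load_posted_srlt()

if __name__ == "__main__":
    for row in timeline(SRLT):
        print(row)
    print("length check failures:", check_handshake_lengths(SRLT))
    print("bytes:", bytes_by_direction(SRLT), "handshake ms:", handshake_duration_ms(SRLT))
```

The length check is worth keeping in any consumer of this output: it confirms that b includes the handshake header while hs_lens does not, and an entry that fails it is either a multi-message record whose headers were not all counted or a field whose meaning has changed between Joy versions.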

Thanks David. Do you know what the parameter tls_c_exts_kind refers to? Are you planning an updated documentation where the reported tls features are explained in detail?

Hello,

The "kind" key is present when the extension is not found in the IANA registry:
https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#tls-extensiontype-values-1
As the program looks through each extension, it tries to find a human-readable string corresponding to that extension. If no such string is found, then the value for "kind" is the 2-byte hex string representing the "value" (see the IANA link above).
The following "data" key/value holds the actual data for that extension (possibly empty).

Hope that helps,
Philip