devsisters/libquic

Example on how to easily decode QUIC SNI field

Opened this issue · 1 comments

Hi there,

my use case is the following:

  • I get the packet bytes from the network or PCAP file
  • I would like to extract SNI field related to that specific session that the packet belongs to
  • session management is done by my side

Is it possible? What would such an example look like?

Thanks and regards

from scapy.all import *
from scapy.layers import tls

# Replace these values with your actual session identification criteria

# Placeholder 4-tuple identifying the one flow to inspect (client -> server).
# Every value below is a stand-in and must be replaced before use.
source_ip, source_port = "source_ip", 12345
destination_ip, destination_port = "destination_ip", 443

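def extract_sni(packet):
    """Return the server name from a TLS ClientHello found in *packet*.

    Only a ClientHello that scapy has already dissected as TLS is handled,
    which in practice means TLS over TCP. QUIC is not covered: it carries the
    ClientHello in CRYPTO frames of UDP Initial packets whose payload is
    protected with keys derived from the connection ID (RFC 9001), so such
    packets never appear here as a TLSClientHello layer.

    NOTE(review): assumes TLS dissection was enabled before the capture was
    read (e.g. scapy's load_layer("tls")); confirm for the scapy version used.

    Args:
        packet: A scapy packet, typically one read from a capture.

    Returns:
        The first non-empty server_name entry as text, or None when the
        packet holds no ClientHello or no server_name extension.
    """
    # Function-scope imports name the scapy classes this relies on. The
    # original referenced tls.TLSExtensionType and tls.TLSServerName.parse,
    # which scapy's TLS layer does not appear to provide.
    from scapy.layers.tls.extensions import TLS_Ext_ServerName
    from scapy.layers.tls.handshake import TLSClientHello

    if not packet.haslayer(TLSClientHello):
        return None

    client_hello = packet[TLSClientHello]
    # Extensions are parsed into a list of extension packets in `ext`; the
    # field is None when the ClientHello carries no extensions.
    for extension in client_hello.ext or []:
        if not isinstance(extension, TLS_Ext_ServerName):
            continue
        for entry in extension.servernames or []:
            raw_name = entry.servername
            if raw_name:
                # The name is client-supplied and unauthenticated: treat it as
                # untrusted text. Undecodable bytes are escaped rather than
                # raising, so one malformed packet cannot abort a whole run.
                return raw_name.decode("utf-8", errors="backslashreplace")
    return None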

def process_packet(packet):
    """Print the SNI of *packet* when it belongs to the configured session.

    A packet is considered only if it has both an IP and a TCP layer and its
    source/destination address and port equal the module-level
    source_ip/source_port/destination_ip/destination_port values. Nothing is
    printed when extract_sni() yields no name.

    NOTE(review): the filter requires TCP, while QUIC runs over UDP, so QUIC
    packets never get past the first check in this function.
    """
    if not (IP in packet and TCP in packet):
        return

    ip_layer = packet[IP]
    tcp_layer = packet[TCP]
    observed = (ip_layer.src, tcp_layer.sport, ip_layer.dst, tcp_layer.dport)
    wanted = (source_ip, source_port, destination_ip, destination_port)
    if observed != wanted:
        return

    sni = extract_sni(packet)
    if not sni:
        return

    # The SNI comes straight from the capture; it is untrusted text.
    print(f"Session: {source_ip}:{source_port} -> {destination_ip}:{destination_port}")
    print(f"SNI: {sni}")
    print("=====================================")

# Placeholder path; point it at the capture to analyse.
pcap_file = "path_to_your_pcap_file.pcap"

# rdpcap() returns the capture's packets as one in-memory list, so memory use
# grows with capture size. The file is untrusted input to scapy's dissectors.
packets = rdpcap(pcap_file)

# Check each packet against the configured session, in capture order.
for packet in packets:
    process_packet(packet)