在libpcap中提取客戶端Hello和SNI

Question

我在c中使用libpcap庫來解析pcap文件。我試圖提取TCP客戶端hello，然後檢查服務器名稱指示以匹配給定的服務器。我可以這樣做嗎？如果是的話，有人能告訴我如何？謝謝

Answer 1

這是一個C++代碼片段，可以使用PcapPlusPlus庫來實現。此代碼假定您正在從pcap文件中讀取數據包，但從實時界面讀取時可以實現相同：

// create a pcap file reader instance 
pcpp::IFileReaderDevice* reader = pcpp::IFileReaderDevice::getReader("my_ssl_packets.pcap"); 

// open the reader for reading 
reader->open(); 

// read the first (and only) packet from the file 
pcpp::RawPacket rawPacket; 
while (reader->getNextPacket(rawPacket) != NULL) 
{ 
    // parse the packet 
    pcpp::Packet sslParsedPacket(&rawPacket); 

    // check if this is a SSL packet 
    if (!sslParsedPacket.isPacketOfType(pcpp::SSL)) 
     continue; 

    // check if this is a SSL handshake packet 
    pcpp::SSLHandshakeLayer* sslHandshakeLayer = sslPacket->getLayerOfType<pcpp::SSLHandshakeLayer>(); 
    if (sslHandshakeLayer == NULL) 
     continue; 

    // check if this is a client-hello message 
    pcpp::SSLClientHelloMessage* clientHelloMessage = sslHandshakeLayer->getHandshakeMessageOfType<pcpp::SSLClientHelloMessage>(); 
    if (clientHelloMessage == NULL) 
     continue; 

    // extract the Server Name Indication from the client-hello message 
    pcpp::SSLServerNameIndicationExtension* sniExtension = clientHelloMessage->getExtensionOfType<pcpp::SSLServerNameIndicationExtension>(); 
    if (sniExtension != NULL) 
     printf("Server Name Indication is: %s\n", sniExtension->getHostName().c_str()); 
} 

// close the file reader 
reader->close(); 
delete reader;