lua:quic
Revisions compared: lua:quic [2018/12/13 23:35] – [Output of the QUIC analysis] veera and lua:quic [2018/12/13 23:43] – [Explaining the scripts] veera
The QUIC analysis LUA scripts can be found here in the [[https://
===== Network Security Monitoring for QUIC =====
In the NSM((Network Security Monitoring involves collecting multiple types of data characterizing network traffic http://
We were seeing quite a bit of QUIC traffic to YouTube in one of our probes, so we went ahead and got the PCAPs and started analyzing them using Wireshark and the Google QUIC Crypto document to see what could be extracted. We found the following indicators:
  * **Connection ID** - a 64-bit random number, likely globally unique, that identifies the QUIC connection.
==== Explaining the scripts ====
The scripts are on Github at [[https://
  - A new protocol_handler called
  - A Trisul simple_counter script that is called for every QUIC packet ( ''quic-simplecounter.lua'' )
  - The actual QUIC dissector, which returns a LUA table with all fields filled in ( ''quic-dissect.lua'' )
  - A QUIC certificate decompressor using LuaJIT FFI into zlib
The ''quic-dissect.lua'' script is where the real stuff happens; the rest of the files are plumbing into the Trisul platform. Start from there.
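As an added illustration of what such a dissector returns, and of the per-Connection-ID counting a simple_counter script would do on top of it, the plain Lua below parses a Google QUIC public header into a table and tallies packets per Connection ID. This is example code written for this page, not the project's ''quic-dissect.lua'' and not any Trisul API; the header layout and flag values it assumes are those of the Q035–Q043 era of the Google QUIC wire format (flags byte, optional 8-byte Connection ID, optional 4-byte version tag, optional 32-byte diversification nonce, then a 1/2/4/6-byte packet number), and the packet bytes are constructed.

```lua
-- Added example, not the page's quic-dissect.lua: parse the gQUIC (Q035-Q043 era)
-- public header into a Lua table, the kind of result the page's dissector returns.
-- Assumed layout: flags byte; 8-byte connection ID if flag 0x08; 4-byte version
-- if flag 0x01; 32-byte diversification nonce if flag 0x04 (server to client);
-- packet number of 1/2/4/6 bytes selected by flag bits 0x30. Public reset (0x02)
-- carries no packet number. Plain Lua 5.1 / LuaJIT, no FFI or bit library needed.

local PKT_NUM_LEN = { [0] = 1, [1] = 2, [2] = 4, [3] = 6 }

-- Test a single-bit flag with arithmetic so the code runs on Lua 5.1, LuaJIT and 5.3+.
local function has_flag(flags, mask)
  return math.floor(flags / mask) % 2 == 1
end

-- Hex-encode a byte string (used for the 64-bit connection ID and the nonce).
local function tohex(s)
  local t = {}
  for i = 1, #s do t[i] = string.format("%02x", s:byte(i)) end
  return table.concat(t)
end

-- Read an unsigned big-endian integer of n bytes at 1-based offset pos.
local function read_uint(buf, pos, n)
  local v = 0
  for i = 0, n - 1 do v = v * 256 + buf:byte(pos + i) end
  return v
end

-- Returns a header table, or nil plus a reason when the packet is truncated.
local function parse_public_header(pkt)
  if #pkt < 1 then return nil, "empty packet" end
  local flags = pkt:byte(1)
  local pos = 2
  local hdr = {
    flags           = flags,
    is_public_reset = has_flag(flags, 0x02),
    has_version     = has_flag(flags, 0x01),
  }
  if has_flag(flags, 0x08) then                     -- 8-byte connection ID present
    if #pkt < pos + 7 then return nil, "truncated connection ID" end
    hdr.connection_id = tohex(pkt:sub(pos, pos + 7))
    pos = pos + 8
  end
  if hdr.has_version then                           -- e.g. "Q043"
    if #pkt < pos + 3 then return nil, "truncated version" end
    hdr.version = pkt:sub(pos, pos + 3)
    pos = pos + 4
  end
  if hdr.is_public_reset then                       -- no packet number on a reset
    hdr.payload_offset = pos
    return hdr
  end
  if has_flag(flags, 0x04) then                     -- diversification nonce
    if #pkt < pos + 31 then return nil, "truncated diversification nonce" end
    hdr.diversification_nonce = tohex(pkt:sub(pos, pos + 31))
    pos = pos + 32
  end
  local pn_len = PKT_NUM_LEN[math.floor(flags / 16) % 4]
  if #pkt < pos + pn_len - 1 then return nil, "truncated packet number" end
  hdr.packet_number_len = pn_len
  hdr.packet_number     = read_uint(pkt, pos, pn_len)
  hdr.payload_offset    = pos + pn_len              -- where the encrypted payload starts
  return hdr
end

-- What a simple_counter-style script would do: count packets per connection ID,
-- skipping packets whose header does not parse or that carry no connection ID.
local function count_by_connection(packets)
  local counts = {}
  for _, pkt in ipairs(packets) do
    local hdr = parse_public_header(pkt)
    if hdr and hdr.connection_id then
      counts[hdr.connection_id] = (counts[hdr.connection_id] or 0) + 1
    end
  end
  return counts
end

-- Constructed sample: flags 0x19 = 2-byte packet number (0x10) | CID (0x08) | version (0x01)
local cid = string.char(0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04)  -- constructed CID
local sample = string.char(0x19) .. cid .. "Q043" .. string.char(0x00, 0x2a) .. string.char(0x00, 0x01)

local hdr = assert(parse_public_header(sample))
print(hdr.connection_id, hdr.version, hdr.packet_number, hdr.payload_offset)
-- deadbeef01020304  Q043  42  16

-- Truncated packet (flags claim a CID but only 3 bytes follow): returns nil, reason
local bad, err = parse_public_header(string.char(0x19, 0xde, 0xad, 0xbe))
print(bad, err)                                     -- nil  truncated connection ID

-- Two packets on the same connection and one on another
local counts = count_by_connection({ sample, sample, string.char(0x09) .. string.rep("\1", 8) .. "Q043" .. "\7" })
for id, n in pairs(counts) do print(id, n) end      -- deadbeef01020304 2, 0101010101010101 1
```

The table the parser returns is what a counter or correlation script keys on: the hex Connection ID is the per-connection identifier the page lists as an indicator, and a packet that fails the length checks yields nil rather than a partially filled table, so downstream counters never record a bogus ID.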
==== Output of the QUIC analysis ====
lua/quic.txt · Last modified: 2024/06/04 16:58 by thiyagu