lua:quic
Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
| lua:quic [2018/12/13 23:32] – [Comparison to Bro/Zeek] veera | lua:quic [2024/06/04 16:58] (current) – [QUIC protocol analysis using the Trisul Scripting API] thiyagu | ||
|---|---|---|---|
| Line 2: | Line 2: | ||
| - | QUIC (Quick UDP Internet Connection) is a protocol championed by Google to speed up web services by replacing the traditional TCP/HTTP network layer with a new UDP based protocol. | + | QUIC (Quick UDP Internet Connection) is a protocol championed by Google to speed up web services by replacing the traditional TCP/HTTP network layer with a new UDP based protocol. |
| semantics on the UDP based QUIC and call the new thing HTTP/ | semantics on the UDP based QUIC and call the new thing HTTP/ | ||
| This article describes how you can pull out key indicators from QUIC into Trisul using the [[https:// | This article describes how you can pull out key indicators from QUIC into Trisul using the [[https:// | ||
| + | |||
| + | < | ||
| + | **UPDATES** | ||
| + | < | ||
| + | |||
| + | |||
| + | The QUIC analysis LUA scripts can be found here in the [[https:// | ||
| + | </ | ||
| Line 12: | Line 20: | ||
| In the NSM((Network Security Monitoring involves collecting multiple types of data characterizing network traffic http:// | In the NSM((Network Security Monitoring involves collecting multiple types of data characterizing network traffic http:// | ||
| - | We were seeing quite a bit of QUIC traffic to YouTube in one of our probes, so we went ahead and got the PCAPs and started analyzing them using Wireshark and the Google QUIC Crypto document to see what can be extracted. We found the following indicators | + | We were seeing quite a bit of QUIC traffic to YouTube in one of our probes, so we went ahead and got the PCAPs and started analyzing them using Wireshark and the Google QUIC Crypto |
| * **Connection ID** - a 64-bit random number that would likely be globally unique identifying the QUIC connection. | * **Connection ID** - a 64-bit random number that would likely be globally unique identifying the QUIC connection. | ||
| Line 24: | Line 32: | ||
| ==== Explaining the scripts ==== | ==== Explaining the scripts ==== | ||
| + | The scripts are on Github at [[https:// | ||
| - | - A new protocol_hanlder called | + | - A new [[https:// |
| - | - A Trisul simple_counter script that calls for every QUIC packet ( quic-simplecounter.lua ) | + | - A Trisul |
| - | - The actual QUIC dissector , which returns a LUA table with all fields filled in ( quic-dissect.lua ) | + | - The actual QUIC dissector , which returns a LUA table with all fields filled in ( '' |
| - A QUIC certificate decompressor using LuaJIT FFI into zlib | - A QUIC certificate decompressor using LuaJIT FFI into zlib | ||
| - | The quic-dissect.lua script is where the real stuff happens, the rest of the files are plumbing into the Trisul platform. Start from there. | + | The [[https:// |
| + | |||
| + | ==== Output of the QUIC analysis ==== | ||
| - | What is the output of the QUIC analysis | ||
| The goal of all Trisul scripts is to add some piece of information into the streaming analysis. What we do in quic-simplecounter.lua is. | The goal of all Trisul scripts is to add some piece of information into the streaming analysis. What we do in quic-simplecounter.lua is. | ||
| Line 42: | Line 52: | ||
| - | This is how the outputs look like. Using the TRP API you can access these programatically too. | + | This is how the outputs look like. |
| ===== Flow Tags ===== | ===== Flow Tags ===== | ||
| - | If you want to pull out all QUIC flows , then go to Tools > Explore Flows > then search for tag=QUIC | + | To pull out all QUIC flows go to Tools > Explore Flows > then search for tag=QUIC |
| + | |||
| + | Click to zoom the image, you can see the QUIC flows tagged with QUIC, ConnectionID, | ||
| Line 56: | Line 67: | ||
| ===== Extract X.509 Certificate in QUIC ===== | ===== Extract X.509 Certificate in QUIC ===== | ||
| - | Just as we do for all SSL flows, we pull out the certificates from the server. | + | Just as we do for all SSL flows, we pull out the certificates |
| This took a while for me to get the certificate extraction right due to the following issues. | This took a while for me to get the certificate extraction right due to the following issues. | ||
| Line 64: | Line 75: | ||
| * the certificate spans multiple UDP packets hence needs some reassembly. Put together a very naive reassembly code in quic-dissect.lua | * the certificate spans multiple UDP packets hence needs some reassembly. Put together a very naive reassembly code in quic-dissect.lua | ||
| - | This is the result of the extracted certificate. | + | |
| + | Go to Resources > SSL Certs > press ENTER or search | ||
| Line 74: | Line 86: | ||
| - | ====== Conclusion | + | ===== Conclusion ===== |
| The goal here is to show the power of the Trisul scripting API rather than a production grade QUIC analyzer. | The goal here is to show the power of the Trisul scripting API rather than a production grade QUIC analyzer. | ||
| Line 80: | Line 92: | ||
| While the script is working fine in our test environment but putting into production would need some extra work. Particularly when QUIC is used for HD streaming, we need a more efficient way to shunt the stream after the initial handshake otherwise we enter the C->Lua interface for every UDP packet. | While the script is working fine in our test environment but putting into production would need some extra work. Particularly when QUIC is used for HD streaming, we need a more efficient way to shunt the stream after the initial handshake otherwise we enter the C->Lua interface for every UDP packet. | ||
| + | |||
| + | Head over to the Github page for the [[https:// | ||
lua/quic.1544724159.txt.gz · Last modified: 2018/12/13 23:32 by veera