在libpcap中提取客户端Hello和SNI

Question

我在c中使用libpcap库来解析pcap文件。我试图提取TCP客户端hello，然后检查服务器名称指示以匹配给定的服务器。我可以这样做吗？如果是的话，有人能告诉我如何？谢谢

Answer 1

这是一个C++代码片段，可以使用PcapPlusPlus库来实现。此代码假定您正在从pcap文件中读取数据包，但从实时界面读取时可以实现相同：

// create a pcap file reader instance 
pcpp::IFileReaderDevice* reader = pcpp::IFileReaderDevice::getReader("my_ssl_packets.pcap"); 

// open the reader for reading 
reader->open(); 

// read the first (and only) packet from the file 
pcpp::RawPacket rawPacket; 
while (reader->getNextPacket(rawPacket) != NULL) 
{ 
    // parse the packet 
    pcpp::Packet sslParsedPacket(&rawPacket); 

    // check if this is a SSL packet 
    if (!sslParsedPacket.isPacketOfType(pcpp::SSL)) 
     continue; 

    // check if this is a SSL handshake packet 
    pcpp::SSLHandshakeLayer* sslHandshakeLayer = sslPacket->getLayerOfType<pcpp::SSLHandshakeLayer>(); 
    if (sslHandshakeLayer == NULL) 
     continue; 

    // check if this is a client-hello message 
    pcpp::SSLClientHelloMessage* clientHelloMessage = sslHandshakeLayer->getHandshakeMessageOfType<pcpp::SSLClientHelloMessage>(); 
    if (clientHelloMessage == NULL) 
     continue; 

    // extract the Server Name Indication from the client-hello message 
    pcpp::SSLServerNameIndicationExtension* sniExtension = clientHelloMessage->getExtensionOfType<pcpp::SSLServerNameIndicationExtension>(); 
    if (sniExtension != NULL) 
     printf("Server Name Indication is: %s\n", sniExtension->getHostName().c_str()); 
} 

// close the file reader 
reader->close(); 
delete reader;