Fix JA3 & Add offline pcap (#9)

LeeBrotherston · Nov 13, 2024 · aa4804b · aa4804b
1 parent e9e6953
commit aa4804b
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 11 deletions.
diff --git a/example/example.go b/example/example.go
@@ -22,18 +22,36 @@ import (
 	"encoding/json"
 	"flag"
 	"fmt"
+	"os"
 
 	"github.com/LeeBrotherston/dactyloscopy"
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/pcap"
 )
 
-func doSniff(device string) error {
-	// Open device
-	// the 0 and true refer to snaplen and promisc mode.  For now we always want these.
-	handle, err := pcap.OpenLive(device, 0, true, pcap.BlockForever)
-	if err != nil {
-		return err
+func doSniff(device string, file string) error {
+	var (
+		handle *pcap.Handle
+		err    error
+	)
+	if len(file) > 0 {
+		pcapFile, err := os.Open(file)
+		if err != nil {
+			return err
+		}
+		handle, err = pcap.OpenOfflineFile(pcapFile)
+		if err != nil {
+			return err
+		}
+	} else if len(device) > 0 {
+		// Open device
+		// the 0 and true refer to snaplen and promisc mode.  For now we always want these.
+		handle, err = pcap.OpenLive(device, 0, true, pcap.BlockForever)
+		if err != nil {
+			return err
+		}
+	} else {
+		return fmt.Errorf("need a file or interface")
 	}
 	// Yes yes, I know... But offsetting this to the kernel *drastically* reduces processing time
 	err = handle.SetBPFFilter("(tcp[tcp[12]/16*4]=22 and (tcp[tcp[12]/16*4+5]=1) and (tcp[tcp[12]/16*4+9]=3) and (tcp[tcp[12]/16*4+1]=3)) or (ip6[(ip6[52]/16*4)+40]=22 and (ip6[(ip6[52]/16*4+5)+40]=1) and (ip6[(ip6[52]/16*4+9)+40]=3) and (ip6[(ip6[52]/16*4+1)+40]=3)) or ((udp[14] = 6 and udp[16] = 32 and udp[17] = 1) and ((udp[(udp[60]/16*4)+48]=22) and (udp[(udp[60]/16*4)+53]=1) and (udp[(udp[60]/16*4)+57]=3) and (udp[(udp[60]/16*4)+49]=3))) or (proto 41 and ip[26] = 6 and ip[(ip[72]/16*4)+60]=22 and (ip[(ip[72]/16*4+5)+60]=1) and (ip[(ip[72]/16*4+9)+60]=3) and (ip[(ip[72]/16*4+1)+60]=3))")
@@ -65,7 +83,8 @@ func doSniff(device string) error {
 
 func main() {
 	intStr := flag.String("i", "en0", "interface to sniff")
+	file := flag.String("f", "", "pcap file")
 	flag.Parse()
 
-	doSniff(*intStr)
+	doSniff(*intStr, *file)
 }
diff --git a/tlsFingerprint.go b/tlsFingerprint.go
@@ -210,7 +210,14 @@ func (f *Fingerprint) addExtList() error {
 		}
 	}
 
-	f.JA3, err = hashMD5(fmt.Sprintf("%d,%s,%s,%s,%s", f.TLSVersion, sliceToDash16(f.Ciphersuite), sliceToDash16(f.Extensions), sliceToDash16(f.ECurves), sliceToDash8(f.EcPointFmt)))
+	// The official JA3 libraries seem to use 0 when EcPointFmt is empty instead
+	// of leaving the field blank, so we will do this to remain compatible
+	if len(f.EcPointFmt) == 0 {
+		f.EcPointFmt = append(f.EcPointFmt, 0)
+	}
+	unhashed := fmt.Sprintf("%d,%s,%s,%s,%s", f.TLSVersion, sliceToDash16(f.Ciphersuite), sliceToDash16(f.Extensions), sliceToDash16(f.ECurves), sliceToDash8(f.EcPointFmt))
+	fmt.Printf("thing: %s\n", unhashed)
+	f.JA3, err = hashMD5(unhashed)
 	if err != nil {
 		return err
 	}

diff --git a/types.go b/types.go
@@ -20,6 +20,3 @@ type Fingerprint struct {
 	rawSuites         cryptobyte.String
 	rawExtensions     cryptobyte.String
 }
-
-type clientHello struct {
-}