https://github.com/petermosmans/tls-protocol-analyzer

Passive SSL/TLS protocol analyzer, to show information about SSL/TLS handshakes, ciphers, extensions and connections
https://github.com/petermosmans/tls-protocol-analyzer

Last synced: about 1 year ago
JSON representation

Passive SSL/TLS protocol analyzer, to show information about SSL/TLS handshakes, ciphers, extensions and connections

• Host: GitHub
• URL: https://github.com/petermosmans/tls-protocol-analyzer
• Owner: PeterMosmans
• License: gpl-3.0
• Created: 2015-09-25T11:44:44.000Z (over 10 years ago)
• Default Branch: master
• Last Pushed: 2018-10-12T02:44:35.000Z (over 7 years ago)
• Last Synced: 2025-03-24T18:21:32.813Z (about 1 year ago)
• Language: Python
• Size: 39.1 KB
• Stars: 12
• Watchers: 5
• Forks: 7
• Open Issues: 2
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

          
# SSL/TLS Protocol Analyzer

Passively listens on interface and shows information about SSL/TLS connections.

Yes, scapy does something similar (and much, much more), but you'll need several dependencies. Getting scapy to run on Windows for example can be quite a hassle.

This script 'only' depends on dpkt, and pypcap if you want to sniff live traffic.

Please note that you need correct permissions to sniff traffic (root or Administrator privileges).

Dependencies

------------

+ dpkt

+ pypcap

Optional (to show IP addresses per interface):

+ netifaces

Installation

------------

```pip install -r requirements.txt```

Note that this also installs netifaces

Usage

----

```

./tpa.py

```

Listens on default interface eth0 and shows information about SSL/TLS handshakes. Currently only the Client Hello parser is implemented, so that's the information that will be displayed.

```

./tpa.py -i eth3

```

Listens on interface eth3

When running on Linux environments (including Cygwin, MSYS and MSYS2 under Windows), you can specify the standard name (e.g. `eth1`) for the interface.

When running native on Windows you need to specify the extremely unfriendly looking device name, e.g. `\\DEVICE\NPF_{C0FFEE-15-G00D}`

Note that you can retrieve a list of these device names using the `--list-interfaces` option

```

./tpa.py -r PCAPFILE

```

Reads a pcap file and displays information about SSL/TLS connections.

```

./tpa.py --list-interfaces

```

Lists all available interfaces with their IP addresses 

Example output

--------------

```

[+] Client Hello detected (172.1.2.3:31337 --> 192.30.252.131:443)

[*] Ciphers:

    0xc02b - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

    0xc02f - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

    0xc00a - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

    0xc009 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

    0xc013 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

    0xc014 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

    0x33   - TLS_DHE_RSA_WITH_AES_128_CBC_SHA

    0x39   - TLS_DHE_RSA_WITH_AES_256_CBC_SHA

    0x2f   - TLS_RSA_WITH_AES_128_CBC_SHA

    0x35   - TLS_RSA_WITH_AES_256_CBC_SHA

    0xa    - TLS_RSA_WITH_3DES_EDE_CBC_SHA

[*] Compression methods:

         0 - null

[*] Extensions:

         0 - server_name (Length: 15)

             github.com (Type host name)

     65281 - renegotiation_info (Length: 1)

        10 - supported_groups (Length: 8)

        11 - ec_point_formats (Length: 2)

        35 - SessionTicket TLS (Length: 0)

     13172 - next_protocol_negotiation (Length: 0)

        16 - application_layer_protocol_negotiation (Length: 23)

             h2

             spdy/3.1

             http/1.1

         5 - status_request (Length: 5)

        13 - signature_algorithms (Length: 22)

```