grsec-unoff RAP related Call Traces 2018-01-01-1917
issue #17 at grsecunoff which I managed to post right after making the PCAP available here...
The Call Trace, along with lots of (important and not) context is there, safe enough on GitHub, well, for the time being and a while longer at least...
However, the SSLKEYLOGFILE excerpt: pg180101-1917/dump_180101_1917_gdO_SSLKEYLOGFILE.txt is also needed.
And for even devs who're not in the network business whatsoever, my tools could be somewhat useful:
WARNING: Familiarity with and use of some Unix-like OS such as GNU/Linux or BSD (or being able to use Cygwin on Windows, but I haven't tested that yet) is required to be able to follow.
Most of the original files of this section are produced with my (primitive) set of scripts:
Notice there are different scripts there, some I use for minimal anonymization of the dumps (dump_perl_repl.sh). Ah, and another could be useful for downloading, instead of click-downloading each file in a list (dump_dLo.sh). If not downloading uncenz, you can get it directly: https://raw.githubusercontent.com/miroR/uncenz/master/dump_dLo.sh or later version if that looks too old.
It's also available here locally.
For analysis/stream extraction I often use my modest and lacking in good programming practices, but doing what I created them for, scripts:
as well as:
workPCAPs which can run tshark-streams and tshark-hosts-conv
( and from May 2018 also stream-cont.pl from program
on (a lot) of PCAP(s) (usually) non-interactively.
NOTE: A better way than my stream-cont, since recently to my writing of it, is in tshark. Please see how to extract files taught by a Wireshark core dev.
Readers are advised to try and analyze the traffic dumps for themselves, with the above programs (I also try to offer some educational usefulness to them). There would anyway be too little point posting all the streams and the listings that those would produce. I usually post just the ones among that produce which are crucial for the discussion in question.
And just one more thing: I post lots of command lines and snippets of scripts. Be aware that some of those are in HTML, so before using them, check that they correspond to what the page shows, and of course, report (see the contact page) back to me the typos and errors if you find any.
WARNING: don't analyze this PCAP on a machine you can't afford to hurt if you later wouldn't be able to recover. It might contain malicious code:
(better safe than sorry...)
The files necessary for this study are listed in:
pg180101-1917/dump_180101_1917_gdO.pcap
pg180101-1917/dump_180101_1917_gdO_SSLKEYLOGFILE.txt
pg180101-1917/PCAPs-work-180101-2132-manu.log
pg180101-1917/PCAPs-work-180101-2132-manu_R.log
pg180101-1917/PCAPs-work.sh
and verify to: ls-1pg180101-1917.sum
signed by: ls-1pg180101-1917.sum.asc
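One way to check downloaded files against a checksum list such as the .sum file above, as an added example that is not one of the author's scripts. It assumes the list is in coreutils format (hex digest, two spaces, path) and, since the page does not name the hash, infers the algorithm from the digest length; the sample file names and contents are constructed. The detached signature in the .sum.asc file should be checked with gpg --verify before the list itself is trusted.

```python
import hashlib, os, re, tempfile

# Digest length in hex characters -> algorithm (assumption: the page names none).
ALGOS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
LINE = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")

def check_sum_list(sum_text, base_dir):
    """Return {entry: status} for each line of a coreutils-style checksum list."""
    base = os.path.realpath(base_dir)
    results = {}
    for line in filter(str.strip, sum_text.splitlines()):
        m = LINE.match(line)
        if not m or len(m.group(1)) not in ALGOS:
            results[line] = "unparsable"
            continue
        digest, name = m.group(1).lower(), m.group(2)
        path = os.path.realpath(os.path.join(base, name))
        # A list fetched from the network must not point outside base_dir.
        if os.path.commonpath([base, path]) != base:
            results[name] = "outside-base"
            continue
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        h = hashlib.new(ALGOS[len(digest)])
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        results[name] = "ok" if h.hexdigest() == digest else "MISMATCH"
    return results

def demo():
    """Constructed sample: stand-in files, one listed with a wrong digest."""
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "pg"))
        for name, data in (("pg/a.pcap", b"pcap"), ("pg/keys.txt", b"keys")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        listing = "\n".join([
            hashlib.sha256(b"pcap").hexdigest() + "  pg/a.pcap",
            hashlib.sha256(b"tampered").hexdigest() + "  pg/keys.txt",
            hashlib.sha256(b"x").hexdigest() + "  ../etc/passwd",
            hashlib.sha256(b"x").hexdigest() + "  pg/absent.log",
        ])
        return check_sum_list(listing, d)

if __name__ == "__main__":
    for name, status in demo().items():
        print(status, name)
```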