Hide and Seek on Github 1

(No. 0)  No. 1  No. 2 

One part of the story.

The little PCAP would be an entire book to explore (for non-experts, that is; and even experts will tell you: take out just what matters, away with the rest)!

In the entire 18min 21sec of that original little PCAP, there was even one Tor connection from the Tor "daemon" that's running. Truly to one Tor node, and only downloading miscrodescriptors, nothing seemed to be out-of-ordinary Tor work (but it did cost me studying Tor docs at length to reach to conclusion with some likelyhood of correctness).

Filtered out (at least for now):

$ tshark -r dump_180809_1931_gdO.pcap -Y \
	'!((ip.addr==127.0.0.1))&&(!(ip.addr==SOME.NUM.B.ER)' \
	-w  dump_180809_1931_gdO_noTor.pcap
$ mv -vi dump_180809_1931_gdO_noTor.pcap dump_180809_1931_gdO.pcap

And next is the event with that fault as close as it gets to show.

This is how I cut out the PCAP:

$ editcap -r dump_180809_1931_gdO.pcap dump_180809_1931_gdO_2150-6960.pcap 2150-6960

And, if you're interested, further below is also how I manipulated and cut the video that shows the event to maybe one or two tenth of a second (0.1s-0.2s) precision from same starting time as the cut out PCAP, for better correlation. Further below.

Pls. watch the video from no sooner than after 0:02:00 and compare it (at least for now) with the PCAP in Wireshark, also after some 0:02:00 from start: all those events in the screen are there to be seen in Wireshark at pretty close the same time from start of the PCAP (see below for difficulties in synching screencast and PCAP).

Of course, you need to run Wireshark like this:

$ wireshark -ossl.keylog_file:dump_180809_1931_gdO_2150-6960_SSLKEYLOGFILE.txt \
	dump_180809_1931_gdO_2150-6960.pcap

---

By uncenz:

dump_180809_1931_gdO_2150-6960.pcap

---

What I now suspect the most likely cause of this faulty event is: the new programmers in charge (M$ has recently bought Github) not having yet gained familiarity with how Github should work...

I believe it's not my Pale Moon, not even remotely, to do anything with this fault.

And this part of the story with this PCAP (there is more, but I don't know if I may find the time to analyze any more) tells the probable cause is with the server. I don't suspect that any third parties bear any influence here, as I don't see how they could have caused this, but I am willing to hear if anybody really understands this better.

(My understanding of the inner working of Github web are vague (i.e. by figuring out what the server has/does through its interaction with my browser). The inner setup/working of Github does not show in my cast and CAP. if there had been also Mozilla devel tools employed, there would have been a little more info, but I anyway have no insight into Github servers).

Running scripts from my workPCAPs shows working on Github is now really only Github (i.e. Microsoft, but on the usual Github IPs). It used to be a lot of Google, and/or other big players too.

There's some evidence to that now in No. 2 of this section.

---

So here's approximately how I worked, and by guessing, the exact fractions of seconds, and even (small) number of full seconds (such as when opening a new page with the GET) btwn the click or an Enter to send a GET or a POST and that particual instruction being sent on the web. These are not trivial to find out precisely.

What you see below is not necessarily the actual final numbers, as I re-ran most of those commands, and yet might re-run them for the final result for you on this page --or I might open another one-- but is showing you the principle how to manipulate these casts.

$ i=Screen_180809_1931_gdO
$ ffmpeg -i $i.mkv -map 0:v -b:v 425k -g 5 -c:v \
	libvpx -qmin 0 -qmax 25 -crf 5 ${i}-g5.webm

I worked on the original, but you should likely get good result on the WEBM screencast, which is also complete, posted in the opening page of this section. The "-g 5" is the key. Watching TV programs (and not just local), I occasinally see how even technicians that manipulate and mount videos don't understand what that is and how that "group of pictures" work. But I'll leave you to FFmpeg docs now about that.

Only once the Screen_180809_1931_gdO-g5.webm is done, with all the very frequent key-frames for cutting, can we now cut it with much precision:

ffmpeg -i Screen_180809_1931_gdO-g5.webm -ss 555.9 \
	-c copy -frames 3365 Screen_180809_1931_gdO_2150-6960.webm

which is, in essence (I re-ran it through FFmpeg again to get normal frequency of keyframes, to reduce its size), the video posted on this page.

However, that's 5min 36sec, which is more that I thought (it's not the few dozen seconds altogether as I thought).

For a few reasons.

One is, that anyway, both these cut out video and PCAP are to be perused from no sooner than 0:02:00 (2min) from start.

Because the first two minutes of this cut out (editcap'ed) PCAP do not contain complete streams, and so they can not be decrypted. The first two minutes of this PCAP, namely, contain streams that started earlier, in the non-included part of the original PCAP. Only the streams --most of them (smaller parts of streams still missing because also some have parts in the later non-included part of original PCAP)-- [only the streams] in it after some 0:02:00 from start are decrypted and available for analysis.

WARNING: Familiarity with and use of some Unix-like OS such as GNU/Linux or BSD, (or being able to use Cygwin on Windows but I haven't tested that yet) is required to be able to follow.

Most of the original files of this section are produced with my (primitive) set of scripts:

uncenz.

Notice there are different scripts there, some I use for minimal anonymization of the dumps (dump_perl_repl.sh). Ah, and another could be useful for downloading, instead of of click-downloading each file in a list (dump_dLo.sh). If not downloading uncenz, you can get it directly: https://raw.githubusercontent.com/miroR/uncenz/master/dump_dLo.sh or later version if that looks too old.

It's also available here locally.

For analysis/stream extraction I often use my modest and lacking in good programming practices, but doing what I created them for, scripts:

tshark-hosts-conv

and:

tshark-streams.

as well as:

workPCAPs which can run tshark-streams and tshark-hosts-conv
( and from May 2018 also stream-cont.pl from program

stream-cont )

on (a lot) of PCAP(s) (usually) non-interactively.
NOTE: A better way than my stream-cont, since recently to my writing of it, is in tshark. Pls. see how to extract files taught by a Wireshark core dev.

Readers are advised to try and analyze the traffic dumps for themselves, with the above programs (I also try to offer some educational usefulness to them). There would anyway be too little point posting all the streams and the listings that those would produce. I usually post just the ones among that produce which are crucial for the discussion in question.

And just another one thing: I post lots of command lines and snippets of scripts. Be aware that some of those are in HTML, so before using them, check that they correspond to what the page shows, and of course, report (see the contact page) back to me the typoes and errors if you find any.

The files necessary for this study are listed in:

ls-1

dump_180809_1931_gdO_2150-6960.pcap
Screen_180809_1931_gdO_2150-6960.webm
dump_180809_1931_gdO_2150-6960_SSLKEYLOGFILE.txt

and verify to: ls-1.sum signed by: ls-1.sum.asc