Differences

This shows you the differences between two versions of the page.

--- lua:quic [2018/12/13 23:43] – [Explaining the scripts] veera
+++ lua:quic [2024/06/04 16:58] (current) – [QUIC protocol analysis using the Trisul Scripting API] thiyagu
@@ Line 2: / Line 2: @@
-QUIC (Quick UDP Internet Connection) is a protocol championed by Google to speed up web services by replacing the traditional TCP/HTTP network layer with a new UDP based protocol.  QUIC is almost exclusively used by Google services right now like YouTube, but there is an IETF Internet Draft on it now ((HTTP/3 Internet Draft https://quicwg.org/base-drafts/draft-ietf-quic-http.html)) . The movement is to merge HTTP
+QUIC (Quick UDP Internet Connection) is a protocol championed by Google to speed up web services by replacing the traditional TCP/HTTP network layer with a new UDP based protocol.  QUIC is almost exclusively used by Google services right now like YouTube, but there is an IETF Internet Draft on it now ((HTTP/3 Internet Draft https://datatracker.ietf.org/doc/html/draft-ietf-quic-http-34)) . The movement is to merge HTTP
 semantics on the UDP based QUIC and call the new thing HTTP/3.  As of today the only QUIC services found in the wild are from the Google stable.
 This article describes how you can pull out key indicators from QUIC into Trisul using the [[https://www.trisul.org/docs/lua/index.html|Lua Scripting API]].
+<note>
+**UPDATES**  14-Aug-19   Updated to support QUIC version 46</note>
+<note>
 The QUIC analysis LUA scripts can be found here in the [[https://github.com/trisulnsm/bitmaul/tree/master/examples/quic|BITMAUL/examples/quic]] repo
+</note>
 ===== Network Security Monitoring for QUIC =====
@@ Line 48: / Line 55: @@
 ===== Flow Tags =====
-If you want to pull out all QUIC flows , then go to Tools > Explore Flows > then search for tag=QUIC
+To pull out all QUIC flows go to Tools > Explore Flows > then search for tag=QUIC
+Click to zoom the image, you can see the QUIC flows tagged with QUIC, ConnectionID, Server Name, User-Agent
@@ Line 58: / Line 67: @@
 ===== Extract X.509 Certificate in QUIC =====
-Just as we do for all SSL flows, we pull out the certificates from the server. Found in the REJECT message into Trisul.
+Just as we do for all SSL flows, we pull out the certificates in QUIC from the server. Apparently QUIC also uses a 64-bit cert FLV.1 hash for well known certificate chains (like googles),but we were unable to get our Chrome browser to use them. We always got full certs.
 This took a while for me to get the certificate extraction right due to the following issues.
@@ Line 66: / Line 75: @@
   * the certificate spans multiple UDP packets hence needs some reassembly. Put together a very naive reassembly code in quic-dissect.lua
-This is the result of the extracted certificate.  Go to Resources > SSL Certs > press ENTER or search quic
+Go to Resources > SSL Certs > press ENTER or search //quic//