Merge pull request #194 from netd-tud/feature-quic-tud

QUIC: Extract more QUIC flow details
CESNET · Apr 22, 2024 · d2b7d7d · d2b7d7d
2 parents 4e5681b + 24234d1
commit d2b7d7d
Show file tree

Hide file tree

Showing 8 changed files with 1,653 additions and 266 deletions.
diff --git a/README.md b/README.md
@@ -613,10 +613,27 @@ List of fields exported together with basic flow fields on interface by WG plugi
 ### QUIC
 
 List of fields exported together with basic flow fields on interface by quic plugin.
-
-| Output field       | Type   | Description                     |
-|:------------------:|:------:|:-------------------------------:|
-| QUIC_SNI           | string | Decrypted server name           |
+`-with-quic-ch-full-tls-ext` enables extraction of all TLS extensions in the Client Hello.
+
+|    Output field     |   Type   |                                          Description                                          |
+|:-------------------:|:--------:|:---------------------------------------------------------------------------------------------:|
+|      QUIC_SNI       |  string  |                                     Decrypted server name                                     |
+|   QUIC_USER_AGENT   |  string  |                                     Decrypted user agent                                      |
+|    QUIC_VERSION     |  uint32  |                      QUIC version from first server long header packets                       |
+| QUIC_CLIENT_VERSION |  uint32  |                       QUIC version from first client long header packet                       |
+|  QUIC_TOKEN_LENGTH  |  uint64  |                          Token length from Initial and Retry packets                          |
+|     QUIC_OCCID      |  bytes   |                         Source Connection ID from first client packet                         |
+|     QUIC_OSCID      |  bytes   |                      Destination Connection ID from first client packet                       |
+|      QUIC_SCID      |  bytes   |                         Source Connection ID from first server packet                         |
+|   QUIC_RETRY_SCID   |  bytes   |                            Source Connection ID from Retry packet                             |
+|  QUIC_MULTIPLEXED   |  uint8   |                > 0 if multiplexed (at least two different QUIC_OSCIDs or SNIs)                |
+|    QUIC_ZERO_RTT    |  uint8   |                               Number of 0-RTT packets in flow.                                |
+| QUIC_SERVER_PORT    |  uint16  |                  TODO Server Port determined by packet type and TLS message                   |
+|    QUIC_PACKETS     | uint8\*  |           QUIC long header packet type (v1 encoded), version negotiation, QUIC bit            |
+|   QUIC_CH_PARSED    |  uint8   |                         >0 if TLS Client Hello parsed without errors                          |
+|  QUIC_TLS_EXT_TYPE  | uint16\* |                            TLS extensions in the TLS Client Hello                             |
+|  QUIC_TLS_EXT_LEN   | uint16\* |                                 Length of each TLS extension                                  |
+|    QUIC_TLS_EXT     |  string  | Payload of all/application_layer_protocol_negotiation and quic_transport params TLS extension |
 
 ### ICMP
 

diff --git a/configure.ac b/configure.ac
@@ -159,6 +159,12 @@ if [[ -z "$WITH_QUIC_TRUE" ]]; then
    AC_DEFINE([WITH_QUIC], [1], [Define to 1 if compile with quic plugin])
 fi
 
+AC_ARG_WITH([quic-ch-full-tls-ext],
+       AC_HELP_STRING([--with-quic-ch-full-tls-ext],[Extract all QUIC TLS payloads from the first client hello.]),
+       [
+       CPPFLAGS="$CPPFLAGS -DQUIC_CH_FULL_TLS_EXT"
+       ]
+)
 
 AM_CONDITIONAL(OS_CYGWIN, test x${host_os} = xcygwin)
 
@@ -402,6 +408,8 @@ AC_ARG_WITH([msects],
 )
 
 
+
+
 AM_CONDITIONAL(MAKE_RPMS, test x$RPMBUILD != x)
 
 AM_CONDITIONAL(MAKE_DEB, test x$DEBUILD != x)

diff --git a/include/ipfixprobe/ipfix-elements.hpp b/include/ipfixprobe/ipfix-elements.hpp
@@ -240,6 +240,21 @@ namespace ipxp {
 #define QUIC_SNI(F)                   F(8057,    890,  -1,   nullptr)
 #define QUIC_USER_AGENT(F)            F(8057,    891,  -1,   nullptr)
 #define QUIC_VERSION(F)               F(8057,    892,   4,   nullptr)
+#define QUIC_CLIENT_VERSION(F)        F(8057,    893,   4,   nullptr)
+#define QUIC_TOKEN_LENGTH(F)          F(8057,    894,   8,   nullptr)
+#define QUIC_OCCID(F)                 F(8057,    895,  -1,   nullptr)
+#define QUIC_OSCID(F)                 F(8057,    896,  -1,   nullptr)
+#define QUIC_SCID(F)                  F(8057,    897,  -1,   nullptr)
+#define QUIC_RETRY_SCID(F)            F(8057,    898,  -1,   nullptr)
+#define QUIC_MULTIPLEXED(F)           F(8057,    899,   1,   nullptr)
+#define QUIC_ZERO_RTT(F)              F(8057,    889,   1,   nullptr)
+#define QUIC_SERVER_PORT(F)           F(8057,    887,   2,   nullptr)
+#define QUIC_PACKETS(F)               F(0,       291,  -1,   nullptr) // BASIC LIST -- FIELD IS e8057id888 (uint16*)
+#define QUIC_CH_PARSED(F)             F(8057,    886,   1,   nullptr)
+#define QUIC_TLS_EXT_TYPE(F)          F(0,       291,  -1,   nullptr) // BASIC LIST -- FIELD IS e8057id885 (uint16*)
+#define QUIC_TLS_EXT_LEN(F)           F(0,       291,  -1,   nullptr) // BASIC LIST -- FIELD IS e8057id884 (uint16*)
+#define QUIC_TLS_EXT(F)               F(8057,    883,  -1,   nullptr)
+
 
 #define OSQUERY_PROGRAM_NAME(F)       F(8057,    852,  -1,   nullptr)
 #define OSQUERY_USERNAME(F)           F(8057,    853,  -1,   nullptr)
@@ -496,7 +511,21 @@ namespace ipxp {
 #define IPFIX_QUIC_TEMPLATE(F) \
   F(QUIC_SNI) \
   F(QUIC_USER_AGENT) \
-  F(QUIC_VERSION)
+  F(QUIC_VERSION) \
+  F(QUIC_CLIENT_VERSION) \
+  F(QUIC_TOKEN_LENGTH) \
+  F(QUIC_OCCID) \
+  F(QUIC_OSCID) \
+  F(QUIC_SCID) \
+  F(QUIC_RETRY_SCID) \
+  F(QUIC_MULTIPLEXED) \
+  F(QUIC_ZERO_RTT) \
+  F(QUIC_SERVER_PORT) \
+  F(QUIC_PACKETS) \
+  F(QUIC_CH_PARSED) \
+  F(QUIC_TLS_EXT_TYPE) \
+  F(QUIC_TLS_EXT_LEN) \
+  F(QUIC_TLS_EXT)
 
 #define IPFIX_OSQUERY_TEMPLATE(F) \
    F(OSQUERY_PROGRAM_NAME) \