slitheen/tests/ssl_stats.lua

--------------------------------------------------
-- $Header: /cvs/WIP/datcat-import/crawdad/bin/analysis/trace_stats.lua,v 1.1 2007/04/25 15:18:28 emile Exp $
-- extracts various stats (subset of crl_stats)
-- from a trace file, use like:
-- tshark -q <other opts> -Xlua_script:trace_stats.lua <trace>
-- wireshark/tshark needs to be compiled --with-lua
--------------------------------------------------

do
    ip_addr_extractor = Field.new("ip.addr")
    tcp_src_port_extractor = Field.new("tcp.srcport")
    tcp_dst_port_extractor = Field.new("tcp.dstport")
    tcp_stream_extractor = Field.new("tcp.stream")
    tls_handshake_type_extractor = Field.new("ssl.handshake.type")
    tls_content_type_extractor = Field.new("ssl.record.content_type")
    tls_ccs_extractor = Field.new("ssl.change_cipher_spec")
    icmp_type_extractor = Field.new("icmp.type")

    local function init_listener()
        local tap = Listener.new("ssl")

        local file = assert(io.open("handshake_stats", "w"))
        file:write("stream,time\n")
        file:close()
----------------------
----- stats  functions
----------------------

-- ipv4 counts
        local ipv4_src_cache = {}
        local ipv4_dst_cache = {}
        local ipv4_src_count = 0
        local ipv4_dst_count = 0
        function stats_ipv4_counts(pinfo,tvb)
            local ip_src
            local ip_dst
            ip_src, ip_dst = ip_addr_extractor()
            if ( ip_src ) then 
                if (not ipv4_src_cache[ tostring(ip_src) ] == true ) then
                    ipv4_src_cache[ tostring(ip_src) ] = true 
                    ipv4_src_count = ipv4_src_count + 1
                else
                     -- print("src already recorded")
                end

            else 
                -- print("NO src") 
            end
            if ( ip_dst ) then 
                if (not ipv4_dst_cache[ tostring(ip_dst) ] == true ) then
                    ipv4_dst_cache[ tostring(ip_dst) ] = true 
                    ipv4_dst_count = ipv4_dst_count + 1
                else
                    -- print("dst already recorded")
                end
            else 
                -- print("NO dst") 
            end
        end

-- tcp stream counts
        local tcp_stream_cache = {}
        local tcp_stream_count = 0
        function stats_stream_counts(pinfo,tvb)
            local stream
            local sport, dport, saddr, daddr
            stream = tcp_stream_extractor()
            saddr, daddr = ip_addr_extractor()
            sport = tcp_src_port_extractor()
            dport = tcp_dst_port_extractor()
            
            if ( stream ) then 
                if (not tcp_stream_cache[ tostring(stream) ] == true ) then
                    tcp_stream_cache[ tostring(stream) ] = true 
                    tcp_stream_count = tcp_stream_count + 1
                    print("Stream #" .. tostring(tcp_stream_count) .. " | " .. tostring(saddr) .. ":" .. tostring(sport) .. " > " .. tostring(daddr) .. ":" .. tostring(dport) )
                else
                     -- print("stream already recorded")
                end

            else 
                -- print("NO stream") 
            end
        end


-- ssl stats
        local tls_src_starts = {}
        local tls_ccs_cache = {}
        function stats_tls_handshake(pinfo, tvb)
            local hs_type, rec_type, ccs, stream
            hs_type = tls_handshake_type_extractor()
            ccs = tls_ccs_extractor()
            stream = tcp_stream_extractor()
            if(hs_type) then
                local type_string
                type_string = tostring(hs_type)
                if(type_string == "1") then
                    print("Start time for stream #" .. tostring(stream) .. " is " .. tostring(pinfo.abs_ts))
                    tls_src_starts[ tostring(stream) ] = pinfo.abs_ts
                end

            end
            if(ccs) then
                if (not tls_ccs_cache[ tostring(stream) ] == true ) then
                    tls_ccs_cache[ tostring(stream) ] = true 
                    print("Received 1st CCS for stream #" .. tostring(stream))
                else
                    if( tls_src_starts[ tostring(stream)] ) then
                        -- We have received both CCS and Finished messages
                        local hs_time = pinfo.abs_ts - tls_src_starts[ tostring(stream)] 
                        print("Total handshake time: " .. tostring(hs_time) )
                        local file = assert(io.open("handshake_stats", "a"))
                        file:write(tostring(stream) .. "," .. tostring(hs_time) .. "\n")
                        file:close()

                    end
                end
            end
            

                
        end

-- start/end times
        local start_time
        local end_time
        function stats_start_end_times(pinfo)
            if (not start_time) then
                start_time =  pinfo.abs_ts
                end_time  =  pinfo.abs_ts
            else
                if ( start_time > pinfo.abs_ts ) then start_time = pinfo.abs_ts end
                if ( end_time < pinfo.abs_ts  ) then end_time = pinfo.abs_ts end
            end
        end

-------------------
----- tap functions
-------------------
        function tap.reset()
        end

        function tap.packet(pinfo,tvb,ip)
            stats_ipv4_counts(pinfo,tvb)
            stats_stream_counts(pinfo,tvb)
            stats_start_end_times(pinfo)
            stats_tls_handshake(pinfo, tvb)
        end

        function tap.draw()
            print("=== extra stats ===================================================")
            print("start_time: " .. start_time )
            print("end_time: " .. end_time )
            print("ipv4_src_address_count: " .. ipv4_src_count ) 
            print("ipv4_dst_address_count: " .. ipv4_dst_count )
            print("tcp_stream_count: " .. tcp_stream_count )
            print("===================================================================")
        end
    end

    init_listener()
end