SRLT vs SPLT #200

Closed
dimk1 opened this issue Sep 7, 2018 · 10 comments

@dimk1

commented Sep 7, 2018

Hello,

this might not be an issue actually, but in the json files I see the srlt value, which I can't correlate as an acronym or terminology to the documentation. Is this simply a typo for SPLT?

thanks

@bhudson33

Contributor

commented Sep 7, 2018

There is a SRLT terminology in the context of TLS. Where are you seeing the SRLT? Can you provide the options you are using with JOY and the output where you see SRLT?

@dimk1

Author

commented Sep 7, 2018

Thanks for your reply. Here is one entry in my json file. There are several of those in one tracer I'm collecting for a TLS dialogue:

```
"srlt":[{"b":165,"dir":">","ipt":0,"tp":22,"hs_types":[1],"hs_lens":[161]},{"b":89,"dir":"<","ipt":154,"tp":22,"hs_types":[2],"hs_lens":[85]},{"b":2360,"dir":"<","ipt":0,"tp":22,"hs_types":[11],"hs_lens":[2356]},{"b":331,"dir":"<","ipt":0,"tp":22,"hs_types":[12],"hs_lens":[327]},{"b":4,"dir":"<","ipt":0,"tp":22},{"b":70,"dir":">","ipt":11,"tp":22,"hs_types":[16],"hs_lens":[66]},{"b":1,"dir":">","ipt":0,"tp":20},{"b":48,"dir":">","ipt":0,"tp":22},{"b":1,"dir":"<","ipt":136,"tp":20},{"b":48,"dir":"<","ipt":0,"tp":22},{"b":464,"dir":">","ipt":4,"tp":23},{"b":32,"dir":"<","ipt":144,"tp":23},{"b":224,"dir":"<","ipt":0,"tp":23},{"b":32,"dir":"<","ipt":0,"tp":23},{"b":496,"dir":"<","ipt":0,"tp":23}]
```

What does SRLT stand for?

@bhudson33

Contributor

commented Sep 7, 2018

ok, yeah this is for the TLS interleaved packet lengths and time. You can see this in tls.c in function len_time_print_interleaved_tls. This is not a typo.

@bhudson33 bhudson33 closed this Sep 7, 2018

@dimk1

Author

commented Sep 7, 2018

Not an expert here. So can I assume this offers the same sort of information as SPLT does but tailored for the TLS negotiation only?

@banderson84

Contributor

commented Sep 7, 2018

Hi, SRLT = Sequence of Record Lengths and Times. For TLS, SPLT will have an entry for each TCP data packet, and SRLT will have an entry for each TLS record. A simple example is the TLS certificate. If the certificate record had length ~4,000, there would be a single entry in the SRLT array with length 4,000, but 3-4 SPLT entries (assuming the TCP MSS is ~1200-1400).

Another interesting example is TLS applications that send several small application_data records in a single TCP packet. SPLT would only report a single data point, but SRLT would have an entry for each record.

SPLT is obviously more generic, and it is also more efficient. SRLT does a better job at capturing how TLS applications send data.
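
To make the SRLT/SPLT difference concrete, the following added example (not part of the thread and not Joy's own code) labels each entry of the `srlt` array posted earlier in this issue and estimates how many TCP data packets, i.e. SPLT entries, the same records would occupy. It assumes that `b` excludes the 5-byte TLS record header (in the sample, `b` equals `hs_lens` + 4), that same-direction records with `ipt` 0 are written back-to-back into one TCP burst, and an MSS of 1400; the function names are hypothetical.

```python
import json
from math import ceil

# Constructed input: the "srlt" array posted earlier in this thread.
SRLT = json.loads('''[
 {"b":165,"dir":">","ipt":0,"tp":22,"hs_types":[1],"hs_lens":[161]},
 {"b":89,"dir":"<","ipt":154,"tp":22,"hs_types":[2],"hs_lens":[85]},
 {"b":2360,"dir":"<","ipt":0,"tp":22,"hs_types":[11],"hs_lens":[2356]},
 {"b":331,"dir":"<","ipt":0,"tp":22,"hs_types":[12],"hs_lens":[327]},
 {"b":4,"dir":"<","ipt":0,"tp":22},
 {"b":70,"dir":">","ipt":11,"tp":22,"hs_types":[16],"hs_lens":[66]},
 {"b":1,"dir":">","ipt":0,"tp":20}, {"b":48,"dir":">","ipt":0,"tp":22},
 {"b":1,"dir":"<","ipt":136,"tp":20}, {"b":48,"dir":"<","ipt":0,"tp":22},
 {"b":464,"dir":">","ipt":4,"tp":23}, {"b":32,"dir":"<","ipt":144,"tp":23},
 {"b":224,"dir":"<","ipt":0,"tp":23}, {"b":32,"dir":"<","ipt":0,"tp":23},
 {"b":496,"dir":"<","ipt":0,"tp":23}]''')

# IANA TLS ContentType and HandshakeType names (subset).
CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
           23: "application_data"}
HANDSHAKE = {1: "client_hello", 2: "server_hello", 11: "certificate",
             12: "server_key_exchange", 14: "server_hello_done",
             16: "client_key_exchange", 20: "finished"}
RECORD_HEADER = 5  # assumption: "b" excludes the 5-byte TLS record header

def describe(rec):
    """Label one SRLT entry, e.g. 'handshake/certificate'."""
    name = CONTENT.get(rec["tp"], "type_%d" % rec["tp"])
    hs = [HANDSHAKE.get(t, "hs_%d" % t) for t in rec.get("hs_types", [])]
    return name + ("/" + "+".join(hs) if hs else "")

def bursts(records):
    """Group records assumed written back-to-back: same dir and ipt == 0."""
    out = []
    for rec in records:
        if out and out[-1][0]["dir"] == rec["dir"] and rec["ipt"] == 0:
            out[-1].append(rec)
        else:
            out.append([rec])
    return out

def estimate_packets(records, mss=1400):
    """Per burst: (dir, SRLT entries, wire bytes, estimated SPLT entries)."""
    result = []
    for burst in bursts(records):
        wire = sum(r["b"] + RECORD_HEADER for r in burst)
        result.append((burst[0]["dir"], len(burst), wire, ceil(wire / mss)))
    return result
```

Under this model the server's first flight is four SRLT entries but about three packets, while the 15 records overall collapse to roughly eight SPLT data points; real packet counts depend on the sender's TCP behaviour.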

@dimk1

Author

commented Sep 11, 2018

Just to add some new info to the discussion, the way I call joy is via

```
joy tls=1 retrans=0 num_pkts=%s bidir=1 log=%s.log verbosity=2 dist=1 %s.pcap | gunzip > %s.json
```

so I don't set the flag splt=1 which I saw in the documentation. I was unable however to find info on the differences between SRLT and SPLT. Can someone please point to some source?

@davidmcgrew

Contributor

commented Sep 11, 2018

@dimk1

Author

commented Sep 13, 2018

There is a hole in the documentation where the TLS output should be. That’s my bad, I somehow missed the tls object when doing the documentation for the 2.0 release. The SRLT documentation should look something like this:

```
"srlt": [                # Sequence of TLS Record Lengths, Types, and Times
  {
    "hs_types": [        # handshake types appearing in this record (see https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-7)
      1
    ],
    "b": 512,            # number of bytes of data in record
    "hs_lens": [         # length of handshake in bytes
      508
    ],
    "tp": 22,            # record content type (see https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-5)
    "ipt": 0,            # number of milliseconds since last record
    "dir": ">"           # direction
  },
```

best

David

Thanks David. Do you know what the parameter tls_c_exts_kind refers to? Are you planning updated documentation where the reported tls features are explained in detail?

@davidmcgrew

Contributor

commented Sep 13, 2018

@fliphil

Contributor

commented Sep 13, 2018

Hello,

The "kind" key is present when the extension is not found in the IANA registry:
https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#tls-extensiontype-values-1
As the program looks through each of the extensions, it tries to find a human-readable string corresponding to that extension. If no such string is found, then the value for "kind" is the 2-byte hex string representing the "value" (see the IANA link above).
The following "data" key/value holds the actual data for that extension (possibly empty).

Hope that helps,
Philip
