Example on how to easily decode QUIC SNI field #45

Open
m-peko opened this issue Sep 20, 2021 · 1 comment

m-peko commented Sep 20, 2021

Hi there,

my use case is the following:

  • I get the packet bytes from the network or PCAP file
  • I would like to extract the SNI field related to the specific session that the packet belongs to
  • session management is done on my side

Is it possible? What would the example look like?

Thanks and regards


ljluestc commented Sep 5, 2023

```python
from scapy.all import IP, TCP, load_layer, rdpcap
from scapy.layers.tls.extensions import TLS_Ext_ServerName
from scapy.layers.tls.handshake import TLSClientHello

# Load scapy's TLS dissector so TCP payloads on port 443 are parsed as TLS
load_layer("tls")

# Replace these values with your actual session identification criteria
source_ip = "source_ip"
source_port = 12345
destination_ip = "destination_ip"
destination_port = 443


def extract_sni(packet):
    """Return the first server name in a TLS ClientHello, or None."""
    if packet.haslayer(TLSClientHello):
        client_hello = packet[TLSClientHello]
        # `ext` is None when the ClientHello carries no extensions
        for ext in client_hello.ext or []:
            if isinstance(ext, TLS_Ext_ServerName) and ext.servernames:
                return ext.servernames[0].servername.decode("utf-8")
    return None


def process_packet(packet):
    """Print the SNI for packets that belong to the configured session."""
    if IP in packet and TCP in packet:
        if (
            packet[IP].src == source_ip
            and packet[TCP].sport == source_port
            and packet[IP].dst == destination_ip
            and packet[TCP].dport == destination_port
        ):
            sni = extract_sni(packet)
            if sni:
                print(f"Session: {source_ip}:{source_port} -> {destination_ip}:{destination_port}")
                print(f"SNI: {sni}")
                print("=====================================")


pcap_file = "path_to_your_pcap_file.pcap"
packets = rdpcap(pcap_file)

for packet in packets:
    process_packet(packet)
```
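
In QUIC the ClientHello, and with it the SNI, is carried in CRYPTO frames inside the Initial packet, which is protected with keys derived from the client's Destination Connection ID (RFC 9001). The following is an added example, not part of the thread above or of this project's code, that performs that first step for QUIC version 1 using only the Python standard library; the function names and the sample header are constructed for illustration. Removing header protection, AES-128-GCM decryption and CRYPTO frame reassembly come after it and are not shown.

```python
import hashlib
import hmac

# QUIC version 1 Initial salt (RFC 9001, section 5.2)
INITIAL_SALT_V1 = bytes.fromhex("38762cf7f55934b34d179ae6a4c80cadccbb7f0a")


def hkdf_expand_label(secret: bytes, label: str, length: int) -> bytes:
    """TLS 1.3 HKDF-Expand-Label with SHA-256 and an empty context."""
    full = b"tls13 " + label.encode()
    info = length.to_bytes(2, "big") + bytes([len(full)]) + full + b"\x00"
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(secret, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def initial_dcid(datagram: bytes) -> bytes:
    """Return the Destination Connection ID of a QUIC v1 Initial packet."""
    if len(datagram) < 6:
        raise ValueError("too short for a QUIC long header")
    first = datagram[0]
    # Long header bit 0x80, fixed bit 0x40, packet type bits 0x30 == 0 (Initial)
    if first & 0xC0 != 0xC0 or first & 0x30 != 0x00:
        raise ValueError("not a QUIC Initial packet")
    if int.from_bytes(datagram[1:5], "big") != 1:
        raise ValueError("only QUIC version 1 is handled here")
    dcid_len = datagram[5]
    if dcid_len > 20 or len(datagram) < 6 + dcid_len:
        raise ValueError("invalid or truncated DCID")
    return datagram[6:6 + dcid_len]


def client_initial_keys(dcid: bytes) -> dict:
    """Derive the client's Initial AEAD key, IV and header-protection key."""
    # HKDF-Extract is a single HMAC keyed with the salt
    initial_secret = hmac.new(INITIAL_SALT_V1, dcid, hashlib.sha256).digest()
    client_secret = hkdf_expand_label(initial_secret, "client in", 32)
    return {
        "key": hkdf_expand_label(client_secret, "quic key", 16),
        "iv": hkdf_expand_label(client_secret, "quic iv", 12),
        "hp": hkdf_expand_label(client_secret, "quic hp", 16),
    }


# Constructed sample: start of an Initial header using the DCID from RFC 9001 Appendix A
SAMPLE_HEADER = bytes.fromhex("c300000001088394c8f03e5157080000449e")
```

The keys always come from the DCID of the client's first Initial packet, so session tracking needs to store that DCID (or the derived keys) per connection and reuse it for later Initial packets of the same session.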
