[rust] Handle non-ASCII ALPN strings (#32)

* rust: Support tshark v4.2.0 * rust: Handle non-ASCII ALPN strings Related issue: #16
FoxIO-LLC · Dec 15, 2023 · 421917f · 421917f
1 parent 2fff21b
commit 421917f
Show file tree

Hide file tree

Showing 6 changed files with 49 additions and 7 deletions.
diff --git a/pcap/tls-non-ascii-alpn.pcapng b/pcap/tls-non-ascii-alpn.pcapng
diff --git a/rust/CHANGELOG.md b/rust/CHANGELOG.md
@@ -7,6 +7,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.16.0] - 2023-12-12
+
+### Changed
+
+- Handle non-ASCII ALPN strings (#16).
+
+### Fixed
+
+- Support tshark v4.2.0.
+
 ## [0.15.2] - 2023-11-09
 
 ### Fixed
@@ -31,7 +41,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Add Rust sources of `ja4` and `ja4x` CLI tools.
 
-[unreleased]: https://github.com/FoxIO-LLC/ja4/compare/v0.15.2...HEAD
+[unreleased]: https://github.com/FoxIO-LLC/ja4/compare/v0.16.0...HEAD
+[0.16.0]: https://github.com/FoxIO-LLC/ja4/compare/v0.15.2...v0.16.0
 [0.15.2]: https://github.com/FoxIO-LLC/ja4/compare/v0.15.1...v0.15.2
 [0.15.1]: https://github.com/FoxIO-LLC/ja4/compare/v0.15.0...v0.15.1
 [0.15.0]: https://github.com/FoxIO-LLC/ja4/compare/v0.14.0...v0.15.0

diff --git a/rust/ja4/src/snapshots/[email protected] b/rust/ja4/src/snapshots/[email protected]
@@ -0,0 +1,14 @@
+---
+source: ja4/src/lib.rs
+expression: output
+---
+- stream: 0
+  transport: tcp
+  src: 192.168.1.168
+  dst: 142.251.16.94
+  src_port: 50112
+  dst_port: 443
+  tls_server_name: clientservices.googleapis.com
+  ja4: t13d151699_8daaf6152771_e5627efa2ab1
+  ja4s: t130200_1301_234ea6891581
+
diff --git a/rust/ja4/src/ssh.rs b/rust/ja4/src/ssh.rs
@@ -223,7 +223,7 @@ impl PacketCounts {
                     self.nr_ssh_server_packets += 1;
                 }
             }
-        } else if tcp.first("tcp.flags.ack")? == "1" {
+        } else if ["1", "True"].contains(&tcp.first("tcp.flags.ack")?) {
             match sender {
                 Sender::Client => self.nr_tcp_client_acks += 1,
                 Sender::Server => self.nr_tcp_server_acks += 1,

diff --git a/rust/ja4/src/time/tcp.rs b/rust/ja4/src/time/tcp.rs
@@ -210,9 +210,9 @@ impl Timestamp {
         let ack = tcp.first("tcp.flags.ack")?;
         let syn = tcp.first("tcp.flags.syn")?;
         Ok(match (syn, ack) {
-            ("1", "0") => Some(Self::Syn((t()?, Ttl::new(pkt)?))),
-            ("1", "1") => Some(Self::SynAck((t()?, Ttl::new(pkt)?))),
-            ("0", "1") => Some(Self::Ack(t()?)),
+            ("1", "0") | ("True", "False") => Some(Self::Syn((t()?, Ttl::new(pkt)?))),
+            ("1", "1") | ("True", "True") => Some(Self::SynAck((t()?, Ttl::new(pkt)?))),
+            ("0", "1") | ("False", "True") => Some(Self::Ack(t()?)),
             _ => None,
         })
     }

diff --git a/rust/ja4/src/tls.rs b/rust/ja4/src/tls.rs
@@ -584,9 +584,16 @@ fn tls_extensions_server(tls: &Proto) -> Vec<u16> {
 }
 
 fn first_last(s: &str) -> (Option<char>, Option<char>) {
+    let replace_nonascii_with_9 = |c: char| {
+        if c.is_ascii() {
+            c
+        } else {
+            '9'
+        }
+    };
     let mut chars = s.chars();
-    let first = chars.next();
-    let last = chars.next_back();
+    let first = chars.next().map(replace_nonascii_with_9);
+    let last = chars.next_back().map(replace_nonascii_with_9);
     (first, last)
 }
 
@@ -598,6 +605,16 @@ fn test_first_last() {
     assert_eq!(first_last("abc"), (Some('a'), Some('c')));
 }
 
+#[test]
+fn test_first_last_non_ascii() {
+    assert_eq!('�', char::REPLACEMENT_CHARACTER);
+    assert_eq!(first_last("�"), (Some('9'), None));
+    assert_eq!(first_last("��"), (Some('9'), Some('9')));
+    assert_eq!(first_last("�x�"), (Some('9'), Some('9')));
+    assert_eq!(first_last("x�"), (Some('x'), Some('9')));
+    assert_eq!(first_last("�x"), (Some('9'), Some('x')));
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;