David FifieldPage to keep notes about the fingerprintability of WebRTC, relevant to the Snowflake pluggable transport.
Tech report "Fingerprintability of WebRTC" by David Fifield and Mia Gil Epner: https://arxiv.org/abs/1605.08805.
Tech report "Evaluating Snowflake as an Indistinguishable Censorship Circumvention Tool" by Kyle MacMillan, Jordan Holland, and Prateek Mittal: https://arxiv.org/abs/2008.03254. See also Section 7 of "nPrint: A Standard Data Representation for Network Traffic Analysis": https://arxiv.org/abs/2008.02695.
An analysis of use of WebRTC by some mobile apps: https://andyet.com/webrtc-reports/.
Analysis of DTLS-SRTP and DTLS-SCTP in Twilio and Wire: https://www.gremwell.com/node/954
Potential identifying features:
- STUN: USERNAME attribute, free-form text.
- STUN: optional FINGERPRINT attribute.
- STUN: optional(?) SOFTWARE attribute.
- STUN attributes in general: their type and order.
- DTLS: client ciphersuites (type and order).
- DTLS: client extensions (type and order).
- DTLS: server extensions (type and order).
- DTLS: certificate validity period. DNS seems like no big deal? Other layers to look at?
Data channels use DTLS while non-data (media, video) use SRTP. WebRTC Data Channels: "In the WebRTC framework, communication between the parties consists of media (for example audio and video) and non-media data. Media is sent using SRTP, and is not specified further here. Non-media data is handled by using SCTP [RFC4960] encapsulated in DTLS." Web Real-Time Communication (WebRTC): Media Transport and Use of RTP
Bro script to fingerprint DTLS
https://github.com/miagilepner/DTLS-fingerprint
Snowflake Dissections
The GitLab wiki does not support background colors, which were used to highlight common parts of packet dissections. You may want to refer to the archived Trac wiki page.
DTLS
The unknown (0x0017) extension is present in all DTLS communication and is concerning. Looks like 0x0017 is extended master secret.
Datagram Transport Layer Security
DTLSv1.0 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 0
Length: 110
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 98
Message Sequence: 0
Fragment Offset: 0
Fragment Length: 98
Version: DTLS 1.0 (0xfeff)
Random
GMT Unix Time: Nov 15, 2056 17:39:12.000000000 PST
Random Bytes: 061231403fafc5f8592806c668f47fd7c8723693e723f3d6...
Session ID Length: 0
Cookie Length: 0
Cipher Suites Length: 18
Cipher Suites (9 suites)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 38
Extension: renegotiation_info
Type: renegotiation_info (0xff01)
Length: 1
Renegotiation Info extension
Renegotiation info extension length: 0
Extension: Unknown 23
Type: Unknown (0x0017)
Length: 0
Data (0 bytes)
Extension: SessionTicket TLS
Type: SessionTicket TLS (0x0023)
Length: 0
Data (0 bytes)
Extension: use_srtp
Type: use_srtp (0x000e)
Length: 5
Data (5 bytes)
Extension: ec_point_formats
Type: ec_point_formats (0x000b)
Length: 2
EC point formats Length: 1
Elliptic curves point formats (1)
EC point format: uncompressed (0)
Extension: elliptic_curves
Type: elliptic_curves (0x000a)
Length: 6
Elliptic Curves Length: 4
Elliptic curves (2 curves)
Elliptic curve: secp256r1 (0x0017)
Elliptic curve: secp384r1 (0x0018)
Datagram Transport Layer Security
DTLSv1.0 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 0
Length: 80
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 68
Message Sequence: 0
Fragment Offset: 0
Fragment Length: 68
Version: DTLS 1.0 (0xfeff)
Random
GMT Unix Time: Feb 3, 2016 12:40:26.000000000 PST
Random Bytes: 77a5a5590ca7147b4130e4f92bc6de09954c7ba9b8e00753...
Session ID Length: 0
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Compression Method: null (0)
Extensions Length: 28
Extension: renegotiation_info
Type: renegotiation_info (0xff01)
Length: 1
Renegotiation Info extension
Renegotiation info extension length: 0
Extension: Unknown 23
Type: Unknown (0x0017)
Length: 0
Data (0 bytes)
Extension: SessionTicket TLS
Type: SessionTicket TLS (0x0023)
Length: 0
Data (0 bytes)
Extension: use_srtp
Type: use_srtp (0x000e)
Length: 5
Data (5 bytes)
Extension: ec_point_formats
Type: ec_point_formats (0x000b)
Length: 2
EC point formats Length: 1
Elliptic curves point formats (1)
EC point format: uncompressed (0)
DTLSv1.0 Record Layer: Handshake Protocol: Certificate
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 1
Length: 431
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 419
Message Sequence: 1
Fragment Offset: 0
Fragment Length: 419
Certificates Length: 416
Certificates (416 bytes)
Certificate Length: 413
Certificate (id-at-commonName=WebRTC)
signedCertificate
serialNumber: -199448578203076297
signature (sha256WithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
issuer: rdnSequence (0)
rdnSequence: 1 item (id-at-commonName=WebRTC)
RDNSequence item: 1 item (id-at-commonName=WebRTC)
RelativeDistinguishedName item (id-at-commonName=WebRTC)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: uTF8String (4)
uTF8String: WebRTC
validity
notBefore: utcTime (0)
utcTime: 16-02-02 20:40:24 (UTC)
notAfter: utcTime (0)
utcTime: 16-03-04 20:40:24 (UTC)
subject: rdnSequence (0)
rdnSequence: 1 item (id-at-commonName=WebRTC)
RDNSequence item: 1 item (id-at-commonName=WebRTC)
RelativeDistinguishedName item (id-at-commonName=WebRTC)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: uTF8String (4)
uTF8String: WebRTC
subjectPublicKeyInfo
algorithm (rsaEncryption)
Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
Padding: 0
subjectPublicKey: 30818902818100f80b20502afafd6ce3c2da226231dc04b3...
algorithmIdentifier (sha256WithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
Padding: 0
encrypted: 8ad10f58e3bd116f2d44632775018cde8e5bc51acb4dc914...
DTLSv1.0 Record Layer: Handshake Protocol: Server Key Exchange
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 2
Length: 211
Handshake Protocol: Server Key Exchange
Handshake Type: Server Key Exchange (12)
Length: 199
Message Sequence: 2
Fragment Offset: 0
Fragment Length: 199
EC Diffie-Hellman Server Params
Curve Type: named_curve (0x03)
Named Curve: secp256r1 (0x0017)
Pubkey Length: 65
Pubkey: 04042d88c974e3c5aead9b9602e16be7eee110a5bf5b6c07...
Signature Length: 128
Signature: 2921d3af691af98af3988b518416caaef54e2cda54f0694f...
DTLSv1.0 Record Layer: Handshake Protocol: Certificate Request
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 3
Length: 17
Handshake Protocol: Certificate Request
Handshake Type: Certificate Request (13)
Length: 5
Message Sequence: 3
Fragment Offset: 0
Fragment Length: 5
Certificate types count: 2
Certificate types (2 types)
Certificate type: RSA Sign (1)
Certificate type: ECDSA Sign (64)
Distinguished Names Length: 0
DTLSv1.0 Record Layer: Handshake Protocol: Server Hello Done
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 4
Length: 12
Handshake Protocol: Server Hello Done
Handshake Type: Server Hello Done (14)
Length: 0
Message Sequence: 4
Fragment Offset: 0
Fragment Length: 0
Datagram Transport Layer Security
DTLSv1.0 Record Layer: Handshake Protocol: Certificate
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 1
Length: 431
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 419
Message Sequence: 1
Fragment Offset: 0
Fragment Length: 419
Certificates Length: 416
Certificates (416 bytes)
Certificate Length: 413
Certificate (id-at-commonName=WebRTC)
signedCertificate
version: v3 (2)
serialNumber: 968514978
signature (sha256WithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
issuer: rdnSequence (0)
rdnSequence: 1 item (id-at-commonName=WebRTC)
RDNSequence item: 1 item (id-at-commonName=WebRTC)
RelativeDistinguishedName item (id-at-commonName=WebRTC)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: uTF8String (4)
uTF8String: WebRTC
validity
notBefore: utcTime (0)
utcTime: 16-01-27 21:22:56 (UTC)
notAfter: utcTime (0)
utcTime: 16-02-26 21:22:56 (UTC)
subject: rdnSequence (0)
rdnSequence: 1 item (id-at-commonName=WebRTC)
RDNSequence item: 1 item (id-at-commonName=WebRTC)
RelativeDistinguishedName item (id-at-commonName=WebRTC)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: uTF8String (4)
uTF8String: WebRTC
subjectPublicKeyInfo
algorithm (rsaEncryption)
Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
Padding: 0
subjectPublicKey: 30818902818100c6d0e52fb7906d54726fff0d4d5a611a5d...
algorithmIdentifier (sha256WithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
Padding: 0
encrypted: 3787bcc099fd7d1fede13e633b79de93aedc62336b6e8ef0...
DTLSv1.0 Record Layer: Handshake Protocol: Client Key Exchange
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 2
Length: 78
Handshake Protocol: Client Key Exchange
Handshake Type: Client Key Exchange (16)
Length: 66
Message Sequence: 2
Fragment Offset: 0
Fragment Length: 66
EC Diffie-Hellman Client Params
Pubkey Length: 65
Pubkey: 04be8aed734fd935d017b11d9e0d36401989a9a535bbe9ab...
DTLSv1.0 Record Layer: Handshake Protocol: Certificate Verify
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 3
Length: 142
Handshake Protocol: Certificate Verify
Handshake Type: Certificate Verify (15)
Length: 130
Message Sequence: 3
Fragment Offset: 0
Fragment Length: 130
DTLSv1.0 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
Content Type: Change Cipher Spec (20)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 4
Length: 1
Change Cipher Spec Message
Record Layer
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 1
Sequence Number: 0
Length: 64
Handshake Protocol
Datagram Transport Layer Security
DTLSv1.0 Record Layer: Handshake Protocol: New Session Ticket
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 5
Length: 610
Handshake Protocol: New Session Ticket
Handshake Type: New Session Ticket (4)
Length: 598
Message Sequence: 5
Fragment Offset: 0
Fragment Length: 598
TLS Session Ticket
Session Ticket Lifetime Hint: 7200
Session Ticket Length: 592
Session Ticket: aeb7218d071c2610c61f708141dcb625c90ae8703c1aaf1b...
DTLSv1.0 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
Content Type: Change Cipher Spec (20)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 6
Length: 1
Change Cipher Spec Message
Record Layer
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 1
Sequence Number: 0
Length: 64
Handshake Protocol
STUN
Session Traversal Utilities for NAT
[Response In: 2]
Message Type: 0x0001 (Binding Request)
.... ...0 ...0 .... = Message Class: 0x0000
[Request (0)]
..00 000. 000. 0001 = Message Method: 0x0001
[Binding (0x001)]
..0. .... .... .... = Message Method Assignment: 0x0000
[IETF Review (0)]
Message Length: 0
Message Cookie: 2112a442
Message Transaction ID: 4734332b507130774f7a2b31
Session Traversal Utilities for NAT
[Request In: 1]
[Time: 0.071000000 seconds]
Message Type: 0x0101 (Binding Success Response)
.... ...1 ...0 .... = Message Class: 0x0010
[Success Response (2)]
..00 000. 000. 0001 = Message Method: 0x0001
[Binding (0x001)]
..0. .... .... .... = Message Method Assignment: 0x0000
[IETF Review (0)]
Message Length: 12
Message Cookie: 2112a442
Message Transaction ID: 4734332b507130774f7a2b31
Attributes
XOR-MAPPED-ADDRESS: 192.0.2.10:56631
Attribute Type: XOR-MAPPED-ADDRESS (0x0020)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 8
Reserved: 00
Protocol Family: IPv4 (0x01)
Port (XOR-d): fc25
[Port: 56631]
IP (XOR-d): 83fcba14
[IP: 192.0.2.10 (192.0.2.10)]
Session Traversal Utilities for NAT
[Response In: 13]
Message Type: 0x0001 (Binding Request)
.... ...0 ...0 .... = Message Class: 0x0000
[Request (0)]
..00 000. 000. 0001 = Message Method: 0x0001
[Binding (0x001)]
..0. .... .... .... = Message Method Assignment: 0x0000
[IETF Review (0)]
Message Length: 96
Message Cookie: 2112a442
Message Transaction ID: 6152536e75732b364a494538
Attributes
USERNAME: kobaHqEbY+V1ziVB:T+bbk5iYxqr95mKy
Attribute Type: USERNAME (0x0006)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 33
Username: kobaHqEbY+V1ziVB:T+bbk5iYxqr95mKy
Padding: 3
ICE-CONTROLLING
Attribute Type: ICE-CONTROLLING (0x802a)
1... .... .... .... = Attribute Type Comprehension: 0x0001
[Optional (1)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 8
Tie breaker: 9ef84ba2fafac8a8
USE-CANDIDATE
Attribute Type: USE-CANDIDATE (0x0025)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 0
PRIORITY
Attribute Type: PRIORITY (0x0024)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 4
Priority: 1853759231
MESSAGE-INTEGRITY
Attribute Type: MESSAGE-INTEGRITY (0x0008)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 20
HMAC-SHA1: 66f748838e0a05e60fc56e3345937ad40f19221c
FINGERPRINT
Attribute Type: FINGERPRINT (0x8028)
1... .... .... .... = Attribute Type Comprehension: 0x0001
[Optional (1)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 4
CRC-32: 0x76c1aa8f
Session Traversal Utilities for NAT
[Request In: 3]
[Time: 0.290224000 seconds]
Message Type: 0x0101 (Binding Success Response)
.... ...1 ...0 .... = Message Class: 0x0010
[Success Response (2)]
..00 000. 000. 0001 = Message Method: 0x0001
[Binding (0x001)]
..0. .... .... .... = Message Method Assignment: 0x0000
[IETF Review (0)]
Message Length: 44
Message Cookie: 2112a442
Message Transaction ID: 6152536e75732b364a494538
Attributes
XOR-MAPPED-ADDRESS: 192.0.2.10:56631
Attribute Type: XOR-MAPPED-ADDRESS (0x0020)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 8
Reserved: 00
Protocol Family: IPv4 (0x01)
Port (XOR-d): fc25
[Port: 56631]
IP (XOR-d): 83fcba14
[IP: 192.0.2.10 (192.0.2.10)]
MESSAGE-INTEGRITY
Attribute Type: MESSAGE-INTEGRITY (0x0008)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 20
HMAC-SHA1: aac12f05a0635a534e794e7c6273ea6a5c2945ed
FINGERPRINT
Attribute Type: FINGERPRINT (0x8028)
1... .... .... .... = Attribute Type Comprehension: 0x0001
[Optional (1)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 4
CRC-32: 0x69ae371e
Session Traversal Utilities for NAT
[Response In: 5]
Message Type: 0x0001 (Binding Request)
.... ...0 ...0 .... = Message Class: 0x0000
[Request (0)]
..00 000. 000. 0001 = Message Method: 0x0001
[Binding (0x001)]
..0. .... .... .... = Message Method Assignment: 0x0000
[IETF Review (0)]
Message Length: 92
Message Cookie: 2112a442
Message Transaction ID: 6e2b51714d6e734250714a48
Attributes
USERNAME: T+bbk5iYxqr95mKy:kobaHqEbY+V1ziVB
Attribute Type: USERNAME (0x0006)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 33
Username: T+bbk5iYxqr95mKy:kobaHqEbY+V1ziVB
Padding: 3
ICE-CONTROLLED
Attribute Type: ICE-CONTROLLED (0x8029)
1... .... .... .... = Attribute Type Comprehension: 0x0001
[Optional (1)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 8
Tie breaker: 4e2bfda493c8265e
PRIORITY
Attribute Type: PRIORITY (0x0024)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 4
Priority: 1853824767
MESSAGE-INTEGRITY
Attribute Type: MESSAGE-INTEGRITY (0x0008)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 20
HMAC-SHA1: d09add55f86f6d1780afd4b9ab4780fe1350ef1e
FINGERPRINT
Attribute Type: FINGERPRINT (0x8028)
1... .... .... .... = Attribute Type Comprehension: 0x0001
[Optional (1)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 4
CRC-32: 0x969a56c0
Session Traversal Utilities for NAT
[Request In: 4]
[Time: 0.000331000 seconds]
Message Type: 0x0101 (Binding Success Response)
.... ...1 ...0 .... = Message Class: 0x0010
[Success Response (2)]
..00 000. 000. 0001 = Message Method: 0x0001
[Binding (0x001)]
..0. .... .... .... = Message Method Assignment: 0x0000
[IETF Review (0)]
Message Length: 44
Message Cookie: 2112a442
Message Transaction ID: 6e2b51714d6e734250714a48
Attributes
XOR-MAPPED-ADDRESS: 199.241.201.138:51749
Attribute Type: XOR-MAPPED-ADDRESS (0x0020)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 8
Reserved: 00
Protocol Family: IPv4 (0x01)
Port (XOR-d): eb37
[Port: 51749]
IP (XOR-d): e6e36dc8
[IP: 199.241.201.138 (199.241.201.138)]
MESSAGE-INTEGRITY
Attribute Type: MESSAGE-INTEGRITY (0x0008)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 20
HMAC-SHA1: e61427b2b55c60c2d135262e947bdfe26f2c0f9b
FINGERPRINT
Attribute Type: FINGERPRINT (0x8028)
1... .... .... .... = Attribute Type Comprehension: 0x0001
[Optional (1)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 4
CRC-32: 0xca4bdcce
OpenTokRTC Dissections
These are of https://opentokrtc.com/
The GitLab wiki does not support background colors, which were used to highlight common parts of packet dissections. You may want to refer to the archived Trac wiki page.
DNS
DNS Queries (A and AAAA).
Domain Name System (query)
Transaction ID: 0x75f7
Flags: 0x0100 Standard query
0... .... .... .... = Response: Message is a query
.000 0... .... .... = Opcode: Standard query (0)
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... .0.. .... = Z: reserved (0)
.... .... ...0 .... = Non-authenticated data: Unacceptable
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 0
Queries
mantis004-sjc.tokbox.com: type A, class IN
Name: mantis004-sjc.tokbox.com
[Name Length: 24]
[Label Count: 3]
Type: A (Host Address) (1)
Class: IN (0x0001)
Domain Name System (query)
Transaction ID: 0xecea
Flags: 0x0100 Standard query
0... .... .... .... = Response: Message is a query
.000 0... .... .... = Opcode: Standard query (0)
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... .0.. .... = Z: reserved (0)
.... .... ...0 .... = Non-authenticated data: Unacceptable
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 0
Queries
mantis004-sjc.tokbox.com: type AAAA, class IN
Name: mantis004-sjc.tokbox.com
[Name Length: 24]
[Label Count: 3]
Type: AAAA (IPv6 Address) (28)
Class: IN (0x0001)
DNS Responses (A and AAAA).
Domain Name System (response)
Transaction ID: 0x75f7
Flags: 0x8180 Standard query response, No error
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .0.. .... .... = Authoritative: Server is not an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... 1... .... = Recursion available: Server can do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... ...0 .... = Non-authenticated data: Unacceptable
.... .... .... 0000 = Reply code: No error (0)
Questions: 1
Answer RRs: 1
Authority RRs: 0
Additional RRs: 0
Queries
mantis004-sjc.tokbox.com: type A, class IN
Name: mantis004-sjc.tokbox.com
[Name Length: 24]
[Label Count: 3]
Type: A (Host Address) (1)
Class: IN (0x0001)
Answers
mantis004-sjc.tokbox.com: type A, class IN, addr 74.201.205.3
Name: mantis004-sjc.tokbox.com
Type: A (Host Address) (1)
Class: IN (0x0001)
Time to live: 7200
Data length: 4
Address: mantis004-sjc.tokbox.com (74.201.205.3)
Domain Name System (response)
Transaction ID: 0xecea
Flags: 0x8180 Standard query response, No error
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .0.. .... .... = Authoritative: Server is not an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... 1... .... = Recursion available: Server can do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... ...0 .... = Non-authenticated data: Unacceptable
.... .... .... 0000 = Reply code: No error (0)
Questions: 1
Answer RRs: 0
Authority RRs: 1
Additional RRs: 0
Queries
mantis004-sjc.tokbox.com: type AAAA, class IN
Name: mantis004-sjc.tokbox.com
[Name Length: 24]
[Label Count: 3]
Type: AAAA (IPv6 Address) (28)
Class: IN (0x0001)
Authoritative nameservers
tokbox.com: type SOA, class IN, mname ns1.p20.dynect.net
Name: tokbox.com
Type: SOA (Start Of a zone of Authority) (6)
Class: IN (0x0001)
Time to live: 60
Data length: 46
Primary name server: ns1.p20.dynect.net
Responsible authority's mailbox: ops.tokbox.com
Serial Number: 2785
Refresh Interval: 3600 (1 hour)
Retry Interval: 600 (10 minutes)
Expire limit: 604800 (7 days)
Minimum TTL: 60 (1 minute)
DTLS
Firefox
Client hello, using DTLSv1.0, offers 73 cipher suites and 58 elliptic curves. (dcf: wow, look at all the trash ciphersuites: anon/EXPORT/NULL. Whatever this is looks pretty insecure.)
Datagram Transport Layer Security
DTLSv1.0 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 0
Length: 284
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 272
Message Sequence: 0
Fragment Offset: 0
Fragment Length: 272
Version: DTLS 1.0 (0xfeff)
Random
GMT Unix Time: Oct 24, 2033 15:10:17.000000000 PDT
Random Bytes: 72f6edee1c5b0c9339761f8a4397d9e4cba5811856849cc6...
Session ID Length: 0
Cookie Length: 0
Cipher Suites Length: 146
Cipher Suites (73 suites)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_DH_RSA_WITH_AES_256_CBC_SHA (0x0037)
Cipher Suite: TLS_DH_DSS_WITH_AES_256_CBC_SHA (0x0036)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)
Cipher Suite: TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0086)
Cipher Suite: TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0085)
Cipher Suite: TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019)
Cipher Suite: TLS_DH_anon_WITH_AES_256_CBC_SHA (0x003a)
Cipher Suite: TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA (0x0089)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_DH_RSA_WITH_AES_128_CBC_SHA (0x0031)
Cipher Suite: TLS_DH_DSS_WITH_AES_128_CBC_SHA (0x0030)
Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a)
Cipher Suite: TLS_DHE_DSS_WITH_SEED_CBC_SHA (0x0099)
Cipher Suite: TLS_DH_RSA_WITH_SEED_CBC_SHA (0x0098)
Cipher Suite: TLS_DH_DSS_WITH_SEED_CBC_SHA (0x0097)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)
Cipher Suite: TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0043)
Cipher Suite: TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0042)
Cipher Suite: TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018)
Cipher Suite: TLS_DH_anon_WITH_AES_128_CBC_SHA (0x0034)
Cipher Suite: TLS_DH_anon_WITH_SEED_CBC_SHA (0x009b)
Cipher Suite: TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA (0x0046)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
Cipher Suite: TLS_RSA_WITH_IDEA_CBC_SHA (0x0007)
Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA (0x0010)
Cipher Suite: TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA (0x000d)
Cipher Suite: TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017)
Cipher Suite: TLS_DH_anon_WITH_3DES_EDE_CBC_SHA (0x001b)
Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
Cipher Suite: TLS_DH_RSA_WITH_DES_CBC_SHA (0x000f)
Cipher Suite: TLS_DH_DSS_WITH_DES_CBC_SHA (0x000c)
Cipher Suite: TLS_DH_anon_WITH_DES_CBC_SHA (0x001a)
Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014)
Cipher Suite: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011)
Cipher Suite: TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA (0x000e)
Cipher Suite: TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA (0x000b)
Cipher Suite: TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA (0x0019)
Cipher Suite: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)
Cipher Suite: TLS_ECDHE_RSA_WITH_NULL_SHA (0xc010)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_NULL_SHA (0xc006)
Cipher Suite: TLS_ECDH_anon_WITH_NULL_SHA (0xc015)
Cipher Suite: TLS_ECDH_RSA_WITH_NULL_SHA (0xc00b)
Cipher Suite: TLS_ECDH_ECDSA_WITH_NULL_SHA (0xc001)
Cipher Suite: TLS_RSA_WITH_NULL_SHA (0x0002)
Cipher Suite: TLS_RSA_WITH_NULL_MD5 (0x0001)
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 84
Extension: ec_point_formats
Type: ec_point_formats (0x000b)
Length: 4
EC point formats Length: 3
Elliptic curves point formats (3)
EC point format: uncompressed (0)
EC point format: ansiX962_compressed_prime (1)
EC point format: ansiX962_compressed_char2 (2)
Extension: elliptic_curves
Type: elliptic_curves (0x000a)
Length: 58
Elliptic Curves Length: 56
Elliptic curves (28 curves)
Elliptic curve: sect571r1 (0x000e)
Elliptic curve: sect571k1 (0x000d)
Elliptic curve: secp521r1 (0x0019)
Elliptic curve: brainpoolP512r1 (0x001c)
Elliptic curve: sect409k1 (0x000b)
Elliptic curve: sect409r1 (0x000c)
Elliptic curve: brainpoolP384r1 (0x001b)
Elliptic curve: secp384r1 (0x0018)
Elliptic curve: sect283k1 (0x0009)
Elliptic curve: sect283r1 (0x000a)
Elliptic curve: brainpoolP256r1 (0x001a)
Elliptic curve: secp256k1 (0x0016)
Elliptic curve: secp256r1 (0x0017)
Elliptic curve: sect239k1 (0x0008)
Elliptic curve: sect233k1 (0x0006)
Elliptic curve: sect233r1 (0x0007)
Elliptic curve: secp224k1 (0x0014)
Elliptic curve: secp224r1 (0x0015)
Elliptic curve: sect193r1 (0x0004)
Elliptic curve: sect193r2 (0x0005)
Elliptic curve: secp192k1 (0x0012)
Elliptic curve: secp192r1 (0x0013)
Elliptic curve: sect163k1 (0x0001)
Elliptic curve: sect163r1 (0x0002)
Elliptic curve: sect163r2 (0x0003)
Elliptic curve: secp160k1 (0x000f)
Elliptic curve: secp160r1 (0x0010)
Elliptic curve: secp160r2 (0x0011)
Extension: Heartbeat
Type: Heartbeat (0x000f)
Length: 1
Mode: Peer allowed to send requests (1)
Extension: use_srtp
Type: use_srtp (0x000e)
Length: 5
Data (5 bytes)
The server hello chooses 0xc00a cipher suite. The certificate exchanged at this point includes no information about the service being used. (dcf: I'm not familiar with this protocol. Check out how the first certificate has only a one-month validity period.)
Datagram Transport Layer Security
DTLSv1.0 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 0
Length: 104
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 92
Message Sequence: 0
Fragment Offset: 0
Fragment Length: 92
Version: DTLS 1.0 (0xfeff)
Random
GMT Unix Time: Aug 12, 2005 06:36:11.000000000 PDT
Random Bytes: da72433e51531543ee4e5c449700d9e055e912fc34fd5909...
Session ID Length: 32
Session ID (32 bytes)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Compression Method: null (0)
Extensions Length: 20
Extension: ec_point_formats
Type: ec_point_formats (0x000b)
Length: 2
EC point formats Length: 1
Elliptic curves point formats (1)
EC point format: uncompressed (0)
Extension: use_srtp
Type: use_srtp (0x000e)
Length: 5
Data (5 bytes)
Extension: renegotiation_info
Type: renegotiation_info (0xff01)
Length: 1
Renegotiation Info extension
Renegotiation info extension length: 0
DTLSv1.0 Record Layer: Handshake Protocol: Certificate
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 1
Length: 286
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 274
Message Sequence: 1
Fragment Offset: 0
Fragment Length: 274
Certificates Length: 271
Certificates (271 bytes)
Certificate Length: 268
Certificate (id-at-commonName=2)
signedCertificate
version: v3 (2)
serialNumber: 3260359887
signature (iso.2.840.10045.4.3.2)
Algorithm Id: 1.2.840.10045.4.3.2 (iso.2.840.10045.4.3.2)
issuer: rdnSequence (0)
rdnSequence: 1 item (id-at-commonName=2)
RDNSequence item: 1 item (id-at-commonName=2)
RelativeDistinguishedName item (id-at-commonName=2)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: 2
validity
notBefore: utcTime (0)
utcTime: 16-01-19 22:38:13 (UTC)
notAfter: utcTime (0)
utcTime: 16-02-19 22:38:13 (UTC)
subject: rdnSequence (0)
rdnSequence: 1 item (id-at-commonName=2)
RDNSequence item: 1 item (id-at-commonName=2)
RelativeDistinguishedName item (id-at-commonName=2)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: 2
subjectPublicKeyInfo
algorithm (id-ecPublicKey)
Algorithm Id: 1.2.840.10045.2.1 (id-ecPublicKey)
ECParameters: namedCurve (0)
namedCurve: 1.2.840.10045.3.1.7 (secp256r1)
Padding: 0
subjectPublicKey: 0453da6b9d9a4102960e077401f869db015bdaac4ce49a6c...
algorithmIdentifier (iso.2.840.10045.4.3.2)
Algorithm Id: 1.2.840.10045.4.3.2 (iso.2.840.10045.4.3.2)
Padding: 0
encrypted: 304502201062d3fb7b493022779e796399ab20442545c59a...
DTLSv1.0 Record Layer: Handshake Protocol: Server Key Exchange
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 2
Length: 154
Handshake Protocol: Server Key Exchange
Handshake Type: Server Key Exchange (12)
Length: 142
Message Sequence: 2
Fragment Offset: 0
Fragment Length: 142
EC Diffie-Hellman Server Params
Curve Type: named_curve (0x03)
Named Curve: secp256r1 (0x0017)
Pubkey Length: 65
Pubkey: 04094aba540abe15421362f07eddab781d1f7e766ad5cb83...
Signature Length: 71
Signature: 304502202b2ec5c601f846c295af8033308a973f617f4f19...
DTLSv1.0 Record Layer: Handshake Protocol: Certificate Request
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 3
Length: 18
Handshake Protocol: Certificate Request
Handshake Type: Certificate Request (13)
Length: 6
Message Sequence: 3
Fragment Offset: 0
Fragment Length: 6
Certificate types count: 3
Certificate types (3 types)
Certificate type: RSA Sign (1)
Certificate type: ECDSA Sign (64)
Certificate type: DSS Sign (2)
Distinguished Names Length: 0
DTLSv1.0 Record Layer: Handshake Protocol: Server Hello Done
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 4
Length: 12
Handshake Protocol: Server Hello Done
Handshake Type: Server Hello Done (14)
Length: 0
Message Sequence: 4
Fragment Offset: 0
Fragment Length: 0
Then another certificate exchange with a revealing certificate, describing the STUN server:
Datagram Transport Layer Security
DTLSv1.0 Record Layer: Handshake Protocol: Certificate
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 1
Length: 603
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 591
Message Sequence: 1
Fragment Offset: 0
Fragment Length: 591
Certificates Length: 588
Certificates (588 bytes)
Certificate Length: 585
Certificate (id-at-commonName=mantis.tokbox.com,id-at-organizationName=Tokbox,id-at-localityName=San Francisco,id-at-stateOrProvinceName=California,id-at-countryName=US)
signedCertificate
serialNumber: -267696997996496148
signature (shaWithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.5 (shaWithRSAEncryption)
issuer: rdnSequence (0)
rdnSequence: 5 items (id-at-commonName=mantis.tokbox.com,id-at-organizationName=Tokbox,id-at-localityName=San Francisco,id-at-stateOrProvinceName=California,id-at-countryName=US)
RDNSequence item: 1 item (id-at-countryName=US)
RelativeDistinguishedName item (id-at-countryName=US)
Id: 2.5.4.6 (id-at-countryName)
CountryName: US
RDNSequence item: 1 item (id-at-stateOrProvinceName=California)
RelativeDistinguishedName item (id-at-stateOrProvinceName=California)
Id: 2.5.4.8 (id-at-stateOrProvinceName)
DirectoryString: printableString (1)
printableString: California
RDNSequence item: 1 item (id-at-localityName=San Francisco)
RelativeDistinguishedName item (id-at-localityName=San Francisco)
Id: 2.5.4.7 (id-at-localityName)
DirectoryString: printableString (1)
printableString: San Francisco
RDNSequence item: 1 item (id-at-organizationName=Tokbox)
RelativeDistinguishedName item (id-at-organizationName=Tokbox)
Id: 2.5.4.10 (id-at-organizationName)
DirectoryString: printableString (1)
printableString: Tokbox
RDNSequence item: 1 item (id-at-commonName=mantis.tokbox.com)
RelativeDistinguishedName item (id-at-commonName=mantis.tokbox.com)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: mantis.tokbox.com
validity
notBefore: utcTime (0)
utcTime: 14-07-30 18:41:44 (UTC)
notAfter: utcTime (0)
utcTime: 24-07-27 18:41:44 (UTC)
subject: rdnSequence (0)
rdnSequence: 5 items (id-at-commonName=mantis.tokbox.com,id-at-organizationName=Tokbox,id-at-localityName=San Francisco,id-at-stateOrProvinceName=California,id-at-countryName=US)
RDNSequence item: 1 item (id-at-countryName=US)
RelativeDistinguishedName item (id-at-countryName=US)
Id: 2.5.4.6 (id-at-countryName)
CountryName: US
RDNSequence item: 1 item (id-at-stateOrProvinceName=California)
RelativeDistinguishedName item (id-at-stateOrProvinceName=California)
Id: 2.5.4.8 (id-at-stateOrProvinceName)
DirectoryString: printableString (1)
printableString: California
RDNSequence item: 1 item (id-at-localityName=San Francisco)
RelativeDistinguishedName item (id-at-localityName=San Francisco)
Id: 2.5.4.7 (id-at-localityName)
DirectoryString: printableString (1)
printableString: San Francisco
RDNSequence item: 1 item (id-at-organizationName=Tokbox)
RelativeDistinguishedName item (id-at-organizationName=Tokbox)
Id: 2.5.4.10 (id-at-organizationName)
DirectoryString: printableString (1)
printableString: Tokbox
RDNSequence item: 1 item (id-at-commonName=mantis.tokbox.com)
RelativeDistinguishedName item (id-at-commonName=mantis.tokbox.com)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: mantis.tokbox.com
subjectPublicKeyInfo
algorithm (rsaEncryption)
Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
Padding: 0
subjectPublicKey: 30818902818100bea2170f27caed5cf16dc53f909932b869...
algorithmIdentifier (shaWithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.5 (shaWithRSAEncryption)
Padding: 0
encrypted: ae89516a687d33a7ec9c75a66921bca1ae0e7e60586c58e2...
DTLSv1.0 Record Layer: Handshake Protocol: Client Key Exchange
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 2
Length: 78
Handshake Protocol: Client Key Exchange
Handshake Type: Client Key Exchange (16)
Length: 66
Message Sequence: 2
Fragment Offset: 0
Fragment Length: 66
EC Diffie-Hellman Client Params
Pubkey Length: 65
Pubkey: 04e587aa9837220da69673630735f557b15f0e1a84212555...
DTLSv1.0 Record Layer: Handshake Protocol: Certificate Verify
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 3
Length: 142
Handshake Protocol: Certificate Verify
Handshake Type: Certificate Verify (15)
Length: 130
Message Sequence: 3
Fragment Offset: 0
Fragment Length: 130
DTLSv1.0 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
Content Type: Change Cipher Spec (20)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 4
Length: 1
Change Cipher Spec Message
Record Layer
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 1
Sequence Number: 0
Length: 64
Handshake Protocol
And then another client hello happened, with a different DTLS version (DTLSv1.2) and different cipher suites and hash algorithms. The APN extension also reveals WebRTC.
Datagram Transport Layer Security
DTLSv1.0 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: DTLS 1.2 (0xfefd)
Epoch: 0
Sequence Number: 0
Length: 152
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 140
Message Sequence: 0
Fragment Offset: 0
Fragment Length: 140
Version: DTLS 1.2 (0xfefd)
Random
GMT Unix Time: Nov 7, 2055 01:44:02.000000000 PDT
Random Bytes: c89aa6b07ee7a2ae228e132f8a9a32ae85de577e57c688ad...
Session ID Length: 0
Cookie Length: 0
Cipher Suites Length: 16
Cipher Suites (8 suites)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 82
Extension: renegotiation_info
Type: renegotiation_info (0xff01)
Length: 1
Renegotiation Info extension
Renegotiation info extension length: 0
Extension: elliptic_curves
Type: elliptic_curves (0x000a)
Length: 8
Elliptic Curves Length: 6
Elliptic curves (3 curves)
Elliptic curve: secp256r1 (0x0017)
Elliptic curve: secp384r1 (0x0018)
Elliptic curve: secp521r1 (0x0019)
Extension: ec_point_formats
Type: ec_point_formats (0x000b)
Length: 2
EC point formats Length: 1
Elliptic curves point formats (1)
EC point format: uncompressed (0)
Extension: Application Layer Protocol Negotiation
Type: Application Layer Protocol Negotiation (0x0010)
Length: 18
ALPN Extension Length: 16
ALPN Protocol
ALPN string length: 6
ALPN Next Protocol: webrtc
ALPN string length: 8
ALPN Next Protocol: c-webrtc
Extension: use_srtp
Type: use_srtp (0x000e)
Length: 7
Data (7 bytes)
Extension: signature_algorithms
Type: signature_algorithms (0x000d)
Length: 22
Signature Hash Algorithms Length: 20
Signature Hash Algorithms (10 algorithms)
Signature Hash Algorithm: 0x0401
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0501
Signature Hash Algorithm Hash: SHA384 (5)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0601
Signature Hash Algorithm Hash: SHA512 (6)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0201
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0403
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Hash Algorithm: 0x0503
Signature Hash Algorithm Hash: SHA384 (5)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Hash Algorithm: 0x0603
Signature Hash Algorithm Hash: SHA512 (6)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Hash Algorithm: 0x0203
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Hash Algorithm: 0x0402
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: DSA (2)
Signature Hash Algorithm: 0x0202
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: DSA (2)
The server selects a different cipher suite:
Datagram Transport Layer Security
DTLSv1.0 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 0
Length: 74
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 62
Message Sequence: 0
Fragment Offset: 0
Fragment Length: 62
Version: DTLS 1.0 (0xfeff)
Random
GMT Unix Time: Jan 15, 2091 20:41:00.000000000 PST
Random Bytes: 6114446e461d87fb0431cf4cd8273d15072b66c0ed52bb40...
Session ID Length: 0
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Compression Method: null (0)
Extensions Length: 22
Extension: renegotiation_info
Type: renegotiation_info (0xff01)
Length: 1
Renegotiation Info extension
Renegotiation info extension length: 0
Extension: ec_point_formats
Type: ec_point_formats (0x000b)
Length: 4
EC point formats Length: 3
Elliptic curves point formats (3)
EC point format: uncompressed (0)
EC point format: ansiX962_compressed_prime (1)
EC point format: ansiX962_compressed_char2 (2)
Extension: use_srtp
Type: use_srtp (0x000e)
Length: 5
Data (5 bytes)
DTLSv1.0 Record Layer: Handshake Protocol: Certificate
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 1
Length: 603
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 591
Message Sequence: 1
Fragment Offset: 0
Fragment Length: 591
Certificates Length: 588
Certificates (588 bytes)
Certificate Length: 585
Certificate (id-at-commonName=mantis.tokbox.com,id-at-organizationName=Tokbox,id-at-localityName=San Francisco,id-at-stateOrProvinceName=California,id-at-countryName=US)
signedCertificate
serialNumber: -267696997996496148
signature (shaWithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.5 (shaWithRSAEncryption)
issuer: rdnSequence (0)
rdnSequence: 5 items (id-at-commonName=mantis.tokbox.com,id-at-organizationName=Tokbox,id-at-localityName=San Francisco,id-at-stateOrProvinceName=California,id-at-countryName=US)
RDNSequence item: 1 item (id-at-countryName=US)
RelativeDistinguishedName item (id-at-countryName=US)
Id: 2.5.4.6 (id-at-countryName)
CountryName: US
RDNSequence item: 1 item (id-at-stateOrProvinceName=California)
RelativeDistinguishedName item (id-at-stateOrProvinceName=California)
Id: 2.5.4.8 (id-at-stateOrProvinceName)
DirectoryString: printableString (1)
printableString: California
RDNSequence item: 1 item (id-at-localityName=San Francisco)
RelativeDistinguishedName item (id-at-localityName=San Francisco)
Id: 2.5.4.7 (id-at-localityName)
DirectoryString: printableString (1)
printableString: San Francisco
RDNSequence item: 1 item (id-at-organizationName=Tokbox)
RelativeDistinguishedName item (id-at-organizationName=Tokbox)
Id: 2.5.4.10 (id-at-organizationName)
DirectoryString: printableString (1)
printableString: Tokbox
RDNSequence item: 1 item (id-at-commonName=mantis.tokbox.com)
RelativeDistinguishedName item (id-at-commonName=mantis.tokbox.com)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: mantis.tokbox.com
validity
notBefore: utcTime (0)
utcTime: 14-07-30 18:41:44 (UTC)
notAfter: utcTime (0)
utcTime: 24-07-27 18:41:44 (UTC)
subject: rdnSequence (0)
rdnSequence: 5 items (id-at-commonName=mantis.tokbox.com,id-at-organizationName=Tokbox,id-at-localityName=San Francisco,id-at-stateOrProvinceName=California,id-at-countryName=US)
RDNSequence item: 1 item (id-at-countryName=US)
RelativeDistinguishedName item (id-at-countryName=US)
Id: 2.5.4.6 (id-at-countryName)
CountryName: US
RDNSequence item: 1 item (id-at-stateOrProvinceName=California)
RelativeDistinguishedName item (id-at-stateOrProvinceName=California)
Id: 2.5.4.8 (id-at-stateOrProvinceName)
DirectoryString: printableString (1)
printableString: California
RDNSequence item: 1 item (id-at-localityName=San Francisco)
RelativeDistinguishedName item (id-at-localityName=San Francisco)
Id: 2.5.4.7 (id-at-localityName)
DirectoryString: printableString (1)
printableString: San Francisco
RDNSequence item: 1 item (id-at-organizationName=Tokbox)
RelativeDistinguishedName item (id-at-organizationName=Tokbox)
Id: 2.5.4.10 (id-at-organizationName)
DirectoryString: printableString (1)
printableString: Tokbox
RDNSequence item: 1 item (id-at-commonName=mantis.tokbox.com)
RelativeDistinguishedName item (id-at-commonName=mantis.tokbox.com)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: mantis.tokbox.com
subjectPublicKeyInfo
algorithm (rsaEncryption)
Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
Padding: 0
subjectPublicKey: 30818902818100bea2170f27caed5cf16dc53f909932b869...
algorithmIdentifier (shaWithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.5 (shaWithRSAEncryption)
Padding: 0
encrypted: ae89516a687d33a7ec9c75a66921bca1ae0e7e60586c58e2...
DTLSv1.0 Record Layer: Handshake Protocol: Server Key Exchange
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 2
Length: 211
Handshake Protocol: Server Key Exchange
Handshake Type: Server Key Exchange (12)
Length: 199
Message Sequence: 2
Fragment Offset: 0
Fragment Length: 199
EC Diffie-Hellman Server Params
Curve Type: named_curve (0x03)
Named Curve: secp256r1 (0x0017)
Pubkey Length: 65
Pubkey: 04ccbb0e527b32a548a5d60c4ed0dedafeb9f7dd501fafa5...
Signature Length: 128
Signature: 60f3f0251e1147924af3d54ba0d6ff698fb8528ac8bbad1c...
DTLSv1.0 Record Layer: Handshake Protocol: Server Hello Done
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 3
Length: 12
Handshake Protocol: Server Hello Done
Handshake Type: Server Hello Done (14)
Length: 0
Message Sequence: 3
Fragment Offset: 0
Fragment Length: 0
Chrome
Same 73 trash cipher suites, same 28 ECs as Firefox.
Datagram Transport Layer Security
DTLSv1.0 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 0
Length: 284
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 272
Message Sequence: 0
Fragment Offset: 0
Fragment Length: 272
Version: DTLS 1.0 (0xfeff)
Random
GMT Unix Time: Jun 30, 2096 12:59:49.000000000 PDT
Random Bytes: 6626d676c93f15cdc4d3ddf9d22bac7de556b7d9cc5c8768...
Session ID Length: 0
Cookie Length: 0
Cipher Suites Length: 146
Cipher Suites (73 suites)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_DH_RSA_WITH_AES_256_CBC_SHA (0x0037)
Cipher Suite: TLS_DH_DSS_WITH_AES_256_CBC_SHA (0x0036)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)
Cipher Suite: TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0086)
Cipher Suite: TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0085)
Cipher Suite: TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019)
Cipher Suite: TLS_DH_anon_WITH_AES_256_CBC_SHA (0x003a)
Cipher Suite: TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA (0x0089)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_DH_RSA_WITH_AES_128_CBC_SHA (0x0031)
Cipher Suite: TLS_DH_DSS_WITH_AES_128_CBC_SHA (0x0030)
Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a)
Cipher Suite: TLS_DHE_DSS_WITH_SEED_CBC_SHA (0x0099)
Cipher Suite: TLS_DH_RSA_WITH_SEED_CBC_SHA (0x0098)
Cipher Suite: TLS_DH_DSS_WITH_SEED_CBC_SHA (0x0097)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)
Cipher Suite: TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0043)
Cipher Suite: TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0042)
Cipher Suite: TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018)
Cipher Suite: TLS_DH_anon_WITH_AES_128_CBC_SHA (0x0034)
Cipher Suite: TLS_DH_anon_WITH_SEED_CBC_SHA (0x009b)
Cipher Suite: TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA (0x0046)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
Cipher Suite: TLS_RSA_WITH_IDEA_CBC_SHA (0x0007)
Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA (0x0010)
Cipher Suite: TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA (0x000d)
Cipher Suite: TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017)
Cipher Suite: TLS_DH_anon_WITH_3DES_EDE_CBC_SHA (0x001b)
Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
Cipher Suite: TLS_DH_RSA_WITH_DES_CBC_SHA (0x000f)
Cipher Suite: TLS_DH_DSS_WITH_DES_CBC_SHA (0x000c)
Cipher Suite: TLS_DH_anon_WITH_DES_CBC_SHA (0x001a)
Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014)
Cipher Suite: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011)
Cipher Suite: TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA (0x000e)
Cipher Suite: TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA (0x000b)
Cipher Suite: TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA (0x0019)
Cipher Suite: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)
Cipher Suite: TLS_ECDHE_RSA_WITH_NULL_SHA (0xc010)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_NULL_SHA (0xc006)
Cipher Suite: TLS_ECDH_anon_WITH_NULL_SHA (0xc015)
Cipher Suite: TLS_ECDH_RSA_WITH_NULL_SHA (0xc00b)
Cipher Suite: TLS_ECDH_ECDSA_WITH_NULL_SHA (0xc001)
Cipher Suite: TLS_RSA_WITH_NULL_SHA (0x0002)
Cipher Suite: TLS_RSA_WITH_NULL_MD5 (0x0001)
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 84
Extension: ec_point_formats
Type: ec_point_formats (0x000b)
Length: 4
EC point formats Length: 3
Elliptic curves point formats (3)
EC point format: uncompressed (0)
EC point format: ansiX962_compressed_prime (1)
EC point format: ansiX962_compressed_char2 (2)
Extension: elliptic_curves
Type: elliptic_curves (0x000a)
Length: 58
Elliptic Curves Length: 56
Elliptic curves (28 curves)
Elliptic curve: sect571r1 (0x000e)
Elliptic curve: sect571k1 (0x000d)
Elliptic curve: secp521r1 (0x0019)
Elliptic curve: brainpoolP512r1 (0x001c)
Elliptic curve: sect409k1 (0x000b)
Elliptic curve: sect409r1 (0x000c)
Elliptic curve: brainpoolP384r1 (0x001b)
Elliptic curve: secp384r1 (0x0018)
Elliptic curve: sect283k1 (0x0009)
Elliptic curve: sect283r1 (0x000a)
Elliptic curve: brainpoolP256r1 (0x001a)
Elliptic curve: secp256k1 (0x0016)
Elliptic curve: secp256r1 (0x0017)
Elliptic curve: sect239k1 (0x0008)
Elliptic curve: sect233k1 (0x0006)
Elliptic curve: sect233r1 (0x0007)
Elliptic curve: secp224k1 (0x0014)
Elliptic curve: secp224r1 (0x0015)
Elliptic curve: sect193r1 (0x0004)
Elliptic curve: sect193r2 (0x0005)
Elliptic curve: secp192k1 (0x0012)
Elliptic curve: secp192r1 (0x0013)
Elliptic curve: sect163k1 (0x0001)
Elliptic curve: sect163r1 (0x0002)
Elliptic curve: sect163r2 (0x0003)
Elliptic curve: secp160k1 (0x000f)
Elliptic curve: secp160r1 (0x0010)
Elliptic curve: secp160r2 (0x0011)
Extension: Heartbeat
Type: Heartbeat (0x000f)
Length: 1
Mode: Peer allowed to send requests (1)
Extension: use_srtp
Type: use_srtp (0x000e)
Length: 5
Data (5 bytes)
id-at-commonName=WebRTC instead of id-at-commonName=2. This cert is also only valid for 1 month.
Datagram Transport Layer Security
DTLSv1.0 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 0
Length: 104
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 92
Message Sequence: 0
Fragment Offset: 0
Fragment Length: 92
Version: DTLS 1.0 (0xfeff)
Random
GMT Unix Time: Jan 28, 2016 16:18:35.000000000 PST
Random Bytes: 141ae34bdea56488368a8d586f8224d4c0522145b26873d1...
Session ID Length: 32
Session ID (32 bytes)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Compression Method: null (0)
Extensions Length: 20
Extension: renegotiation_info
Type: renegotiation_info (0xff01)
Length: 1
Renegotiation Info extension
Renegotiation info extension length: 0
Extension: use_srtp
Type: use_srtp (0x000e)
Length: 5
Data (5 bytes)
Extension: ec_point_formats
Type: ec_point_formats (0x000b)
Length: 2
EC point formats Length: 1
Elliptic curves point formats (1)
EC point format: uncompressed (0)
DTLSv1.0 Record Layer: Handshake Protocol: Certificate
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 1
Length: 431
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 419
Message Sequence: 1
Fragment Offset: 0
Fragment Length: 419
Certificates Length: 416
Certificates (416 bytes)
Certificate Length: 413
Certificate (id-at-commonName=WebRTC)
signedCertificate
version: v3 (2)
serialNumber: 1600761351
signature (sha256WithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
issuer: rdnSequence (0)
rdnSequence: 1 item (id-at-commonName=WebRTC)
RDNSequence item: 1 item (id-at-commonName=WebRTC)
RelativeDistinguishedName item (id-at-commonName=WebRTC)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: uTF8String (4)
uTF8String: WebRTC
validity
notBefore: utcTime (0)
utcTime: 16-01-22 23:00:39 (UTC)
notAfter: utcTime (0)
utcTime: 16-02-21 23:00:39 (UTC)
subject: rdnSequence (0)
rdnSequence: 1 item (id-at-commonName=WebRTC)
RDNSequence item: 1 item (id-at-commonName=WebRTC)
RelativeDistinguishedName item (id-at-commonName=WebRTC)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: uTF8String (4)
uTF8String: WebRTC
subjectPublicKeyInfo
algorithm (rsaEncryption)
Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
Padding: 0
subjectPublicKey: 30818902818100cb7a64ace273bdce8358b860e9c3659272...
algorithmIdentifier (sha256WithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
Padding: 0
encrypted: 9bb28422e2424f334a3a7e67a1c35387df1ccfef88d05e71...
DTLSv1.0 Record Layer: Handshake Protocol: Server Key Exchange
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 2
Length: 211
Handshake Protocol: Server Key Exchange
Handshake Type: Server Key Exchange (12)
Length: 199
Message Sequence: 2
Fragment Offset: 0
Fragment Length: 199
EC Diffie-Hellman Server Params
Curve Type: named_curve (0x03)
Named Curve: secp256r1 (0x0017)
Pubkey Length: 65
Pubkey: 04b23c336a69f95437e43fbd56ff05508ac8262422c30f42...
Signature Length: 128
Signature: 6407311ad3f584629405e0f7320dcee94835df8f3333297c...
DTLSv1.0 Record Layer: Handshake Protocol: Certificate Request
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 3
Length: 17
Handshake Protocol: Certificate Request
Handshake Type: Certificate Request (13)
Length: 5
Message Sequence: 3
Fragment Offset: 0
Fragment Length: 5
Certificate types count: 2
Certificate types (2 types)
Certificate type: RSA Sign (1)
Certificate type: ECDSA Sign (64)
Distinguished Names Length: 0
DTLSv1.0 Record Layer: Handshake Protocol: Server Hello Done
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 4
Length: 12
Handshake Protocol: Server Hello Done
Handshake Type: Server Hello Done (14)
Length: 0
Message Sequence: 4
Fragment Offset: 0
Fragment Length: 0
Datagram Transport Layer Security
DTLSv1.0 Record Layer: Handshake Protocol: Certificate
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 1
Length: 603
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 591
Message Sequence: 1
Fragment Offset: 0
Fragment Length: 591
Certificates Length: 588
Certificates (588 bytes)
Certificate Length: 585
Certificate (id-at-commonName=mantis.tokbox.com,id-at-organizationName=Tokbox,id-at-localityName=San Francisco,id-at-stateOrProvinceName=California,id-at-countryName=US)
signedCertificate
serialNumber: -267696997996496148
signature (shaWithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.5 (shaWithRSAEncryption)
issuer: rdnSequence (0)
rdnSequence: 5 items (id-at-commonName=mantis.tokbox.com,id-at-organizationName=Tokbox,id-at-localityName=San Francisco,id-at-stateOrProvinceName=California,id-at-countryName=US)
RDNSequence item: 1 item (id-at-countryName=US)
RelativeDistinguishedName item (id-at-countryName=US)
Id: 2.5.4.6 (id-at-countryName)
CountryName: US
RDNSequence item: 1 item (id-at-stateOrProvinceName=California)
RelativeDistinguishedName item (id-at-stateOrProvinceName=California)
Id: 2.5.4.8 (id-at-stateOrProvinceName)
DirectoryString: printableString (1)
printableString: California
RDNSequence item: 1 item (id-at-localityName=San Francisco)
RelativeDistinguishedName item (id-at-localityName=San Francisco)
Id: 2.5.4.7 (id-at-localityName)
DirectoryString: printableString (1)
printableString: San Francisco
RDNSequence item: 1 item (id-at-organizationName=Tokbox)
RelativeDistinguishedName item (id-at-organizationName=Tokbox)
Id: 2.5.4.10 (id-at-organizationName)
DirectoryString: printableString (1)
printableString: Tokbox
RDNSequence item: 1 item (id-at-commonName=mantis.tokbox.com)
RelativeDistinguishedName item (id-at-commonName=mantis.tokbox.com)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: mantis.tokbox.com
validity
notBefore: utcTime (0)
utcTime: 14-07-30 18:41:44 (UTC)
notAfter: utcTime (0)
utcTime: 24-07-27 18:41:44 (UTC)
subject: rdnSequence (0)
rdnSequence: 5 items (id-at-commonName=mantis.tokbox.com,id-at-organizationName=Tokbox,id-at-localityName=San Francisco,id-at-stateOrProvinceName=California,id-at-countryName=US)
RDNSequence item: 1 item (id-at-countryName=US)
RelativeDistinguishedName item (id-at-countryName=US)
Id: 2.5.4.6 (id-at-countryName)
CountryName: US
RDNSequence item: 1 item (id-at-stateOrProvinceName=California)
RelativeDistinguishedName item (id-at-stateOrProvinceName=California)
Id: 2.5.4.8 (id-at-stateOrProvinceName)
DirectoryString: printableString (1)
printableString: California
RDNSequence item: 1 item (id-at-localityName=San Francisco)
RelativeDistinguishedName item (id-at-localityName=San Francisco)
Id: 2.5.4.7 (id-at-localityName)
DirectoryString: printableString (1)
printableString: San Francisco
RDNSequence item: 1 item (id-at-organizationName=Tokbox)
RelativeDistinguishedName item (id-at-organizationName=Tokbox)
Id: 2.5.4.10 (id-at-organizationName)
DirectoryString: printableString (1)
printableString: Tokbox
RDNSequence item: 1 item (id-at-commonName=mantis.tokbox.com)
RelativeDistinguishedName item (id-at-commonName=mantis.tokbox.com)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: mantis.tokbox.com
subjectPublicKeyInfo
algorithm (rsaEncryption)
Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
Padding: 0
subjectPublicKey: 30818902818100bea2170f27caed5cf16dc53f909932b869...
algorithmIdentifier (shaWithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.5 (shaWithRSAEncryption)
Padding: 0
encrypted: ae89516a687d33a7ec9c75a66921bca1ae0e7e60586c58e2...
DTLSv1.0 Record Layer: Handshake Protocol: Client Key Exchange
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 2
Length: 78
Handshake Protocol: Client Key Exchange
Handshake Type: Client Key Exchange (16)
Length: 66
Message Sequence: 2
Fragment Offset: 0
Fragment Length: 66
EC Diffie-Hellman Client Params
Pubkey Length: 65
Pubkey: 04c620ebe617992b983ec14eee36e0bbf18f1932c4ba26a0...
DTLSv1.0 Record Layer: Handshake Protocol: Certificate Verify
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 3
Length: 142
Handshake Protocol: Certificate Verify
Handshake Type: Certificate Verify (15)
Length: 130
Message Sequence: 3
Fragment Offset: 0
Fragment Length: 130
DTLSv1.0 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
Content Type: Change Cipher Spec (20)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 4
Length: 1
Change Cipher Spec Message
Record Layer
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 1
Sequence Number: 0
Length: 64
Handshake Protocol
Second client hello. Weirdly, the first part of the packet says DTLS 1.0, second part says DTLS 1.2. Notice how extensions are different than the Firefox client hello.;
Datagram Transport Layer Security
DTLSv1.0 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 0
Length: 150
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 138
Message Sequence: 0
Fragment Offset: 0
Fragment Length: 138
Version: DTLS 1.2 (0xfefd)
Random
GMT Unix Time: Sep 8, 1991 05:05:34.000000000 PDT
Random Bytes: 367c6923a9da9b0f08ec82bcb97b8097011b4e167408fa88...
Session ID Length: 0
Cookie Length: 0
Cipher Suites Length: 30
Cipher Suites (15 suites)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc14)
Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc13)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 66
Extension: renegotiation_info
Type: renegotiation_info (0xff01)
Length: 1
Renegotiation Info extension
Renegotiation info extension length: 0
Extension: Unknown 23
Type: Unknown (0x0017)
Length: 0
Data (0 bytes)
Extension: SessionTicket TLS
Type: SessionTicket TLS (0x0023)
Length: 0
Data (0 bytes)
Extension: signature_algorithms
Type: signature_algorithms (0x000d)
Length: 22
Signature Hash Algorithms Length: 20
Signature Hash Algorithms (10 algorithms)
Signature Hash Algorithm: 0x0601
Signature Hash Algorithm Hash: SHA512 (6)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0603
Signature Hash Algorithm Hash: SHA512 (6)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Hash Algorithm: 0x0501
Signature Hash Algorithm Hash: SHA384 (5)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0503
Signature Hash Algorithm Hash: SHA384 (5)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Hash Algorithm: 0x0401
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0403
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Hash Algorithm: 0x0301
Signature Hash Algorithm Hash: SHA224 (3)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0303
Signature Hash Algorithm Hash: SHA224 (3)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Hash Algorithm: 0x0201
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0203
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: ECDSA (3)
Extension: use_srtp
Type: use_srtp (0x000e)
Length: 7
Data (7 bytes)
Extension: ec_point_formats
Type: ec_point_formats (0x000b)
Length: 2
EC point formats Length: 1
Elliptic curves point formats (1)
EC point format: uncompressed (0)
Extension: elliptic_curves
Type: elliptic_curves (0x000a)
Length: 6
Elliptic Curves Length: 4
Elliptic curves (2 curves)
Elliptic curve: secp256r1 (0x0017)
Elliptic curve: secp384r1 (0x0018)
Datagram Transport Layer Security
DTLSv1.0 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 0
Length: 74
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 62
Message Sequence: 0
Fragment Offset: 0
Fragment Length: 62
Version: DTLS 1.0 (0xfeff)
Random
GMT Unix Time: Nov 25, 2010 18:01:53.000000000 PST
Random Bytes: ebde5bdcdd5dc0110ac8785585c210e1ee15e0a459d0d6c4...
Session ID Length: 0
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Compression Method: null (0)
Extensions Length: 22
Extension: renegotiation_info
Type: renegotiation_info (0xff01)
Length: 1
Renegotiation Info extension
Renegotiation info extension length: 0
Extension: ec_point_formats
Type: ec_point_formats (0x000b)
Length: 4
EC point formats Length: 3
Elliptic curves point formats (3)
EC point format: uncompressed (0)
EC point format: ansiX962_compressed_prime (1)
EC point format: ansiX962_compressed_char2 (2)
Extension: use_srtp
Type: use_srtp (0x000e)
Length: 5
Data (5 bytes)
DTLSv1.0 Record Layer: Handshake Protocol: Certificate
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 1
Length: 603
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 591
Message Sequence: 1
Fragment Offset: 0
Fragment Length: 591
Certificates Length: 588
Certificates (588 bytes)
Certificate Length: 585
Certificate (id-at-commonName=mantis.tokbox.com,id-at-organizationName=Tokbox,id-at-localityName=San Francisco,id-at-stateOrProvinceName=California,id-at-countryName=US)
signedCertificate
serialNumber: -267696997996496148
signature (shaWithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.5 (shaWithRSAEncryption)
issuer: rdnSequence (0)
rdnSequence: 5 items (id-at-commonName=mantis.tokbox.com,id-at-organizationName=Tokbox,id-at-localityName=San Francisco,id-at-stateOrProvinceName=California,id-at-countryName=US)
RDNSequence item: 1 item (id-at-countryName=US)
RelativeDistinguishedName item (id-at-countryName=US)
Id: 2.5.4.6 (id-at-countryName)
CountryName: US
RDNSequence item: 1 item (id-at-stateOrProvinceName=California)
RelativeDistinguishedName item (id-at-stateOrProvinceName=California)
Id: 2.5.4.8 (id-at-stateOrProvinceName)
DirectoryString: printableString (1)
printableString: California
RDNSequence item: 1 item (id-at-localityName=San Francisco)
RelativeDistinguishedName item (id-at-localityName=San Francisco)
Id: 2.5.4.7 (id-at-localityName)
DirectoryString: printableString (1)
printableString: San Francisco
RDNSequence item: 1 item (id-at-organizationName=Tokbox)
RelativeDistinguishedName item (id-at-organizationName=Tokbox)
Id: 2.5.4.10 (id-at-organizationName)
DirectoryString: printableString (1)
printableString: Tokbox
RDNSequence item: 1 item (id-at-commonName=mantis.tokbox.com)
RelativeDistinguishedName item (id-at-commonName=mantis.tokbox.com)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: mantis.tokbox.com
validity
notBefore: utcTime (0)
utcTime: 14-07-30 18:41:44 (UTC)
notAfter: utcTime (0)
utcTime: 24-07-27 18:41:44 (UTC)
subject: rdnSequence (0)
rdnSequence: 5 items (id-at-commonName=mantis.tokbox.com,id-at-organizationName=Tokbox,id-at-localityName=San Francisco,id-at-stateOrProvinceName=California,id-at-countryName=US)
RDNSequence item: 1 item (id-at-countryName=US)
RelativeDistinguishedName item (id-at-countryName=US)
Id: 2.5.4.6 (id-at-countryName)
CountryName: US
RDNSequence item: 1 item (id-at-stateOrProvinceName=California)
RelativeDistinguishedName item (id-at-stateOrProvinceName=California)
Id: 2.5.4.8 (id-at-stateOrProvinceName)
DirectoryString: printableString (1)
printableString: California
RDNSequence item: 1 item (id-at-localityName=San Francisco)
RelativeDistinguishedName item (id-at-localityName=San Francisco)
Id: 2.5.4.7 (id-at-localityName)
DirectoryString: printableString (1)
printableString: San Francisco
RDNSequence item: 1 item (id-at-organizationName=Tokbox)
RelativeDistinguishedName item (id-at-organizationName=Tokbox)
Id: 2.5.4.10 (id-at-organizationName)
DirectoryString: printableString (1)
printableString: Tokbox
RDNSequence item: 1 item (id-at-commonName=mantis.tokbox.com)
RelativeDistinguishedName item (id-at-commonName=mantis.tokbox.com)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: mantis.tokbox.com
subjectPublicKeyInfo
algorithm (rsaEncryption)
Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
Padding: 0
subjectPublicKey: 30818902818100bea2170f27caed5cf16dc53f909932b869...
algorithmIdentifier (shaWithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.5 (shaWithRSAEncryption)
Padding: 0
encrypted: ae89516a687d33a7ec9c75a66921bca1ae0e7e60586c58e2...
DTLSv1.0 Record Layer: Handshake Protocol: Server Key Exchange
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 2
Length: 211
Handshake Protocol: Server Key Exchange
Handshake Type: Server Key Exchange (12)
Length: 199
Message Sequence: 2
Fragment Offset: 0
Fragment Length: 199
EC Diffie-Hellman Server Params
Curve Type: named_curve (0x03)
Named Curve: secp256r1 (0x0017)
Pubkey Length: 65
Pubkey: 0428bd3b98a7f80c4a8c276ed24a437f835e1c42e6cc61ad...
Signature Length: 128
Signature: 93f2b2753ecb4a80048b2e21826925e6ea7c46e1bd99769f...
DTLSv1.0 Record Layer: Handshake Protocol: Server Hello Done
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 3
Length: 12
Handshake Protocol: Server Hello Done
Handshake Type: Server Hello Done (14)
Length: 0
Message Sequence: 3
Fragment Offset: 0
Fragment Length: 0
STUN
Binding Requests
Here is the binding request, the first STUN packet. The fingerprint and transaction ID are potentials for discovery:
Session Traversal Utilities for NAT
Message Type: 0x0001 (Binding Request)
.... ...0 ...0 .... = Message Class: 0x0000
[Request (0)]
..00 000. 000. 0001 = Message Method: 0x0001
[Binding (0x001)]
..0. .... .... .... = Message Method Assignment: 0x0000
[IETF Review (0)]
Message Length: 8
Message Cookie: 2112a442
Message Transaction ID: 1ea1d16f0e1794e75c98f212
Attributes
FINGERPRINT
Attribute Type: FINGERPRINT (0x8028)
1... .... .... .... = Attribute Type Comprehension: 0x0001
[Optional (1)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 4
CRC-32: 0x58615c53
And here is the binding success response, coming from the STUN server to the client:
Session Traversal Utilities for NAT
Message Type: 0x0101 (Binding Success Response)
.... ...1 ...0 .... = Message Class: 0x0010
[Success Response (2)]
..00 000. 000. 0001 = Message Method: 0x0001
[Binding (0x001)]
..0. .... .... .... = Message Method Assignment: 0x0000
[IETF Review (0)]
Message Length: 80
Message Cookie: 2112a442
Message Transaction ID: 1ea1d16f0e1794e75c98f212
Attributes
XOR-MAPPED-ADDRESS: 192.0.2.10:38645
Attribute Type: XOR-MAPPED-ADDRESS (0x0020)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 8
Reserved: 00
Protocol Family: IPv4 (0x01)
Port (XOR-d): b7e7
[Port: 38645]
IP (XOR-d): 83fcba14
[IP: 192.0.2.10 (192.0.2.10)]
MAPPED-ADDRESS: 192.0.2.10:38645
Attribute Type: MAPPED-ADDRESS (0x0001)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 8
Reserved: 00
Protocol Family: IPv4 (0x01)
Port: 38645
IP: 192.0.2.10 (192.0.2.10)
RESPONSE-ORIGIN: 74.201.205.43:3478
Attribute Type: RESPONSE-ORIGIN (0x802b)
1... .... .... .... = Attribute Type Comprehension: 0x0001
[Optional (1)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 8
Reserved: 00
Protocol Family: IPv4 (0x01)
Port: 3478
IP: 74.201.205.43 (74.201.205.43)
SOFTWARE
Attribute Type: SOFTWARE (0x8022)
1... .... .... .... = Attribute Type Comprehension: 0x0001
[Optional (1)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 29
Software: Citrix-3.2.5.1 'Marshal West'
Padding: 3
FINGERPRINT
Attribute Type: FINGERPRINT (0x8028)
1... .... .... .... = Attribute Type Comprehension: 0x0001
[Optional (1)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 4
CRC-32: 0x0d6f9ab0
Slightly different binding request packet. This includes a username, tied to the client in the communication, and an ICE-CONTROLLING attribute:
Session Traversal Utilities for NAT
Message Type: 0x0001 (Binding Request)
.... ...0 ...0 .... = Message Class: 0x0000
[Request (0)]
..00 000. 000. 0001 = Message Method: 0x0001
[Binding (0x001)]
..0. .... .... .... = Message Method Assignment: 0x0000
[IETF Review (0)]
Message Length: 88
Message Cookie: 2112a442
Message Transaction ID: e23bffae1d781551e03ab4a5
Attributes
USERNAME: BEsGwY5xupyZbhln:7b4693c2
Attribute Type: USERNAME (0x0006)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 25
Username: BEsGwY5xupyZbhln:7b4693c2
Padding: 3
USE-CANDIDATE
Attribute Type: USE-CANDIDATE (0x0025)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 0
PRIORITY
Attribute Type: PRIORITY (0x0024)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 4
Priority: 1853686015
ICE-CONTROLLING
Attribute Type: ICE-CONTROLLING (0x802a)
1... .... .... .... = Attribute Type Comprehension: 0x0001
[Optional (1)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 8
Tie breaker: 456a56d73bf53ae0
MESSAGE-INTEGRITY
Attribute Type: MESSAGE-INTEGRITY (0x0008)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 20
HMAC-SHA1: 62bcd99bfabb384398611322966423550257f173
FINGERPRINT
Attribute Type: FINGERPRINT (0x8028)
1... .... .... .... = Attribute Type Comprehension: 0x0001
[Optional (1)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 4
CRC-32: 0x733a4947
And the response to that:
Session Traversal Utilities for NAT
Message Type: 0x0101 (Binding Success Response)
.... ...1 ...0 .... = Message Class: 0x0010
[Success Response (2)]
..00 000. 000. 0001 = Message Method: 0x0001
[Binding (0x001)]
..0. .... .... .... = Message Method Assignment: 0x0000
[IETF Review (0)]
Message Length: 44
Message Cookie: 2112a442
Message Transaction ID: e23bffae1d781551e03ab4a5
Attributes
XOR-MAPPED-ADDRESS: 192.0.2.10:38645
Attribute Type: XOR-MAPPED-ADDRESS (0x0020)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 8
Reserved: 00
Protocol Family: IPv4 (0x01)
Port (XOR-d): b7e7
[Port: 38645]
IP (XOR-d): 83fcba14
[IP: 192.0.2.10 (192.0.2.10)]
MESSAGE-INTEGRITY
Attribute Type: MESSAGE-INTEGRITY (0x0008)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 20
HMAC-SHA1: f5883b9e52e311242d66ed99dfb7a0a1ae49b56f
FINGERPRINT
Attribute Type: FINGERPRINT (0x8028)
1... .... .... .... = Attribute Type Comprehension: 0x0001
[Optional (1)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 4
CRC-32: 0x0bc6ce07
Allocate requests
Here is the first allocate request packet:
Session Traversal Utilities for NAT
Message Type: 0x0003 (Allocate Request)
.... ...0 ...0 .... = Message Class: 0x0000
[Request (0)]
..00 000. 000. 0011 = Message Method: 0x0003
[Allocate (0x003)]
..0. .... .... .... = Message Method Assignment: 0x0000
[IETF Review (0)]
Message Length: 24
Message Cookie: 2112a442
Message Transaction ID: 4dff273c1cff6d4ec5fc9292
Attributes
REQUESTED-TRANSPORT: UDP
Attribute Type: REQUESTED-TRANSPORT (0x0019)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 4
Transport: UDP (0x11)
Reserved: 000000
LIFETIME 3600
Attribute Type: LIFETIME (0x000d)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 4
Lifetime: 3600
FINGERPRINT
Attribute Type: FINGERPRINT (0x8028)
1... .... .... .... = Attribute Type Comprehension: 0x0001
[Optional (1)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 4
CRC-32: 0xbe5775d9
And the response to the allocate request, which errors. This includes information about the server being visited:
Session Traversal Utilities for NAT
Message Type: 0x0113 (Allocate Error Response)
.... ...1 ...1 .... = Message Class: 0x0011
[Error Response (3)]
..00 000. 000. 0011 = Message Method: 0x0003
[Allocate (0x003)]
..0. .... .... .... = Message Method Assignment: 0x0000
[IETF Review (0)]
Message Length: 100
Message Cookie: 2112a442
Message Transaction ID: 4dff273c1cff6d4ec5fc9292
Attributes
ERROR-CODE 401 (Unauthorized): Unauthorised
Attribute Type: ERROR-CODE (0x0009)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 16
Reserved: 0000
.... .100 = Error Class: 4
Error Code: 1
Error Reason Phrase: Unauthorised
NONCE: 2e7ef3eff1331156
Attribute Type: NONCE (0x0015)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 16
Nonce: 2e7ef3eff1331156
REALM: tokbox.com
Attribute Type: REALM (0x0014)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 10
Realm: tokbox.com
Padding: 2
SOFTWARE
Attribute Type: SOFTWARE (0x8022)
1... .... .... .... = Attribute Type Comprehension: 0x0001
[Optional (1)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 29
Software: Citrix-3.2.5.1 'Marshal West'
Padding: 3
FINGERPRINT
Attribute Type: FINGERPRINT (0x8028)
1... .... .... .... = Attribute Type Comprehension: 0x0001
[Optional (1)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 4
CRC-32: 0x2fb3b1da
Different allocate request, including username and realm (website):
Session Traversal Utilities for NAT
Message Type: 0x0003 (Allocate Request)
.... ...0 ...0 .... = Message Class: 0x0000
[Request (0)]
..00 000. 000. 0011 = Message Method: 0x0003
[Allocate (0x003)]
..0. .... .... .... = Message Method Assignment: 0x0000
[IETF Review (0)]
Message Length: 248
Message Cookie: 2112a442
Message Transaction ID: d468b300330fbdc123951d66
Attributes
REQUESTED-TRANSPORT: UDP
Attribute Type: REQUESTED-TRANSPORT (0x0019)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 4
Transport: UDP (0x11)
Reserved: 000000
LIFETIME 3600
Attribute Type: LIFETIME (0x000d)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 4
Lifetime: 3600
USERNAME: 1453415893:1.2_MX40NDQ0MzEyMn5-MTQ1MzMyOTQ4ODAwM345TVE2VmpDMW5KTFVpdW84K0dTL2MzNmF-fg.5bbce808-6e2b-45d2-9240-201120fc41e5.fb04c070-5be0-4642-b4c4-843d847cdc95
Attribute Type: USERNAME (0x0006)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 159
Username: 1453415893:1.2_MX40NDQ0MzEyMn5-MTQ1MzMyOTQ4ODAwM345TVE2VmpDMW5KTFVpdW84K0dTL2MzNmF-fg.5bbce808-6e2b-45d2-9240-201120fc41e5.fb04c070-5be0-4642-b4c4-843d847cdc95
Padding: 1
REALM: tokbox.com
Attribute Type: REALM (0x0014)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 10
Realm: tokbox.com
Padding: 2
NONCE: 2e7ef3eff1331156
Attribute Type: NONCE (0x0015)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 16
Nonce: 2e7ef3eff1331156
MESSAGE-INTEGRITY
Attribute Type: MESSAGE-INTEGRITY (0x0008)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 20
HMAC-SHA1: 4e46acb02cd3ad0caea87de15c5b1c50a68f5ec6
FINGERPRINT
Attribute Type: FINGERPRINT (0x8028)
1... .... .... .... = Attribute Type Comprehension: 0x0001
[Optional (1)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 4
CRC-32: 0x3e3b0e4e
And the success response:
Session Traversal Utilities for NAT
Message Type: 0x0103 (Allocate Success Response)
.... ...1 ...0 .... = Message Class: 0x0010
[Success Response (2)]
..00 000. 000. 0011 = Message Method: 0x0003
[Allocate (0x003)]
..0. .... .... .... = Message Method Assignment: 0x0000
[IETF Review (0)]
Message Length: 100
Message Cookie: 2112a442
Message Transaction ID: d468b300330fbdc123951d66
Attributes
XOR-RELAYED-ADDRESS: 74.201.205.43:14002
Attribute Type: XOR-RELAYED-ADDRESS (0x0016)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 8
Reserved: 00
Protocol Family: IPv4 (0x01)
Port (XOR-d): 17a0
[Port: 14002]
IP (XOR-d): 6bdb6969
[IP: 74.201.205.43 (74.201.205.43)]
XOR-MAPPED-ADDRESS: 192.0.2.10:38645
Attribute Type: XOR-MAPPED-ADDRESS (0x0020)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 8
Reserved: 00
Protocol Family: IPv4 (0x01)
Port (XOR-d): b7e7
[Port: 38645]
IP (XOR-d): 83fcba14
[IP: 192.0.2.10 (192.0.2.10)]
LIFETIME 3600
Attribute Type: LIFETIME (0x000d)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 4
Lifetime: 3600
SOFTWARE
Attribute Type: SOFTWARE (0x8022)
1... .... .... .... = Attribute Type Comprehension: 0x0001
[Optional (1)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 29
Software: Citrix-3.2.5.1 'Marshal West'
Padding: 3
MESSAGE-INTEGRITY
Attribute Type: MESSAGE-INTEGRITY (0x0008)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 20
HMAC-SHA1: 5d58469abd4b33c21f5801752ba0aebfa33e6e15
FINGERPRINT
Attribute Type: FINGERPRINT (0x8028)
1... .... .... .... = Attribute Type Comprehension: 0x0001
[Optional (1)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 4
CRC-32: 0x5cf4e5c7
Create Permission Requests
Session Traversal Utilities for NAT
Message Type: 0x0008 (CreatePermission Request)
.... ...0 ...0 .... = Message Class: 0x0000
[Request (0)]
..00 000. 000. 1000 = Message Method: 0x0008
[CreatePermission (0x008)]
..0. .... .... .... = Message Method Assignment: 0x0000
[IETF Review (0)]
Message Length: 244
Message Cookie: 2112a442
Message Transaction ID: 78455a7886a48015f059e05b
Attributes
XOR-PEER-ADDRESS: 74.201.205.3:26103
Attribute Type: XOR-PEER-ADDRESS (0x0012)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 8
Reserved: 00
Protocol Family: IPv4 (0x01)
Port (XOR-d): 44e5
[Port: 26103]
IP (XOR-d): 6bdb6941
[IP: 74.201.205.3 (74.201.205.3)]
USERNAME: 1453415916:1.2_MX40NDQ0MzEyMn5-MTQ1MzMyOTQ4ODAwM345TVE2VmpDMW5KTFVpdW84K0dTL2MzNmF-fg.31f8dacc-294e-4b44-87c7-c6bf1d50a64a.7f085edd-49f5-4e45-ac04-76fee77527ca
Attribute Type: USERNAME (0x0006)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 159
Username: 1453415916:1.2_MX40NDQ0MzEyMn5-MTQ1MzMyOTQ4ODAwM345TVE2VmpDMW5KTFVpdW84K0dTL2MzNmF-fg.31f8dacc-294e-4b44-87c7-c6bf1d50a64a.7f085edd-49f5-4e45-ac04-76fee77527ca
Padding: 1
REALM: tokbox.com
Attribute Type: REALM (0x0014)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 10
Realm: tokbox.com
Padding: 2
NONCE: 37897cf24e67560f
Attribute Type: NONCE (0x0015)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 16
Nonce: 37897cf24e67560f
MESSAGE-INTEGRITY
Attribute Type: MESSAGE-INTEGRITY (0x0008)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 20
HMAC-SHA1: 85480b4f3c426600faf1ff50c089ad128debdc3a
FINGERPRINT
Attribute Type: FINGERPRINT (0x8028)
1... .... .... .... = Attribute Type Comprehension: 0x0001
[Optional (1)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 4
CRC-32: 0x5bc32170
And the response:
Session Traversal Utilities for NAT
Message Type: 0x0108 (CreatePermission Success Response)
.... ...1 ...0 .... = Message Class: 0x0010
[Success Response (2)]
..00 000. 000. 1000 = Message Method: 0x0008
[CreatePermission (0x008)]
..0. .... .... .... = Message Method Assignment: 0x0000
[IETF Review (0)]
Message Length: 68
Message Cookie: 2112a442
Message Transaction ID: 78455a7886a48015f059e05b
Attributes
SOFTWARE
Attribute Type: SOFTWARE (0x8022)
1... .... .... .... = Attribute Type Comprehension: 0x0001
[Optional (1)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 29
Software: Citrix-3.2.5.1 'Marshal West'
Padding: 3
MESSAGE-INTEGRITY
Attribute Type: MESSAGE-INTEGRITY (0x0008)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 20
HMAC-SHA1: 0cf9c934b676a82a7ecd48a5aed5c9ff56a47639
FINGERPRINT
Attribute Type: FINGERPRINT (0x8028)
1... .... .... .... = Attribute Type Comprehension: 0x0001
[Optional (1)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 4
CRC-32: 0xdc967696
Send Indication
Looks like the dissection fails around the DATA part?
Session Traversal Utilities for NAT
Message Type: 0x0016 (Send Indication)
.... ...0 ...1 .... = Message Class: 0x0001
[Indication (1)]
..00 000. 000. 0110 = Message Method: 0x0006
[Send (0x006)]
..0. .... .... .... = Message Method Assignment: 0x0000
[IETF Review (0)]
Message Length: 132
Message Cookie: 2112a442
Message Transaction ID: 5d7f4e81a326a56af8613788
Attributes
XOR-PEER-ADDRESS: 74.201.205.3:26103
Attribute Type: XOR-PEER-ADDRESS (0x0012)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 8
Reserved: 00
Protocol Family: IPv4 (0x01)
Port (XOR-d): 44e5
[Port: 26103]
IP (XOR-d): 6bdb6941
[IP: 74.201.205.3 (74.201.205.3)]
DATA
Attribute Type: DATA (0x0013)
0... .... .... .... = Attribute Type Comprehension: 0x0000
[Required (0)]
.0.. .... .... .... = Attribute Type Assignment: 0x0000
[IETF Review (0)]
Attribute Length: 108
Value: 000100582112a4422bb822ea46b85810b300a8aa00060019...
Trivial File Transfer Protocol
[Source File: ]
Opcode: Read Request (1)
Source File:
Type: X!\022\357\277\275B+\357\277\275"\357\277\275F\357\277\275X\020\357\277\275
Option: \250\252\000 = \006\000
Option name: \357\277\275\357\277\275
Option value: \006
Option: \031BVvJ5yJLt6HIDQQN:be827ba2\000 = \000
Option name: \031BVvJ5yJLt6HIDQQN:be827ba2
Option value:
Option: \000 = \000
Option name:
Option value:
Option: %\000 = \000
Option name: %
Option value:
Option: \000 = $\000
Option name:
Option value: $
Option: \004n}\000 = \377\200*\000
Option name: \004n}
Option value: \357\277\275\357\277\275*
Option: \b\210f\217\326H\216h\374\000 = \b\000
Option name: \b\357\277\275f\357\277\275\357\277\275H\357\277\275h\357\277\275
Option value: \b
[Malformed Packet: TFTP]
[Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
[Malformed Packet (Exception occurred)]
[Severity level: Error]
[Group: Malformed]