diff --git a/CHANGES b/CHANGES index 76b2af2dec..f80cbad8cf 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,27 @@ +6.2.0-dev.487 | 2024-01-30 21:47:06 +0100 + + * quic: Log client's source connection id, too. (Arne Welzel, Corelight) + + Seem reasonable give we log the server SCID. Interestingly, the Chromium + examples actually have zero length (empty) source connection IDs. I wonder + if that's part of their "protocol ossification avoidance" effort. + + * quic: Continue decryption attempts for later INITIAL packets (Arne Welzel, Corelight) + + The original logic stopped decrypting any INITIAL packets after the + first. The Firefox/cloudflare pcaps actually show that the server + replies with a QUIC INITAL packet containing just ACK frames and no + CRYPTO frames. Only the second QUIC INITIAL packet from the server + then contains the CRYPTO frames. + + There's no good reason to stop decryption attempts, either we succeed + down the road and then stop, or we fail and raise analyzer violations. + + * quic: Rename set_conn() to set_session() (Arne Welzel, Corelight) + + set_conn() should be about the c$conn record. Most other base scripts + for protocols use set_session(), so do the same. + 6.2.0-dev.483 | 2024-01-29 10:30:06 +0100 * Bump Spicy to current `main`. (Robin Sommer, Corelight) diff --git a/VERSION b/VERSION index 2d77a80bd9..d40b2637fc 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -6.2.0-dev.483 +6.2.0-dev.487 diff --git a/scripts/base/protocols/quic/main.zeek b/scripts/base/protocols/quic/main.zeek index 9a119c3f6a..387bd53870 100644 --- a/scripts/base/protocols/quic/main.zeek +++ b/scripts/base/protocols/quic/main.zeek @@ -27,10 +27,13 @@ export { ## by client and server. client_initial_dcid: string &log &optional; + ## Client's Source Connection ID from the first INITIAL packet. + client_scid: string &log &optional; + ## Server chosen Connection ID usually from server's first ## INITIAL packet. This is to be used by the client in ## subsequent packets. - server_scid: string &log &optional; + server_scid: string &log &optional; ## Server name extracted from SNI extension in ClientHello ## packet if available. @@ -105,7 +108,7 @@ function log_record(quic: Info) quic$logged = T; } -function set_conn(c: connection, is_orig: bool, version: count, dcid: string, scid: string) +function set_session(c: connection, is_orig: bool, version: count, dcid: string, scid: string) { if ( ! c?$quic ) { @@ -122,25 +125,27 @@ function set_conn(c: connection, is_orig: bool, version: count, dcid: string, sc if ( is_orig && |dcid| > 0 && ! c$quic?$client_initial_dcid ) c$quic$client_initial_dcid = bytestring_to_hexstr(dcid); - if ( ! is_orig && |scid| > 0 ) + if ( is_orig ) + c$quic$client_scid = bytestring_to_hexstr(scid); + else c$quic$server_scid = bytestring_to_hexstr(scid); } event QUIC::initial_packet(c: connection, is_orig: bool, version: count, dcid: string, scid: string) { - set_conn(c, is_orig, version, dcid, scid); + set_session(c, is_orig, version, dcid, scid); add_to_history(c, is_orig, "INIT"); } event QUIC::handshake_packet(c: connection, is_orig: bool, version: count, dcid: string, scid: string) { - set_conn(c, is_orig, version, dcid, scid); + set_session(c, is_orig, version, dcid, scid); add_to_history(c, is_orig, "HANDSHAKE"); } event QUIC::zero_rtt_packet(c: connection, is_orig: bool, version: count, dcid: string, scid: string) { - set_conn(c, is_orig, version, dcid, scid); + set_session(c, is_orig, version, dcid, scid); add_to_history(c, is_orig, "ZeroRTT"); } @@ -148,7 +153,7 @@ event QUIC::zero_rtt_packet(c: connection, is_orig: bool, version: count, dcid: event QUIC::retry_packet(c: connection, is_orig: bool, version: count, dcid: string, scid: string, retry_token: string, integrity_tag: string) { if ( ! c?$quic ) - set_conn(c, is_orig, version, dcid, scid); + set_session(c, is_orig, version, dcid, scid); add_to_history(c, is_orig, "RETRY"); @@ -161,7 +166,7 @@ event QUIC::retry_packet(c: connection, is_orig: bool, version: count, dcid: str event QUIC::unhandled_version(c: connection, is_orig: bool, version: count, dcid: string, scid: string) { if ( ! c?$quic ) - set_conn(c, is_orig, version, dcid, scid); + set_session(c, is_orig, version, dcid, scid); add_to_history(c, is_orig, "UNHANDLED_VERSION"); diff --git a/src/analyzer/protocol/quic/QUIC.spicy b/src/analyzer/protocol/quic/QUIC.spicy index d6522c8e93..84557c9c19 100644 --- a/src/analyzer/protocol/quic/QUIC.spicy +++ b/src/analyzer/protocol/quic/QUIC.spicy @@ -528,7 +528,8 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) { from_client ); - # Set this to be the seed for the decryption + # Assuming that the client set up the connection, this can be considered the first + # received Initial from the client. So disable change of ConnectionID's afterwards if ( |context.initial_destination_conn_id| == 0 ) { context.initial_destination_conn_id = self.long_header.dest_conn_id; } @@ -537,8 +538,6 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) { context.server_cid_len = self.long_header.src_conn_id_len; context.client_cid_len = self.long_header.dest_conn_id_len; - # Assuming that the client set up the connection, this can be considered the first - # received Initial from the client. So disable change of ConnectionID's afterwards self.decrypted_data = decrypt_crypto_payload( self.long_header.version, self.all_data, @@ -554,15 +553,6 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) { # connection. if ( |self.decrypted_data| == 0 ) throw "decryption failed"; - - # If this was a reply from the server and it's not a RETRY, we assume the keys - # are restablished and decryption is no longer possible - # - # TODO: verify if this is actually correct per RFC - if ( ! self.long_header.is_retry && ! from_client ) { - context.server_initial_processed = True; - context.client_initial_processed = True; - } } # Depending on the type of header and whether we were able to decrypt @@ -594,8 +584,8 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) { @endif ); - # Stop decryption attempts after processing the very first - # INITIAL packet. + # Stop decryption attempts after processing the very first INITIAL + # INITIAL packet for which we forwarded data to the SSL analyzer. if ( from_client ) context.client_initial_processed = True; else diff --git a/testing/btest/Baseline/coverage.record-fields/out.default b/testing/btest/Baseline/coverage.record-fields/out.default index 37d4a8083f..25aec2b3c8 100644 --- a/testing/btest/Baseline/coverage.record-fields/out.default +++ b/testing/btest/Baseline/coverage.record-fields/out.default @@ -513,6 +513,7 @@ connection { QUIC::Info { * client_initial_dcid: string, log=T, optional=T * client_protocol: string, log=T, optional=T + * client_scid: string, log=T, optional=T * history: string, log=T, optional=T * history_state: vector of string, log=F, optional=F * id: record conn_id, log=T, optional=F diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.chromium/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.chromium/quic.log index bd6779533d..ecaaed9815 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.chromium/quic.log +++ b/testing/btest/Baseline/scripts.base.protocols.quic.chromium/quic.log @@ -5,7 +5,7 @@ #unset_field - #path quic #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid server_scid server_name client_protocol history -#types time string addr port addr port string string string string string string -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 82.239.54.117 53727 110.213.53.115 443 1 95412c47018cdfe8 d5412c47018cdfe8 api.cirrus-ci.com h3 ISisH +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history +#types time string addr port addr port string string string string string string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 82.239.54.117 53727 110.213.53.115 443 1 95412c47018cdfe8 (empty) d5412c47018cdfe8 api.cirrus-ci.com h3 ISisH #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.curl-http3/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.curl-http3/quic.log index 542adce553..29f634519b 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.curl-http3/quic.log +++ b/testing/btest/Baseline/scripts.base.protocols.quic.curl-http3/quic.log @@ -5,7 +5,7 @@ #unset_field - #path quic #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid server_scid server_name client_protocol history -#types time string addr port addr port string string string string string string -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.2 34347 64.233.166.94 443 1 815d62c70884f4b51e8ccadd5beed372 c15d62c70884f4b5 www.google.de h3 ISishIhHhhH +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history +#types time string addr port addr port string string string string string string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.2 34347 64.233.166.94 443 1 815d62c70884f4b51e8ccadd5beed372 e5ec6b26584229be98a164349ae910351c40d10b c15d62c70884f4b5 www.google.de h3 ISishIhHhhH #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.firefox/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.firefox/quic.log index 52adeb99f5..c009ab178e 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.firefox/quic.log +++ b/testing/btest/Baseline/scripts.base.protocols.quic.firefox/quic.log @@ -5,7 +5,7 @@ #unset_field - #path quic #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid server_scid server_name client_protocol history -#types time string addr port addr port string string string string string string -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 82.239.54.117 44174 250.58.23.113 443 1 c5a5015ae8f479784a 01275b138ee6aca8a6276b132ae6b3547cf7773f blog.cloudflare.com h3 ISiihIhhhHHhHH +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history +#types time string addr port addr port string string string string string string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 82.239.54.117 44174 250.58.23.113 443 1 c5a5015ae8f479784a 34696c 01275b138ee6aca8a6276b132ae6b3547cf7773f blog.cloudflare.com h3 ISiishIhhhHHhHH #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.firefox/ssl.log b/testing/btest/Baseline/scripts.base.protocols.quic.firefox/ssl.log index fec40bbf3a..5be2b06f44 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.firefox/ssl.log +++ b/testing/btest/Baseline/scripts.base.protocols.quic.firefox/ssl.log @@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established ssl_history cert_chain_fps client_cert_chain_fps sni_matches_cert #types time string addr port addr port string string string string bool string string bool string vector[string] vector[string] bool -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 82.239.54.117 44174 250.58.23.113 443 - - - blog.cloudflare.com F - - F C - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 82.239.54.117 44174 250.58.23.113 443 TLSv13 TLS_AES_128_GCM_SHA256 x25519 blog.cloudflare.com F - - F Cs - - - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/quic.log index 621bb65d9e..23623d6a05 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/quic.log +++ b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/quic.log @@ -5,7 +5,7 @@ #unset_field - #path quic #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid server_scid server_name client_protocol history -#types time string addr port addr port string string string string string string -1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 40084 193.167.100.100 443 1 a771f6161a4072c0bf10 5911deff server4:443 hq-interop ISishIH +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history +#types time string addr port addr port string string string string string string string +1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 40084 193.167.100.100 443 1 a771f6161a4072c0bf10 (empty) 5911deff server4:443 hq-interop ISishIH #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/quic.log index 69bd69a8a4..74e8b2a29a 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/quic.log +++ b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/quic.log @@ -5,8 +5,8 @@ #unset_field - #path quic #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid server_scid server_name client_protocol history -#types time string addr port addr port string string string string string string -1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 42834 193.167.100.100 443 1 4a8294bf9201d6cf - server4:443 hq-interop ISr -1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 42834 193.167.100.100 443 1 1b036a11 fc674735 server4:443 hq-interop ISishIH +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history +#types time string addr port addr port string string string string string string string +1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 42834 193.167.100.100 443 1 4a8294bf9201d6cf (empty) - server4:443 hq-interop ISr +1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 42834 193.167.100.100 443 1 1b036a11 (empty) fc674735 server4:443 hq-interop ISishIH #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/quic.log index 1f577da785..6884c599e4 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/quic.log +++ b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/quic.log @@ -5,8 +5,8 @@ #unset_field - #path quic #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid server_scid server_name client_protocol history -#types time string addr port addr port string string string string string string -1.000000 CtPZjS20MLrsMUOJi2 193.167.0.100 49394 193.167.100.100 443 1 15ae5e5e4962163f410b5529fc125bbc e483a751 server4:443 hq-interop ISZisZZZZZZZZZZZZZZZZZZZZZZZZZZZIH -1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 60492 193.167.100.100 443 1 b7c7841c64883e3261d840 8d2041ac server4:443 hq-interop ISishIH +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history +#types time string addr port addr port string string string string string string string +1.000000 CtPZjS20MLrsMUOJi2 193.167.0.100 49394 193.167.100.100 443 1 15ae5e5e4962163f410b5529fc125bbc (empty) e483a751 server4:443 hq-interop ISZisZZZZZZZZZZZZZZZZZZZZZZZZZZZIH +1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 60492 193.167.100.100 443 1 b7c7841c64883e3261d840 (empty) 8d2041ac server4:443 hq-interop ISishIH #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.quic-log/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.quic-log/quic.log index 514d70c870..01df8348a1 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.quic-log/quic.log +++ b/testing/btest/Baseline/scripts.base.protocols.quic.quic-log/quic.log @@ -5,7 +5,7 @@ #unset_field - #path quic #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid server_scid server_name client_protocol history -#types time string addr port addr port string string string string string string -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 669b:cb7a:de99:6a13:4a9b:46ef:3bed:cb6c 57538 6699:ded3:da8c:be73:5a99:ca73:5a99:cadb 443 1 5a37463b0eb7cc5d da37463b0eb7cc5d www.google.de h3 ISishIhHhhHH +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history +#types time string addr port addr port string string string string string string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 669b:cb7a:de99:6a13:4a9b:46ef:3bed:cb6c 57538 6699:ded3:da8c:be73:5a99:ca73:5a99:cadb 443 1 5a37463b0eb7cc5d (empty) da37463b0eb7cc5d www.google.de h3 ISishIhHhhHH #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/quic.log index 3cc5f1b42e..ff45b6d535 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/quic.log +++ b/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/quic.log @@ -5,7 +5,7 @@ #unset_field - #path quic #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid server_scid server_name client_protocol history -#types time string addr port addr port string string string string string string -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 46907 127.0.0.1 853 1 fda05288ab9ff546 a31f4933d8727231 - doq ISishH +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history +#types time string addr port addr port string string string string string string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 46907 127.0.0.1 853 1 fda05288ab9ff546 0fb934775f247b8e a31f4933d8727231 - doq ISishH #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/quic.log index 2680a6b719..d5dfb05bc4 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/quic.log +++ b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/quic.log @@ -5,7 +5,7 @@ #unset_field - #path quic #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid server_scid server_name client_protocol history -#types time string addr port addr port string string string string string string -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 49320 127.0.0.1 443 quicv2 fa603212c8688817af3d3238735bc7 b168b5cc localhost quic-echo-example ISIIisIH +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history +#types time string addr port addr port string string string string string string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 49320 127.0.0.1 443 quicv2 fa603212c8688817af3d3238735bc7 (empty) b168b5cc localhost quic-echo-example ISIIisIH #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/quic.log index c02fd62fa8..f7b06b5570 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/quic.log +++ b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/quic.log @@ -5,7 +5,7 @@ #unset_field - #path quic #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid server_scid server_name client_protocol history -#types time string addr port addr port string string string string string string -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 50841 127.0.0.1 443 quicv2 bdf0c5b27927cc667e58d95b cdc8b6e6 - h3 ISishIHH +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history +#types time string addr port addr port string string string string string string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 50841 127.0.0.1 443 quicv2 bdf0c5b27927cc667e58d95b 71b8f3f4 cdc8b6e6 - h3 ISishIHH #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.vector-max-size-crash/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.vector-max-size-crash/quic.log index eaccf8f7f2..7c8ea060b6 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.vector-max-size-crash/quic.log +++ b/testing/btest/Baseline/scripts.base.protocols.quic.vector-max-size-crash/quic.log @@ -5,7 +5,7 @@ #unset_field - #path quic #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid server_scid server_name client_protocol history -#types time string addr port addr port string string string string string string -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 1.2.3.4 45492 7.7.7.7 443 unknown-10010000 00 - - - U +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history +#types time string addr port addr port string string string string string string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 1.2.3.4 45492 7.7.7.7 443 unknown-10010000 00 (empty) - - - U #close XXXX-XX-XX-XX-XX-XX