Merge pull request #28 from LeeBrotherston/json_out

Logging Changes
LeeBrotherston · Mar 7, 2016 · 48338ba · 48338ba
2 parents 49a6a53 + 2900b96
commit 48338ba
Show file tree

Hide file tree

Showing 6 changed files with 202 additions and 16 deletions.
diff --git a/fingerprintls/fingerprintls.c b/fingerprintls/fingerprintls.c
@@ -73,7 +73,8 @@ void print_usage(char *bin_name) {
 	fprintf(stderr, "    -p <pcap file>    Read packets from specified pcap file\n");
 //	fprintf(stderr, "    -P <pcap file>    Save packets to specified pcap file for unknown fingerprints\n");
 	fprintf(stderr, "    -j <json file>    Output JSON fingerprints\n");
-	fprintf(stderr, "    -s                Output JSON signatures of unknown connections to stdout\n");
+	fprintf(stderr, "    -l <log file>     Output logfile (JSON format)\n");
+//	fprintf(stderr, "    -s                Output JSON signatures of unknown connections to stdout\n");  // Comment this out as I'm trying to deprecate this
 	fprintf(stderr, "    -d                Show reasons for discarded packets (post BPF)\n");
 	fprintf(stderr, "    -f <fpdb>         Load the (binary) FingerPrint Database\n");
 	fprintf(stderr, "    -u <uid>          Drop privileges to specified UID (not username)\n");
@@ -92,13 +93,13 @@ int main(int argc, char **argv) {
 	char *unpriv_user = NULL;							/* User for dropping privs */
 	char errbuf[PCAP_ERRBUF_SIZE];				/* error buffer */
 	extern pcap_t *handle;								/* packet capture handle */
-	extern pcap_t *output_handle;					/* output to pcap handle */
+//	extern pcap_dumper_t *output_handle;					/* output to pcap handle */
 
 	char *filter_exp = default_filter;
 	int arg_start = 1, i;
 	extern struct bpf_program fp;					/* compiled filter program (expression) */
 
-	extern FILE *json_fd, *fpdb_fd;
+	extern FILE *json_fd, *fpdb_fd, *log_fd;
 	int filesize;
 	uint8_t *fpdb_raw = NULL;
 	int	fp_count = 0;
@@ -108,7 +109,8 @@ int main(int argc, char **argv) {
 
 
 	/* Make sure pipe sees new packets unbuffered. */
-	setvbuf(stdout, (char *)NULL, _IOLBF, 0);
+	//setvbuf(stdout, (char *)NULL, _IOLBF, 0);
+	setlinebuf(stdout);
 
 	if (argc == 1) {
 		print_usage(argv[0]);
@@ -133,9 +135,18 @@ int main(int argc, char **argv) {
 				printf("Reading from file: %s\n", argv[i]);
 				break;
 			case 'P':
-				/* Open the file */
-				handle = pcap_open_offline(argv[++i], errbuf);
-				printf("Reading from file: %s\n", argv[i]);
+				/* Open existing file to append */
+//				output_handle = pcap_dump_open_append(argv[++i], errbuf);
+				/* That failed, try creating a new one */
+//				if(output_handle == NULL) {
+//					output_handle = pcap_dump_open(argv[i], errbuf);
+//				}
+//				if(output_handle == NULL) {
+//					printf("Problem writing output pcap: %s\n", errbuf);
+//					exit (-1);
+//				} else {
+//					printf("Writing samples to file: %s\n", argv[i]);
+//				}
 				break;
 			case 'i':
 				/* Open the interface */
@@ -145,15 +156,25 @@ int main(int argc, char **argv) {
 					exit(-1);
 				}
 				handle = pcap_open_live(argv[++i], SNAP_LEN, 1, 1000, errbuf);
-				printf("Using interface: %s\n", argv[i]);
+				printf("Using interface: \033[1;36m%s\033[1;m\n", argv[i]);
 				break;
 			case 'j':
 				/* JSON output to file */
 				if((json_fd = fopen(argv[++i], "a")) == NULL) {
 					printf("Cannot open JSON file for output\n");
 					exit(-1);
 				}
-				setvbuf(json_fd, (char *)NULL, _IOLBF, 0);
+				// Buffering is fine, but linebuf needed for tailers to work properly
+				setlinebuf(json_fd);
+				break;
+			case 'l':
+				/* Output to log file */
+				if((log_fd = fopen(argv[++i], "a")) == NULL) {
+					printf("Cannot open log file for output\n");
+					exit(-1);
+				}
+				// Buffering is fine, but linebuf needed for tailers to work properly
+				setlinebuf(log_fd);
 				break;
 			case 's':
 				/* JSON output to stdout */

diff --git a/fingerprintls/fingerprintls.h b/fingerprintls/fingerprintls.h
@@ -214,13 +214,15 @@ int newsig_count;
 int show_drops;
 FILE *json_fd = NULL;
 FILE *fpdb_fd = NULL;
+FILE *log_fd = NULL;
+
 struct fingerprint_new *search[8][4];
 char hostname[HOST_NAME_MAX];			/* store the hostname once to save multiple lookups */
 
 
 /* These were in main, but this let's the signal handler close as needed */
 pcap_t *handle = NULL;						/* packet capture handle */
-pcap_t *output_handle = NULL;					/* output to pcap handle */
+//pcap_dumper_t *output_handle = NULL;					/* output to pcap handle */
 
 struct bpf_program fp;					/* compiled filter program (expression) */
 /* --------------------------------------------------------------------- */

diff --git a/fingerprintls/packet_processing.c b/fingerprintls/packet_processing.c
@@ -15,7 +15,7 @@ void got_packet(u_char *args, const struct pcap_pkthdr *pcap_header, const u_cha
 		/* Variables, gotta have variables, and structs and pointers....  and things */
 		/* ************************************************************************* */
 
-		extern FILE *json_fd;
+		extern FILE *json_fd, *log_fd;
 		extern int newsig_count;
 		extern char hostname[HOST_NAME_MAX];
 
@@ -39,6 +39,7 @@ void got_packet(u_char *args, const struct pcap_pkthdr *pcap_header, const u_cha
 		struct fingerprint_new *fp_nav;			/* For navigating the fingerprint database */
 		static struct fingerprint_new *fp_packet = NULL;			/* Generated fingerprint for incoming packet */
 		static uint16_t	extensions_malloc = 0;							/* how much is currently allocated for the extensions field */
+		extern pcap_dumper_t *output_handle;					/* output to pcap handle */
 
 		/* pointers to key places in the packet headers */
 		struct ether_header *ethernet;	/* The ethernet header [1] */
@@ -565,6 +566,7 @@ void got_packet(u_char *args, const struct pcap_pkthdr *pcap_header, const u_cha
 
 					/* Whole criteria match.... woo! */
 					matchcount++;
+					/*
 					fprintf(stdout, "[%s] Fingerprint Matched: \"%.*s\" %s connection from %s:%i to ", printable_time, fp_nav->desc_length ,fp_nav->desc, ssl_version(fp_nav->tls_version),
 						src_address_buffer, ntohs(tcp->th_sport));
 					fprintf(stdout, "%s:%i ", dst_address_buffer, ntohs(tcp->th_dport));
@@ -579,12 +581,100 @@ void got_packet(u_char *args, const struct pcap_pkthdr *pcap_header, const u_cha
 					}
 					fprintf(stdout, "\"");
 					if(matchcount > 1)
-						/* This shouldn't happen, but is useful to debug duplicate fingerprints */
-
-						/* May disable this for speed optimisation (or make it configurable) */
-
 						fprintf(stdout, "(Multiple Match)");
 					fprintf(stdout, "\n");
+					*/
+					/*
+					 * New output format.  JSON to allow easier automated parsing.
+					 */
+					 fprintf(log_fd, "{ "); // May need more header to define type?
+					 fprintf(log_fd, "\"timestamp\": \"%s\", ", printable_time);
+					 fprintf(log_fd, "\"event\": \"fingerprint_match\", ");
+
+					 fprintf(log_fd, "\"ip_version\": ");
+					 switch(ip_version) {
+						 case 4:
+						 	/* IPv4 */
+							fprintf(log_fd, "\"ipv4\", ");
+							inet_ntop(AF_INET,(void*)&ipv4->ip_src,src_address_buffer,sizeof(src_address_buffer));
+							inet_ntop(AF_INET,(void*)&ipv4->ip_dst,dst_address_buffer,sizeof(dst_address_buffer));
+							fprintf(log_fd, "\"ipv4_src\": \"%s\", ", src_address_buffer);
+							fprintf(log_fd, "\"ipv4_dst\": \"%s\", ", dst_address_buffer);
+
+							fprintf(log_fd, "\"src_port\": %hu, ", ntohs(tcp->th_sport));
+							fprintf(log_fd, "\"dst_port\": %hu, ", ntohs(tcp->th_dport));
+
+							break;
+						 case 6:
+						 	/* IPv6 */
+							fprintf(log_fd, "\"ipv6\", ");
+							inet_ntop(AF_INET6,(void*)&ipv6->ip6_src,src_address_buffer,sizeof(src_address_buffer));
+							inet_ntop(AF_INET6,(void*)&ipv6->ip6_dst,dst_address_buffer,sizeof(dst_address_buffer));
+							fprintf(log_fd, "\"ipv6_src\": \"%s\", ", src_address_buffer);
+							fprintf(log_fd, "\"ipv6_dst\": \"%s\", ", dst_address_buffer);
+
+							fprintf(log_fd, "\"src_port\": %hu, ", ntohs(tcp->th_sport));
+							fprintf(log_fd, "\"dst_port\": %hu, ", ntohs(tcp->th_dport));
+							break;
+						 case 7:
+						 	/*
+							 * Teredo.  As this is an IPv6 within IPv4 tunnel, both sets of address are logged.
+							 * The field names remain the same for ease of reporting on "all traffic from X" type
+							 * scenarios, however the "ip_version" field makes it clear that this is an encapsulted
+							 * tunnel.
+							 */
+							fprintf(log_fd, "\"teredo\", ");
+							inet_ntop(AF_INET,(void*)&ipv4->ip_src,src_address_buffer,sizeof(src_address_buffer));
+							inet_ntop(AF_INET,(void*)&ipv4->ip_dst,dst_address_buffer,sizeof(dst_address_buffer));
+							fprintf(log_fd, "\"ipv4_src\": \"%s\", ", src_address_buffer);
+							fprintf(log_fd, "\"ipv4_dst\": \"%s\", ", dst_address_buffer);
+							inet_ntop(AF_INET6,(void*)&ipv6->ip6_src,src_address_buffer,sizeof(src_address_buffer));
+							inet_ntop(AF_INET6,(void*)&ipv6->ip6_dst,dst_address_buffer,sizeof(dst_address_buffer));
+							fprintf(log_fd, "\"ipv6_src\": \"%s\", ", src_address_buffer);
+							fprintf(log_fd, "\"ipv6_dst\": \"%s\", ", dst_address_buffer);
+
+							fprintf(log_fd, "\"src_port\": %hu, ", ntohs(tcp->th_sport));
+							fprintf(log_fd, "\"dst_port\": %hu, ", ntohs(tcp->th_dport));
+
+							/* Add in ports of the outer Teredo tunnel? */
+
+							break;
+						 case 8:
+						 	/*
+							 * 6in4. 	As this is an IPv6 within IPv4 tunnel, both sets of address are logged.
+							 * The field names remain the same for ease of reporting on "all traffic from X" type
+							 * scenarios, however the "ip_version" field makes it clear that this is an encapsulted
+							 * tunnel.
+							 */
+							fprintf(log_fd, "\"6in4\", ");
+							inet_ntop(AF_INET,(void*)&ipv4->ip_src,src_address_buffer,sizeof(src_address_buffer));
+							inet_ntop(AF_INET,(void*)&ipv4->ip_dst,dst_address_buffer,sizeof(dst_address_buffer));
+							fprintf(log_fd, "\"ipv4_src\": \"%s\", ", src_address_buffer);
+							fprintf(log_fd, "\"ipv4_dst\": \"%s\", ", dst_address_buffer);
+							inet_ntop(AF_INET6,(void*)&ipv6->ip6_src,src_address_buffer,sizeof(src_address_buffer));
+							inet_ntop(AF_INET6,(void*)&ipv6->ip6_dst,dst_address_buffer,sizeof(dst_address_buffer));
+							fprintf(log_fd, "\"ipv6_src\": \"%s\", ", src_address_buffer);
+							fprintf(log_fd, "\"ipv6_dst\": \"%s\", ", dst_address_buffer);
+
+							fprintf(log_fd, "\"src_port\": %hu, ", ntohs(tcp->th_sport));
+							fprintf(log_fd, "\"dst_port\": %hu, ", ntohs(tcp->th_dport));
+							break;
+					 }
+
+					 fprintf(log_fd, "\"tls_version\": \"%s\", ", ssl_version(fp_nav->tls_version));
+					 fprintf(log_fd, "\"fingerprint_desc\": \"%.*s\", ", fp_nav->desc_length, fp_nav->desc);
+
+					 fprintf(log_fd, "\"server_name\": \"");
+
+					 if(server_name != NULL) {
+ 						for (arse = 7 ; arse <= (server_name[0]*256 + server_name[1]) + 1 ; arse++) {
+ 							if (server_name[arse] > 0x20 && server_name[arse] < 0x7b)
+ 								fprintf(log_fd, "%c", server_name[arse]);
+ 						}
+ 					}
+
+					fprintf(log_fd, "\" }\n");
+
 			} else {
 				// Fuzzy Match goes here (if we ever want it)
 
@@ -596,6 +686,13 @@ void got_packet(u_char *args, const struct pcap_pkthdr *pcap_header, const u_cha
 
 
 		if(matchcount == 0) {
+			/* Write to unknown fingerprint pcap file (if opened already) */
+//			if(output_handle != NULL) {
+				//pcap_dump(output_handle, pcap_header, packet);
+//			}
+
+
+
 			/*
 				OK, we're setting up a signature, let's  actually do some memory fun
 			*/

diff --git a/fingerprintls/tlsfp.db b/fingerprintls/tlsfp.db
diff --git a/fingerprints/fingerprints.json b/fingerprints/fingerprints.json
@@ -251,9 +251,12 @@
 {"id": 0, "desc": "Wii-U", "record_tls_version": "0x0301", "tls_version": "0x0301", "ciphersuite_length": "0x003C", "ciphersuite": "0xC014 0xC00A 0x0039 0xC00F 0xC005 0x0035 0xC012 0xC008 0x0016 0xC00D 0xC003 0x000A 0xC013 0xC009 0x0033 0xC00E 0xC004 0x002F 0xC011 0xC007 0xC00C 0xC002 0x0005 0x0004 0x0015 0x0009 0x0014 0x0008 0x0003 0x00FF", "compression_length": "1",  "compression": "0x00", "extensions": "0x0000 0x000B 0x000A ", "e_curves": "0x0001 0x0002 0x0003 0x0004 0x0005 0x0006 0x0007 0x0008 0x0009 0x000A 0x000B 0x000C 0x000D 0x000E 0x000F 0x0010 0x0011 0x0012 0x0013 0x0014 0x0015 0x0016 0x0017 0x0018 0x0019 ", "sig_alg": "", "ec_point_fmt": "0x00 0x01 0x02"}
 {"id": 0, "desc": "Glympse Location Tracking??", "record_tls_version": "0x0301", "tls_version": "0x0301", "ciphersuite_length": "0x005A", "ciphersuite": "0xC014 0xC00A 0x0039 0x0038 0x0088 0x0087 0xC00F 0xC005 0x0035 0x0084 0xC013 0xC009 0x0033 0x0032 0x009A 0x0099 0x0045 0x0044 0xC00E 0xC004 0x002F 0x0096 0x0041 0xC011 0xC007 0xC00C 0xC002 0x0005 0x0004 0xC012 0xC008 0x0016 0x0013 0xC00D 0xC003 0x000A 0x0015 0x0012 0x0009 0x0014 0x0011 0x0008 0x0006 0x0003 0x00FF", "compression_length": "1",  "compression": "0x00", "extensions": "0x0000 0x000B 0x000A 0x0023 ", "e_curves": "0x000E 0x000D 0x0019 0x000B 0x000C 0x0018 0x0009 0x000A 0x0016 0x0017 0x0008 0x0006 0x0007 0x0014 0x0015 0x0004 0x0005 0x0012 0x0013 0x0001 0x0002 0x0003 0x000F 0x0010 0x0011 ", "sig_alg": "", "ec_point_fmt": "0x00 0x01 0x02"}
 {"id": 0, "desc": "Windows 10 Native Connection", "record_tls_version": "0x0303", "tls_version": "0x0303", "ciphersuite_length": "0x0034", "ciphersuite": "0xC02C 0xC02B 0xC030 0xC02F 0x009F 0x009E 0xC024 0xC023 0xC028 0xC027 0xC00A 0xC009 0xC014 0xC013 0x009D 0x009C 0x003D 0x003C 0x0035 0x002F 0x000A 0x006A 0x0040 0x0038 0x0032 0x0013", "compression_length": "1",  "compression": "0x00", "extensions": "0x0000 0x0005 0x000A 0x000B 0x000D 0x0023 0x0017 0xFF01 ", "e_curves": "0x0017 0x0018 ", "sig_alg": "0x0401 0x0501 0x0201 0x0403 0x0503 0x0203 0x0202 0x0601 0x0603 ", "ec_point_fmt": "0x00"}
-{"id": 0, "desc": "PubNub data stream #1", "record_tls_version": "0x0301", "tls_version": "0x0303", "ciphersuite_length": "0x0028", "ciphersuite": "0xC02B 0xC02C 0xC02F 0xC030 0x009E 0x009F 0xC009 0xC00A 0xC013 0xC014 0x0033 0x0039 0xC007 0xC011 0x009C 0x009D 0x002F 0x0035 0x0005 0x00FF", "compression_length": "1",  "compression": "0x00", "extensions": "0x0000 0x0017 0x0023 0x000D 0x0010 0x000B 0x000A 0x0015 ", "e_curves": "0x0017 0x0018 0x0019 ", "sig_alg": "0x0601 0x0603 0x0501 0x0503 0x0401 0x0403 0x0301 0x0303 0x0201 0x0203 ", "ec_point_fmt": "0x00"}
+{"id": 0, "desc": "PubNub data stream #1 & Apteligent", "record_tls_version": "0x0301", "tls_version": "0x0303", "ciphersuite_length": "0x0028", "ciphersuite": "0xC02B 0xC02C 0xC02F 0xC030 0x009E 0x009F 0xC009 0xC00A 0xC013 0xC014 0x0033 0x0039 0xC007 0xC011 0x009C 0x009D 0x002F 0x0035 0x0005 0x00FF", "compression_length": "1",  "compression": "0x00", "extensions": "0x0000 0x0017 0x0023 0x000D 0x0010 0x000B 0x000A 0x0015 ", "e_curves": "0x0017 0x0018 0x0019 ", "sig_alg": "0x0601 0x0603 0x0501 0x0503 0x0401 0x0403 0x0301 0x0303 0x0201 0x0203 ", "ec_point_fmt": "0x00"}
 {"id": 0, "desc": "PubNub data stream #2", "record_tls_version": "0x0301", "tls_version": "0x0303", "ciphersuite_length": "0x0028", "ciphersuite": "0xC02B 0xC02C 0xC02F 0xC030 0x009E 0x009F 0xC009 0xC00A 0xC013 0xC014 0x0033 0x0039 0xC007 0xC011 0x009C 0x009D 0x002F 0x0035 0x0005 0x00FF", "compression_length": "1",  "compression": "0x00", "extensions": "0x0000 0x0017 0x0023 0x000D 0x0010 0x000B 0x000A ", "e_curves": "0x0017 0x0018 0x0019 ", "sig_alg": "0x0601 0x0603 0x0501 0x0503 0x0401 0x0403 0x0301 0x0303 0x0201 0x0203 ", "ec_point_fmt": "0x00"}
 {"id": 0, "desc": "Blackberry", "record_tls_version": "0x0301", "tls_version": "0x0301", "ciphersuite_length": "0x005A", "ciphersuite": "0xC014 0xC00A 0x0039 0x0038 0x0088 0x0087 0xC00F 0xC005 0x0035 0x0084 0xC013 0xC009 0x0033 0x0032 0x009A 0x0099 0x0045 0x0044 0xC00E 0xC004 0x002F 0x0096 0x0041 0xC011 0xC007 0xC00C 0xC002 0x0005 0x0004 0xC012 0xC008 0x0016 0x0013 0xC00D 0xC003 0x000A 0x0015 0x0012 0x0009 0x0014 0x0011 0x0008 0x0006 0x0003 0x00FF", "compression_length": "1",  "compression": "0x00", "extensions": "0x0000 0x000B 0x000A ", "e_curves": "0x000E 0x000D 0x0019 0x000B 0x000C 0x0018 0x0009 0x000A 0x0016 0x0017 0x0008 0x0006 0x0007 0x0014 0x0015 0x0004 0x0005 0x0012 0x0013 0x0001 0x0002 0x0003 0x000F 0x0010 0x0011 ", "sig_alg": "", "ec_point_fmt": "0x00 0x01 0x02"}
 {"id": 0, "desc": "BlackBerry Browser (Tested BB10)", "record_tls_version": "0x0301", "tls_version": "0x0303", "ciphersuite_length": "0x006C", "ciphersuite": "0xC02C 0xC030 0xC02B 0xC02F 0xC024 0xC00A 0xC028 0xC014 0xC023 0xC009 0xC027 0xC013 0xC008 0xC012 0x009F 0x00A3 0x009E 0x00A2 0x006B 0x0039 0x006A 0x0038 0x0067 0x0033 0x0040 0x0032 0xC02E 0xC032 0xC02D 0xC031 0xC026 0xC005 0xC02A 0xC00F 0xC025 0xC004 0xC029 0xC00E 0xC003 0xC00D 0x009D 0x009C 0x003D 0x0035 0x003C 0x002F 0xC011 0xC007 0xC00C 0xC002 0x0005 0x0004 0x000A 0x00FF", "compression_length": "1",  "compression": "0x00", "extensions": "0x0000 0x000B 0x000A 0x0023 0x000D 0x0005 0x0015 ", "e_curves": "0x0019 0x0018 0x0009 0x0017 0x0013 0x0001 ", "sig_alg": "0x0601 0x0602 0x0603 0x0501 0x0502 0x0503 0x0401 0x0402 0x0403 0x0301 0x0302 0x0303 0x0201 0x0202 0x0203 ", "ec_point_fmt": "0x00 0x01 0x02"}
 {"id": 0, "desc": "Candy Crush (testing iOS 8.3)", "record_tls_version": "0x0301", "tls_version": "0x0303", "ciphersuite_length": "0x0082", "ciphersuite": "0xC030 0xC02C 0xC028 0xC024 0xC014 0xC00A 0x00A3 0x009F 0x006B 0x006A 0x0039 0x0038 0x0088 0x0087 0xC032 0xC02E 0xC02A 0xC026 0xC00F 0xC005 0x009D 0x003D 0x0035 0x0084 0xC02F 0xC02B 0xC027 0xC023 0xC013 0xC009 0x00A2 0x009E 0x0067 0x0040 0x0033 0x0032 0x0045 0x0044 0xC031 0xC02D 0xC029 0xC025 0xC00E 0xC004 0x009C 0x003C 0x002F 0x0041 0xC011 0xC007 0xC00C 0xC002 0x0005 0x0004 0xC012 0xC008 0x0016 0x0013 0xC00D 0xC003 0x000A 0x0015 0x0012 0x0009 0x00FF", "compression_length": "1",  "compression": "0x00", "extensions": "0x0000 0x000B 0x000A 0x000D 0x000F 0x0015 ", "e_curves": "0x000E 0x000D 0x0019 0x000B 0x000C 0x0018 0x0009 0x000A 0x0016 0x0017 0x0008 0x0006 0x0007 0x0014 0x0015 0x0004 0x0005 0x0012 0x0013 0x0001 0x0002 0x0003 0x000F 0x0010 0x0011 ", "sig_alg": "0x0601 0x0602 0x0603 0x0501 0x0502 0x0503 0x0401 0x0402 0x0403 0x0301 0x0302 0x0303 0x0201 0x0202 0x0203 ", "ec_point_fmt": "0x00 0x01 0x02"}
 {"id": 0, "desc": "Tripit Android App", "record_tls_version": "0x0301", "tls_version": "0x0303", "ciphersuite_length": "0x001A", "ciphersuite": "0xC02B 0xC02F 0x009E 0xC00A 0xC009 0xC013 0xC014 0x0033 0x0039 0x009C 0x002F 0x0035 0x00FF", "compression_length": "1",  "compression": "0x00", "extensions": "0x0000 0x0017 0x0023 0x000D 0x0010 0x000B 0x000A ", "e_curves": "0x0017 0x0018 0x0019 ", "sig_alg": "0x0601 0x0603 0x0501 0x0503 0x0401 0x0403 0x0301 0x0303 0x0201 0x0203 ", "ec_point_fmt": "0x00"}
+{"id": 0, "desc": "Aviator Updates", "record_tls_version": "0x0301", "tls_version": "0x0301", "ciphersuite_length": "0x0028", "ciphersuite": "0x00FF 0xC024 0xC023 0xC00A 0xC009 0xC008 0xC028 0xC027 0xC014 0xC013 0xC012 0x003D 0x003C 0x0035 0x002F 0x000A 0xC007 0xC011 0x0005 0x0004", "compression_length": "1",  "compression": "0x00", "extensions": "0x0000 0x000A 0x000B 0x3374 0x0010 0x0005 0x0012 ", "e_curves": "0x0017 0x0018 0x0019 ", "sig_alg": "", "ec_point_fmt": "0x00"}
+{"id": 0, "desc": "iTunes/iBooks #1", "record_tls_version": "0x0301", "tls_version": "0x0303", "ciphersuite_length": "0x0020", "ciphersuite": "0xC02B 0xC02F 0x009E 0xCC14 0xCC13 0xC00A 0xC014 0x0039 0xC009 0xC013 0x0033 0x009C 0x0035 0x002F 0x000A 0xC028", "compression_length": "1",  "compression": "0x00", "extensions": "0xFF01 0x0000 0x0017 0x0023 0x000D 0x0005 0x3374 0x0012 0x0010 0x7550 0x000B 0x000A ", "e_curves": "0x0017 0x0018 ", "sig_alg": "0x0601 0x0603 0x0501 0x0503 0x0401 0x0403 0x0301 0x0303 0x0201 0x0203 ", "ec_point_fmt": "0x00"}
+{"id": 0, "desc": "iTunes/iBooks #2", "record_tls_version": "0x0301", "tls_version": "0x0302", "ciphersuite_length": "0x0014", "ciphersuite": "0xC00A 0xC014 0x0039 0xC009 0xC013 0x0033 0x0035 0x002F 0x000A 0x5600", "compression_length": "1",  "compression": "0x00", "extensions": "0xFF01 0x0000 0x0017 0x0023 0x0005 0x3374 0x0012 0x0010 0x7550 0x000B 0x000A ", "e_curves": "0x0017 0x0018 ", "sig_alg": "", "ec_point_fmt": "0x00"}