Update to add the "-P" flag.
This allows the user to specify a pcap file in which client hellos that do
not match a fingerprint in the database will be stored.  These samples can be
used to verify fingerprints which are generated.  This will also allow me to
begin creating a library of samples to use for unit testing later.
LeeBrotherston committed Mar 7, 2016
1 parent 48338ba commit 73b361b
Showing 6 changed files with 22 additions and 17 deletions.
24 changes: 10 additions & 14 deletions fingerprintls/fingerprintls.c
Expand Up @@ -71,7 +71,7 @@ void print_usage(char *bin_name) {
fprintf(stderr, " -h This message\n");
fprintf(stderr, " -i <interface> Sniff packets from specified interface\n");
fprintf(stderr, " -p <pcap file> Read packets from specified pcap file\n");
// fprintf(stderr, " -P <pcap file> Save packets to specified pcap file for unknown fingerprints\n");
fprintf(stderr, " -P <pcap file> Save packets to specified pcap file for unknown fingerprints\n");
fprintf(stderr, " -j <json file> Output JSON fingerprints\n");
fprintf(stderr, " -l <log file> Output logfile (JSON format)\n");
// fprintf(stderr, " -s Output JSON signatures of unknown connections to stdout\n"); // Comment this out as I'm trying to deprecate this
Expand All @@ -93,7 +93,7 @@ int main(int argc, char **argv) {
char *unpriv_user = NULL; /* User for dropping privs */
char errbuf[PCAP_ERRBUF_SIZE]; /* error buffer */
extern pcap_t *handle; /* packet capture handle */
// extern pcap_dumper_t *output_handle; /* output to pcap handle */
extern pcap_dumper_t *output_handle; /* output to pcap handle */

char *filter_exp = default_filter;
int arg_start = 1, i;
Expand Down Expand Up @@ -135,18 +135,14 @@ int main(int argc, char **argv) {
printf("Reading from file: %s\n", argv[i]);
break;
case 'P':
/* Open existing file to append */
// output_handle = pcap_dump_open_append(argv[++i], errbuf);
/* That failed, try creating a new one */
// if(output_handle == NULL) {
// output_handle = pcap_dump_open(argv[i], errbuf);
// }
// if(output_handle == NULL) {
// printf("Problem writing output pcap: %s\n", errbuf);
// exit (-1);
// } else {
// printf("Writing samples to file: %s\n", argv[i]);
// }
/* Open the file */
output_handle = pcap_dump_open(pcap_open_dead(DLT_EN10MB, 65535), argv[++i]);
if (output_handle != NULL) {
printf("Writing samples to file: %s\n", argv[i]);
} else {
printf("Could not save samples: %s\n", errbuf);
exit(-1);
}
break;
case 'i':
/* Open the interface */
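Review bot: In the new 'P' case the failure branch prints `errbuf`, but nothing in this path ever writes to it — `pcap_dump_open` reports its error through `pcap_geterr()` on the `pcap_t` it was given, so the message shown on a failed open is whatever stale or uninitialised bytes happen to be in `errbuf`. The dead handle from `pcap_open_dead` is also not checked for NULL before being passed on, and it is discarded, so it can neither be queried for the error nor closed. Keeping the handle in a local fixes both; the same handle can be closed with `pcap_close(dead)` once the dumper is open, since the dumper does not need it afterwards. Note also that `DLT_EN10MB` is hard-coded: if the capture source is not Ethernet (a non-Ethernet `-i` interface or a `-p` file with another link type) the saved samples will carry the wrong link header — that may be fine for this tool's purpose, but it is worth a comment. The enclosing `switch` and `main` continue outside this hunk, so I could not check whether `argv[++i]` is bounds-checked the way the other options are.
```c
case 'P':
    {
        /* Dead handle exists only to supply link type / snaplen for the dump file header */
        pcap_t *dead = pcap_open_dead(DLT_EN10MB, 65535);
        if (dead == NULL) {
            printf("Could not save samples: pcap_open_dead failed\n");
            exit(-1);
        }
        output_handle = pcap_dump_open(dead, argv[++i]);
        if (output_handle == NULL) {
            printf("Could not save samples: %s\n", pcap_geterr(dead));
            exit(-1);
        }
        printf("Writing samples to file: %s\n", argv[i]);
        pcap_close(dead);
    }
    break;
```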
2 changes: 1 addition & 1 deletion fingerprintls/fingerprintls.h
Expand Up @@ -222,7 +222,7 @@ char hostname[HOST_NAME_MAX]; /* store the hostname once to save multiple look

/* These were in main, but this let's the signal handler close as needed */
pcap_t *handle = NULL; /* packet capture handle */
//pcap_dumper_t *output_handle = NULL; /* output to pcap handle */
pcap_dumper_t *output_handle = NULL; /* output to pcap handle */

struct bpf_program fp; /* compiled filter program (expression) */
/* --------------------------------------------------------------------- */
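Review bot: The uncommented line `pcap_dumper_t *output_handle = NULL;` defines a global in a header, which only links if fingerprintls.h is included by exactly one translation unit; the `extern` declarations added in signal.c and main suggest that is currently true, but it is fragile. The existing `pcap_t *handle = NULL;` on the line above has the same shape, so this follows local convention rather than introducing the problem. When this area is next touched, the cleaner form is `extern pcap_dumper_t *output_handle;` in the header with the single definition in fingerprintls.c, which would also let the ad-hoc `extern` lines in the other files go.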
4 changes: 4 additions & 0 deletions fingerprintls/packet_processing.c
Expand Up @@ -881,6 +881,10 @@ void got_packet(u_char *args, const struct pcap_pkthdr *pcap_header, const u_cha
/* END OF RECORD - OR SOMETHING */
/* **************************** */

/* Write the sample packet out */
if(output_handle != NULL) {
pcap_dump((u_char *)output_handle, pcap_header, packet);
}

/*
Setup the new fp_packet for the next incoming packet. Next call to this function will cause a malloc.
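Review bot: The new `pcap_dump` call is not conditioned on the fingerprint match result, yet the commit message and the `-P` usage text describe the file as holding only client hellos that did not match the database; as far as this hunk shows, every packet that reaches this point is written. `got_packet` starts and ends outside the hunk, so if this block sits in an unmatched-only path that is fine, but a short comment such as `/* Only reached for unmatched client hellos -- see match logic above */` would make the intent checkable. Separately, `pcap_dump` goes through a buffered `FILE *`, and the only `pcap_dump_close` I can see is in the signal handler; if `main` can return normally (for example when a `-p` input file is exhausted) the tail of the sample file is lost unless the dumper is also closed on that path, which I could not verify from here.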
7 changes: 6 additions & 1 deletion fingerprintls/signal.c
Expand Up @@ -22,8 +22,9 @@ void sig_handler (int signo) {
extern FILE *json_fd;
extern FILE *fpdb_fd;
extern pcap_t *handle; /* packet capture handle */
extern pcap_dumper_t *output_handle;
extern struct bpf_program fp; /* compiled filter program (expression) */

switch (signo) {

/* Placeholder, will use this for some debugging */
Expand Down Expand Up @@ -51,6 +52,10 @@ void sig_handler (int signo) {
// No checking because accoring to the man page, they don't return anything useful o_O
pcap_freecode(&fp);
pcap_close(handle);
if(output_handle != NULL) {
pcap_dump_close(output_handle);
}


exit(1);
break;
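Review bot: The added `pcap_dump_close(output_handle)` in the second hunk runs inside `sig_handler`, and it ends in `fclose`, which is not async-signal-safe; if the signal lands while `got_packet` is inside `pcap_dump`'s `fwrite` holding the stream lock, the handler can deadlock or corrupt the dump file's tail. The surrounding `pcap_close`/`exit` calls already have this property, so the change matches the existing pattern rather than creating it, but the new call adds a stream that is actively written on the main path, which makes the race more likely than it was. The usual fix is for the handler to only call `pcap_breakloop(handle)` and set a `volatile sig_atomic_t` flag, with `pcap_freecode`, `pcap_close` and `pcap_dump_close` done in `main` after `pcap_loop` returns; `sig_handler` continues outside both hunks, so I could not see what else it does before `exit`.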
Binary file modified fingerprintls/tlsfp.db
Binary file not shown.
2 changes: 1 addition & 1 deletion fingerprints/fingerprints.json
Expand Up @@ -256,7 +256,7 @@
{"id": 0, "desc": "Blackberry", "record_tls_version": "0x0301", "tls_version": "0x0301", "ciphersuite_length": "0x005A", "ciphersuite": "0xC014 0xC00A 0x0039 0x0038 0x0088 0x0087 0xC00F 0xC005 0x0035 0x0084 0xC013 0xC009 0x0033 0x0032 0x009A 0x0099 0x0045 0x0044 0xC00E 0xC004 0x002F 0x0096 0x0041 0xC011 0xC007 0xC00C 0xC002 0x0005 0x0004 0xC012 0xC008 0x0016 0x0013 0xC00D 0xC003 0x000A 0x0015 0x0012 0x0009 0x0014 0x0011 0x0008 0x0006 0x0003 0x00FF", "compression_length": "1", "compression": "0x00", "extensions": "0x0000 0x000B 0x000A ", "e_curves": "0x000E 0x000D 0x0019 0x000B 0x000C 0x0018 0x0009 0x000A 0x0016 0x0017 0x0008 0x0006 0x0007 0x0014 0x0015 0x0004 0x0005 0x0012 0x0013 0x0001 0x0002 0x0003 0x000F 0x0010 0x0011 ", "sig_alg": "", "ec_point_fmt": "0x00 0x01 0x02"}
{"id": 0, "desc": "BlackBerry Browser (Tested BB10)", "record_tls_version": "0x0301", "tls_version": "0x0303", "ciphersuite_length": "0x006C", "ciphersuite": "0xC02C 0xC030 0xC02B 0xC02F 0xC024 0xC00A 0xC028 0xC014 0xC023 0xC009 0xC027 0xC013 0xC008 0xC012 0x009F 0x00A3 0x009E 0x00A2 0x006B 0x0039 0x006A 0x0038 0x0067 0x0033 0x0040 0x0032 0xC02E 0xC032 0xC02D 0xC031 0xC026 0xC005 0xC02A 0xC00F 0xC025 0xC004 0xC029 0xC00E 0xC003 0xC00D 0x009D 0x009C 0x003D 0x0035 0x003C 0x002F 0xC011 0xC007 0xC00C 0xC002 0x0005 0x0004 0x000A 0x00FF", "compression_length": "1", "compression": "0x00", "extensions": "0x0000 0x000B 0x000A 0x0023 0x000D 0x0005 0x0015 ", "e_curves": "0x0019 0x0018 0x0009 0x0017 0x0013 0x0001 ", "sig_alg": "0x0601 0x0602 0x0603 0x0501 0x0502 0x0503 0x0401 0x0402 0x0403 0x0301 0x0302 0x0303 0x0201 0x0202 0x0203 ", "ec_point_fmt": "0x00 0x01 0x02"}
{"id": 0, "desc": "Candy Crush (testing iOS 8.3)", "record_tls_version": "0x0301", "tls_version": "0x0303", "ciphersuite_length": "0x0082", "ciphersuite": "0xC030 0xC02C 0xC028 0xC024 0xC014 0xC00A 0x00A3 0x009F 0x006B 0x006A 0x0039 0x0038 0x0088 0x0087 0xC032 0xC02E 0xC02A 0xC026 0xC00F 0xC005 0x009D 0x003D 0x0035 0x0084 0xC02F 0xC02B 0xC027 0xC023 0xC013 0xC009 0x00A2 0x009E 0x0067 0x0040 0x0033 0x0032 0x0045 0x0044 0xC031 0xC02D 0xC029 0xC025 0xC00E 0xC004 0x009C 0x003C 0x002F 0x0041 0xC011 0xC007 0xC00C 0xC002 0x0005 0x0004 0xC012 0xC008 0x0016 0x0013 0xC00D 0xC003 0x000A 0x0015 0x0012 0x0009 0x00FF", "compression_length": "1", "compression": "0x00", "extensions": "0x0000 0x000B 0x000A 0x000D 0x000F 0x0015 ", "e_curves": "0x000E 0x000D 0x0019 0x000B 0x000C 0x0018 0x0009 0x000A 0x0016 0x0017 0x0008 0x0006 0x0007 0x0014 0x0015 0x0004 0x0005 0x0012 0x0013 0x0001 0x0002 0x0003 0x000F 0x0010 0x0011 ", "sig_alg": "0x0601 0x0602 0x0603 0x0501 0x0502 0x0503 0x0401 0x0402 0x0403 0x0301 0x0302 0x0303 0x0201 0x0202 0x0203 ", "ec_point_fmt": "0x00 0x01 0x02"}
{"id": 0, "desc": "Tripit Android App", "record_tls_version": "0x0301", "tls_version": "0x0303", "ciphersuite_length": "0x001A", "ciphersuite": "0xC02B 0xC02F 0x009E 0xC00A 0xC009 0xC013 0xC014 0x0033 0x0039 0x009C 0x002F 0x0035 0x00FF", "compression_length": "1", "compression": "0x00", "extensions": "0x0000 0x0017 0x0023 0x000D 0x0010 0x000B 0x000A ", "e_curves": "0x0017 0x0018 0x0019 ", "sig_alg": "0x0601 0x0603 0x0501 0x0503 0x0401 0x0403 0x0301 0x0303 0x0201 0x0203 ", "ec_point_fmt": "0x00"}
{"id": 0, "desc": "Android App", "record_tls_version": "0x0301", "tls_version": "0x0303", "ciphersuite_length": "0x001A", "ciphersuite": "0xC02B 0xC02F 0x009E 0xC00A 0xC009 0xC013 0xC014 0x0033 0x0039 0x009C 0x002F 0x0035 0x00FF", "compression_length": "1", "compression": "0x00", "extensions": "0x0000 0x0017 0x0023 0x000D 0x0010 0x000B 0x000A ", "e_curves": "0x0017 0x0018 0x0019 ", "sig_alg": "0x0601 0x0603 0x0501 0x0503 0x0401 0x0403 0x0301 0x0303 0x0201 0x0203 ", "ec_point_fmt": "0x00"}
{"id": 0, "desc": "Aviator Updates", "record_tls_version": "0x0301", "tls_version": "0x0301", "ciphersuite_length": "0x0028", "ciphersuite": "0x00FF 0xC024 0xC023 0xC00A 0xC009 0xC008 0xC028 0xC027 0xC014 0xC013 0xC012 0x003D 0x003C 0x0035 0x002F 0x000A 0xC007 0xC011 0x0005 0x0004", "compression_length": "1", "compression": "0x00", "extensions": "0x0000 0x000A 0x000B 0x3374 0x0010 0x0005 0x0012 ", "e_curves": "0x0017 0x0018 0x0019 ", "sig_alg": "", "ec_point_fmt": "0x00"}
{"id": 0, "desc": "iTunes/iBooks #1", "record_tls_version": "0x0301", "tls_version": "0x0303", "ciphersuite_length": "0x0020", "ciphersuite": "0xC02B 0xC02F 0x009E 0xCC14 0xCC13 0xC00A 0xC014 0x0039 0xC009 0xC013 0x0033 0x009C 0x0035 0x002F 0x000A 0xC028", "compression_length": "1", "compression": "0x00", "extensions": "0xFF01 0x0000 0x0017 0x0023 0x000D 0x0005 0x3374 0x0012 0x0010 0x7550 0x000B 0x000A ", "e_curves": "0x0017 0x0018 ", "sig_alg": "0x0601 0x0603 0x0501 0x0503 0x0401 0x0403 0x0301 0x0303 0x0201 0x0203 ", "ec_point_fmt": "0x00"}
{"id": 0, "desc": "iTunes/iBooks #2", "record_tls_version": "0x0301", "tls_version": "0x0302", "ciphersuite_length": "0x0014", "ciphersuite": "0xC00A 0xC014 0x0039 0xC009 0xC013 0x0033 0x0035 0x002F 0x000A 0x5600", "compression_length": "1", "compression": "0x00", "extensions": "0xFF01 0x0000 0x0017 0x0023 0x0005 0x3374 0x0012 0x0010 0x7550 0x000B 0x000A ", "e_curves": "0x0017 0x0018 ", "sig_alg": "", "ec_point_fmt": "0x00"}
