Lua Tap plugin does not see all TLS Change Cipher Spec messages

I am attempting to implement a Lua Tap plugin to count the number of Change Cipher Spec messages sent by the client in an attempt to detect a certain type of Layer 7 DDoS attack.

The DDoS attack is described here: https://kb.mazebolt.com/knowledgebase/thc-ssl-flood/ (a PCAP file is also accessible on this page).

If I open the PCAP file provided on the above-mentioned page and apply the following filter, a total of 252 out of 1323 packets are shown: tls.record.content_type == 20. This appears to be correct.

When I attempt something similar in a Lua Tap plugin, however (see pseudocode below), I get a different result.

packet_change_cipher_spec = 0
-- Field extractors have to be created at script load time, before any packet is dissected.
f_tls_record_content_type = Field.new("tls.record.content_type")
-- Tap every frame; non-TLS frames simply yield no field instance below.
local tap = Listener.new()
function tap.packet(pinfo,tvb,tapinfo)
    -- first FieldInfo instance of tls.record.content_type in this packet (nil if absent)
    local tls_record_content_type = f_tls_record_content_type()
    if tls_record_content_type and tls_record_content_type.value == 20 then
        packet_change_cipher_spec = packet_change_cipher_spec + 1
    end
end
function tap.draw()
    print("packets counted as Change Cipher Spec: " .. packet_change_cipher_spec)
end

Only half the packets are counted: 126.

It appears that the packets generally contain multiple TLS messages and tls_record_content_type.value contains the first of these messages, which in half the cases is not 20 but 22 instead.

I could not find a way to access the other TLS messages for a packet, though it appears that Wireshark is perfectly capable of doing so, since they are all shown and dissected in the GUI.

Do I have to access these values differently or is this not possible with the Lua plugin API?

Any help or feedback is appreciated!
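As an added example (this is not the original poster's code and not a reply from the thread), the tap below collects every tls.record.content_type instance in a packet by wrapping the extractor call in a table constructor, `{ f() }`, instead of keeping only the first returned value, and then counts both packets that contain a Change Cipher Spec record and the records themselves. It assumes Wireshark 3.0 or newer (the `tls` display filter and `tls.*` field names; older releases use `ssl.*`), that the server side of the flood is TCP port 443 so that a record counts as "sent by the client" when the packet's destination port is 443, and a capture file name of thc-ssl-flood.pcap in the usage line. All three are assumptions, not facts from the question.

```lua
-- Added example, not the original poster's script.
-- Run with:  tshark -q -r thc-ssl-flood.pcap -X lua_script:count_ccs.lua
-- (file name assumed; use the PCAP linked from the knowledge-base page)

-- TLS record content types (RFC 5246, section 6.2.1)
local CHANGE_CIPHER_SPEC = 20
local HANDSHAKE          = 22

-- Assumption: the attacked server listens on TCP 443, so a packet whose
-- destination port is 443 was sent by the client.
local SERVER_PORT = 443

-- Field extractors must be created at script load time, before dissection starts.
local f_content_type = Field.new("tls.record.content_type")

local packets_with_ccs    = 0   -- packets carrying at least one CCS record
local ccs_records         = 0   -- CCS records in total (a packet may hold several TLS records)
local client_ccs_records  = 0   -- ... of which were sent from the client side

-- Tap "frame" (the default when the first argument is nil) but only for
-- packets that pass the "tls" display filter.
local tap = Listener.new(nil, "tls")

function tap.packet(pinfo, tvb, tapinfo)
    -- Calling a Field extractor returns one FieldInfo per instance of the field
    -- in the current packet, as multiple return values. Assigning to a single
    -- variable keeps only the first record's type; a table constructor keeps all.
    local records = { f_content_type() }

    local ccs_in_packet = 0
    for _, fi in ipairs(records) do
        -- fi.value is the numeric content type for this uint8 field
        if fi.value == CHANGE_CIPHER_SPEC then
            ccs_in_packet = ccs_in_packet + 1
        end
    end

    if ccs_in_packet > 0 then
        packets_with_ccs = packets_with_ccs + 1
        ccs_records = ccs_records + ccs_in_packet
        if pinfo.dst_port == SERVER_PORT then
            client_ccs_records = client_ccs_records + ccs_in_packet
        end
    end
end

-- tshark calls draw() once at the end of the capture file.
function tap.draw()
    print(string.format(
        "packets with CCS: %d, CCS records: %d, client-sent CCS records: %d",
        packets_with_ccs, ccs_records, client_ccs_records))
end

-- Called when the capture is re-dissected (e.g. filter change in the GUI).
function tap.reset()
    packets_with_ccs, ccs_records, client_ccs_records = 0, 0, 0
end
```

The packet count from this tap is the number that should line up with the display filter tls.record.content_type == 20, since that filter matches a packet if any of its records has type 20; the record count can be higher when a single segment carries more than one Change Cipher Spec record. Records that Wireshark reassembles from several TCP segments are reported in the frame where reassembly completes, which is also the frame the display filter matches, so the two views stay consistent.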