From e791655089b79909e78b60028f92a76d36c6afa1 Mon Sep 17 00:00:00 2001
From: ImBenji
Date: Fri, 29 Aug 2025 00:47:49 +0100
Subject: [PATCH] Enhance handshake analysis with detailed logging and protocol detection improvements
---
 lib/services/protocol_blocking_service.dart | 57 +++++++++++++++++++--
 1 file changed, 52 insertions(+), 5 deletions(-)
diff --git a/lib/services/protocol_blocking_service.dart b/lib/services/protocol_blocking_service.dart
index b7b414b..9f9ff2c 100644
--- a/lib/services/protocol_blocking_service.dart
+++ b/lib/services/protocol_blocking_service.dart
@@ -250,28 +250,75 @@ class ProtocolBlockingService {
 }
 static void _analyzeHandshake(String handshakeData, Connection conn) {
- // Simple pattern detection for now
+ print('════════════════ HANDSHAKE SIGNATURE ANALYSIS ════════════════');
+ print('📍 Connection: $conn');
+
+ // Extract raw bytes from tcpdump hex output
+ final hexBytes = _extractHexBytes(handshakeData);
+ final asciiData = _extractAsciiFromHex(hexBytes);
+
+ print('📊 Raw Data Length: ${handshakeData.length} chars');
+ print('🔢 Hex Bytes (first 64): ${hexBytes.take(64).join(' ')}');
+ print('📝 ASCII Representation: ${asciiData.replaceAll('\n', '\\n').replaceAll('\r', '\\r')}');
+ print('🔍 First 32 bytes as string: ${String.fromCharCodes(hexBytes.take(32).map((h) => int.tryParse(h, radix: 16) ?? 0).where((b) => b >= 32 && b <= 126))}');
+
+ // Protocol detection with signature details
 final data = handshakeData.toLowerCase();
- String? detectedProtocol;
+ String signature = '';
- if (data.contains('bittorrent protocol') || data.contains('13426974546f7272656e742070726f746f636f6c')) {
+ if (data.contains('bittorrent protocol') || hexBytes.join('').contains('13426974546f7272656e742070726f746f636f6c')) {
 detectedProtocol = 'BitTorrent';
+ signature = 'BitTorrent handshake signature detected';
 } else if (data.contains('ssh-2.0') || data.contains('ssh-1.')) {
 detectedProtocol = 'SSH';
+ signature = 'SSH protocol version string';
 } else if (data.contains('get ') || data.contains('post ') || data.contains('http/')) {
 detectedProtocol = 'HTTP';
+ signature = 'HTTP request headers';
 } else if (data.contains('220 ') && conn.remotePort == 25) {
 detectedProtocol = 'SMTP';
+ signature = 'SMTP welcome message';
 } else if (data.contains('220 ') && conn.remotePort == 21) {
 detectedProtocol = 'FTP';
+ signature = 'FTP welcome message';
+ } else if (hexBytes.isNotEmpty && hexBytes.first == '16' && hexBytes.length > 5) {
+ // TLS detection
+ detectedProtocol = 'TLS/SSL';
+ signature = 'TLS ClientHello/ServerHello (0x16 record type)';
 }
 if (detectedProtocol != null) {
- print('🎯 PROTOCOL DETECTED: $detectedProtocol for $conn');
+ print('🎯 PROTOCOL IDENTIFIED: $detectedProtocol');
+ print('📋 Signature: $signature');
 } else {
- print('❓ Unknown protocol for $conn');
+ print('❓ UNKNOWN PROTOCOL');
+ print('💡 Pattern not recognized - logging for analysis');
 }
+ print('══════════════════════════════════════════════════════════════');
+ }
+
+ static List _extractHexBytes(String tcpdumpOutput) {
+ final hexPattern = RegExp(r'0x[0-9a-f]+:\s*([0-9a-f\s]+)', caseSensitive: false);
+ final matches = hexPattern.allMatches(tcpdumpOutput);
+
+ final hexBytes = [];
+ for (final match in matches) {
+ final hexLine = match.group(1)?.replaceAll(' ', '') ?? '';
+ for (int i = 0; i < hexLine.length; i += 2) {
+ if (i + 1 < hexLine.length) {
+ hexBytes.add(hexLine.substring(i, i + 2));
+ }
+ }
+ }
+ return hexBytes;
+ }
+
+ static String _extractAsciiFromHex(List hexBytes) {
+ return hexBytes
+ .map((hex) => int.tryParse(hex, radix: 16) ?? 0)
+ .map((byte) => (byte >= 32 && byte <= 126) ? String.fromCharCode(byte) : '.')
+ .join('');
 }
 static void dispose() {
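Review bot: The hunk deletes the local declaration `String? detectedProtocol;` (the `-` line right after `final data = handshakeData.toLowerCase();`) while the new body still assigns `detectedProtocol` in every branch and tests it in `if (detectedProtocol != null)`; unless the class declares a static field of that name outside the hunk this does not compile, and if it does, the value persists across calls and connections, so the local should be restored next to `String signature = '';`. The new `📝 ASCII Representation` and `🔢 Hex Bytes` prints write the captured payload to stdout, and for HTTP or SMTP that can include Authorization headers, cookies or credentials — gate these two dumps behind a debug/verbose flag or truncate them the way the `take(32)` line already does. `_extractHexBytes` returns an untyped `List` and builds `final hexBytes = [];`, a `List<dynamic>`, which removes static checking from `hexBytes.first == '16'` and from `_extractAsciiFromHex(List hexBytes)`; prefer `static List<String> _extractHexBytes(String tcpdumpOutput)`, `final hexBytes = <String>[];` and `List<String> hexBytes` in the helper. If `handshakeData` is `tcpdump -X` output, the capture group `([0-9a-f\s]+)` can run past the hex columns into the trailing ASCII column whenever that column begins with hex-looking characters, and such dumps normally start at the IP header rather than the TCP payload, so the `hexBytes.first == '16'` TLS test would rarely see a record-type byte; confirm which tcpdump flags produce the input and anchor the pattern on the fixed hex column width if so.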