Configure raw packet capture
Before starting, ensure that you've install the necessary prerequisites.
To enable this feature, we will use a CapturedTcpConnectionProvider instead of the default DefaultTcpConnectionProvider used by fluxzy.
This implementation is provided with the package Fluxzy.Core.Pcap and, in addition of having the responsibility to create new remote connection, enables dumping an active TCP connection to a PCAPNG file.
await using var tcpConnectionProvider = await CapturedTcpConnectionProvider.CreateInProcessCapture();
await using var proxy = new Proxy(fluxzyStartupSetting, tcpConnectionProvider: tcpConnectionProvider);
Full example
Here is a full working sample that will capture the raw PCAPNG file of an System.Net.HttpClient making a request to "https://www.example.com".
using System.Net;
using Fluxzy;
using Fluxzy.Core.Pcap;
using Fluxzy.Readers;
namespace TestFluxzyLibrary;
internal class Program
{
private static async Task Main()
{
var tempDirectory = "fluxzy_dump_folder";
var fluxzyStartupSetting = FluxzySetting
.CreateDefault()
.SetOutDirectory(tempDirectory);
await using(var tcpConnectionProvider = await CapturedTcpConnectionProvider.CreateInProcessCapture())
{
await using var proxy = new Proxy(fluxzyStartupSetting, tcpConnectionProvider: tcpConnectionProvider);
var endpoints = proxy.Run();
using var httpClient = new HttpClient(new HttpClientHandler()
{
// We instruct the HttpClient to use the proxy
Proxy = new WebProxy("127.0.0.1", endpoints.First().Port),
UseProxy = true
});
// Make a request to a remote website
using var response = await httpClient.GetAsync("https://www.example.com/");
// Fluxzy is in full streaming mode, this means that the actual body content
// is only captured when the client reads it.
await (await response.Content.ReadAsStreamAsync()).CopyToAsync(Stream.Null);
}
using var archiveReader = new DirectoryArchiveReader(tempDirectory);
// We retrieve back the exchange related to the request to example.com
var requestExchange =
archiveReader.ReadAllExchanges().First(r => r.KnownAuthority == "www.example.com");
using var pcapFileStream = File.Create("example.com.pcapng");
await archiveReader.GetRawCaptureStream(requestExchange!.ConnectionId!)!.CopyToAsync(pcapFileStream);
}
}
Enable NSS Key log collection
SSL can be enabled when using the managed SSL provider Bouncy Castle instead of the OS default.
There are few changes from the previous example to enable NSS key log collection.
First, we need to use the Bouncy Castle SSL provider.
var fluxzyStartupSetting = FluxzySetting
.CreateDefault()
.SetOutDirectory(tempDirectory)
.UseBouncyCastleSslProvider(); // Add this line
At, this point when reading a dump directory the method IArchiveReader.GetRawCaptureKeyStream(connectionId) should returns the NSS key log related to the connectionId.
Fluxzy provides an useful helper, PcapngUtils.CreatePcapngFileWithKeys to combine the raw capture file with the NSS Key log datas.
Let's replace the two last line of the previous sample to make it work.
// create the stream to store the final pcapng file
using var finalPcapStream = File.Create("example.com.deciphered.pcapng");
// retrieve the encrypted raw pcapng file as stream
using var encryptedRawPcapStream = archiveReader.GetRawCaptureStream(requestExchange.ConnectionId)!;
// read the NSS Key log
var nssKeyLog = archiveReader.GetRawCaptureKeyStream(requestExchange.ConnectionId)
!.ReadToEndGreedy(); // This method is reads a stream to end and return the result as string, assuming UTF8.
// The helper that will combine the NSS key log and the encrypting pcapng file to a final pcapng file
await PcapngUtils.CreatePcapngFileWithKeysAsync(nssKeyLog, encryptedRawPcapStream, finalPcapStream);
After running with this changes, you should be able to see deciphered HTTP sessions when opening example.com.deciphered.pcapng file with Wireshark.