fix: improve error logging with source/destination details
Some checks failed
Build RPM Package / Build RPM Packages (CentOS 7, Rocky 8/9/10) (push) Has been cancelled
Some checks failed
Build RPM Package / Build RPM Packages (CentOS 7, Rocky 8/9/10) (push) Has been cancelled
Logging improvements:
- Add src_ip, src_port, dst_ip, dst_port to tlsparse error logs
- Add connection details to fingerprint error logs (conn_id, payload_len)
- Include 'unknown' placeholders for packets that fail before parsing
This helps debug issues with truncated ClientHello payloads
and identify problematic connections more easily.
Example log output:
WARN Failed to generate fingerprints
src_ip=192.168.1.10 src_port=54321 dst_ip=10.0.0.1 dst_port=443
conn_id=192.168.1.10:54321->10.0.0.1:443 payload_len=128
error="failed to parse ClientHello: extension data truncated"
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
This commit is contained in:
toto
@ -168,6 +168,10 @@ func main() {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
appLogger.Warn("tlsparse", "Failed to parse TLS ClientHello", map[string]string{
|
appLogger.Warn("tlsparse", "Failed to parse TLS ClientHello", map[string]string{
|
||||||
"error": err.Error(),
|
"error": err.Error(),
|
||||||
|
"src_ip": "unknown",
|
||||||
|
"src_port": "unknown",
|
||||||
|
"dst_ip": "unknown",
|
||||||
|
"dst_port": "unknown",
|
||||||
})
|
})
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
@ -187,6 +191,11 @@ func main() {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
appLogger.Warn("fingerprint", "Failed to generate fingerprints", map[string]string{
|
appLogger.Warn("fingerprint", "Failed to generate fingerprints", map[string]string{
|
||||||
"error": err.Error(),
|
"error": err.Error(),
|
||||||
|
"src_ip": clientHello.SrcIP,
|
||||||
|
"src_port": fmt.Sprintf("%d", clientHello.SrcPort),
|
||||||
|
"dst_ip": clientHello.DstIP,
|
||||||
|
"dst_port": fmt.Sprintf("%d", clientHello.DstPort),
|
||||||
|
"conn_id": clientHello.ConnID,
|
||||||
})
|
})
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|||||||
@ -18,17 +18,19 @@ func NewEngine() *EngineImpl {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// FromClientHello generates JA4 (and optionally JA3) fingerprints from a TLS ClientHello
|
// FromClientHello generates JA4 (and optionally JA3) fingerprints from a TLS ClientHello
|
||||||
// Note: JA4Hash is populated for internal use but should NOT be serialized to LogRecord
|
// Note: JA4 hash portion is extracted for internal use but NOT serialized to LogRecord
|
||||||
// as the JA4 format already includes its own hash portions (per architecture.yml)
|
// as the JA4 format already includes its own hash portions (per architecture.yml)
|
||||||
func (e *EngineImpl) FromClientHello(ch api.TLSClientHello) (*api.Fingerprints, error) {
|
func (e *EngineImpl) FromClientHello(ch api.TLSClientHello) (*api.Fingerprints, error) {
|
||||||
if len(ch.Payload) == 0 {
|
if len(ch.Payload) == 0 {
|
||||||
return nil, fmt.Errorf("empty ClientHello payload")
|
return nil, fmt.Errorf("empty ClientHello payload from %s:%d -> %s:%d",
|
||||||
|
ch.SrcIP, ch.SrcPort, ch.DstIP, ch.DstPort)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Parse the ClientHello using tlsfingerprint
|
// Parse the ClientHello using tlsfingerprint
|
||||||
fp, err := tlsfingerprint.ParseClientHello(ch.Payload)
|
fp, err := tlsfingerprint.ParseClientHello(ch.Payload)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("failed to parse ClientHello: %w", err)
|
return nil, fmt.Errorf("failed to parse ClientHello from %s:%d -> %s:%d (conn_id=%s, payload_len=%d): %w",
|
||||||
|
ch.SrcIP, ch.SrcPort, ch.DstIP, ch.DstPort, ch.ConnID, len(ch.Payload), err)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Generate JA4 fingerprint
|
// Generate JA4 fingerprint
|
||||||
|
|||||||
Reference in New Issue
Block a user