-
Notifications
You must be signed in to change notification settings - Fork 78
Using Mercury
David McGrew edited this page Jul 22, 2020
·
4 revisions
These examples were created with mercury version 2.2.0. They illustrate the different ways that the program can be used, and how to invoke it in those use cases. The ellipsis (...) indicates that the additional output is not shown. The file top-https.pcap used in the examples is in the subdirectory test/data/. Some of the output lines are quite long; these can be viewed in their entirety by scrolling to the right. Some examples use the jq program to pretty-print the JSON output.
Read the PCAP file top-https.pcap and write JSON to standard output. The option -r (or --read) indicates the file to be read.
$ mercury -r top-https.pcap
{"dns":{"base64":"90CBgAABAAEADQANBmdvb2dsZQNjb20AABwAAcAMABwAAQAAAAUAECYH+LBABAgQAAAAAAAAIA7AEwACAAEAAAAFABQBYwxndGxkLXNlcnZlcnMDbmV0AMATAAIAAQAAAAUABAFpwEbAEwACAAEAAAAFAAQBZsBGwBMAAgABAAAABQAEAWHARsATAAIAAQAAAAUABAFswEbAEwACAAEAAAAFAAQBa8BGwBMAAgABAAAABQAEAW3ARsATAAIAAQAAAAUABAFlwEbAEwACAAEAAAAFAAQBYsBGwBMAAgABAAAABQAEAWjARsATAAIAAQAAAAUABAFnwEbAEwACAAEAAAAFAAQBasBGwBMAAgABAAAABQAEAWTARsCEAAEAAQAAAAUABMAFBh7A1AABAAEAAAAFAATAIQ4ewEQAAQABAAAABQAEwBpcHsEUAAEAAQAAAAUABMAfUB7AxAABAAEAAAAFAATADF4ewHQAAQABAAAABQAEwCMzHsD0AAEAAQAAAAUABMAqXR7A5AABAAEAAAAFAATANnAewGQAAQABAAAABQAEwCusHsEEAAEAAQAAAAUABMAwTx7ApAABAAEAAAAFAATANLIewJQAAQABAAAABQAEwCmiHsC0AAEAAQAAAAUABMA3Ux4="},"src_ip":"192.168.113.2","dst_ip":"192.168.113.237","protocol":17,"src_port":53,"dst_port":37225,"event_start":1565200314.223537}
{"dns":{"base64":"2PuBgAABAAEADQAOBmdvb2dsZQNjb20AAAEAAcAMAAEAAQAAAAUABKzZD07AEwACAAEAAAAFABQBaQxndGxkLXNlcnZlcnMDbmV0AMATAAIAAQAAAAUABAFhwDrAEwACAAEAAAAFAAQBbcA6wBMAAgABAAAABQAEAWvAOsATAAIAAQAAAAUABAFqwDrAEwACAAEAAAAFAAQBY8A6wBMAAgABAAAABQAEAWLAOsATAAIAAQAAAAUABAFnwDrAEwACAAEAAAAFAAQBbMA6wBMAAgABAAAABQAEAWXAOsATAAIAAQAAAAUABAFowDrAEwACAAEAAAAFAAQBZMA6wBMAAgABAAAABQAEAWbAOsBYAAEAAQAAAAUABMAFBh7AqAABAAEAAAAFAATAIQ4ewJgAAQABAAAABQAEwBpcHsD4AAEAAQAAAAUABMAfUB7A2AABAAEAAAAFAATADF4ewQgAAQABAAAABQAEwCMzHsC4AAEAAQAAAAUABMAqXR7A6AABAAEAAAAFAATANnAewDgAAQABAAAABQAEwCusHsCIAAEAAQAAAAUABMAwTx7AeAABAAEAAAAFAATANLIewMgAAQABAAAABQAEwCmiHsBoAAEAAQAAAAUABMA3Ux7AWAAcAAEAAAAFABAgAQUDqD4AAAAAAAAAAgAw"},"src_ip":"192.168.113.2","dst_ip":"192.168.113.237","protocol":17,"src_port":53,"dst_port":40385,"event_start":1565200314.223559}
{"fingerprints":{"tcp":"(faf0)(020405b4)(04)(08)(01)(030307)"},"src_ip":"192.168.113.237","dst_ip":"172.217.15.78","protocol":6,"src_port":38790,"dst_port":443,"event_start":1565200314.224204}
{"fingerprints":{"tls":"(0303)(130213031301c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff)((0000)(000b000403000102)(000a000c000a001d0017001e00190018)(0023)(0016)(0017)(000d0030002e040305030603080708080809080a080b080408050806040105010601030302030301020103020202040205020602)(002b0009080304030303020301)(002d00020101)(0033))"},"tls":{"client":{"server_name":"google.com"}},"src_ip":"192.168.113.237","dst_ip":"172.217.15.78","protocol":6,"src_port":38790,"dst_port":443,"event_start":1565200314.266206}
{"fingerprints":{"tls_server":"(0303)(1302)((0033)(002b00020304))"},"src_ip":"172.217.15.78","dst_ip":"192.168.113.237","protocol":6,"src_port":443,"dst_port":38790,"event_start":1565200314.317713}
...As above, but selecting the TLS protocol, so that only data for that protocol is reported. The -s (or --select) option indicates the protocol (or protocols) selected.
$ mercury -r top-https.pcap --select=tls
{"fingerprints":{"tls":"(0303)(130213031301c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff)((0000)(000b000403000102)(000a000c000a001d0017001e00190018)(0023)(0016)(0017)(000d0030002e040305030603080708080809080a080b080408050806040105010601030302030301020103020202040205020602)(002b0009080304030303020301)(002d00020101)(0033))"},"tls":{"client":{"server_name":"google.com"}},"src_ip":"192.168.113.237","dst_ip":"172.217.15.78","protocol":6,"src_port":38790,"dst_port":443,"event_start":1565200314.266206}
{"fingerprints":{"tls_server":"(0303)(1302)((0033)(002b00020304))"},"src_ip":"172.217.15.78","dst_ip":"192.168.113.237","protocol":6,"src_port":443,"dst_port":38790,"event_start":1565200314.317713}
{"fingerprints":{"tls":"(0303)(130213031301c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff)((0000)(000b000403000102)(000a000c000a001d0017001e00190018)(0023)(0016)(0017)(000d0030002e040305030603080708080809080a080b080408050806040105010601030302030301020103020202040205020602)(002b0009080304030303020301)(002d00020101)(0033))"},"tls":{"client":{"server_name":"www.google.com"}},"src_ip":"192.168.113.237","dst_ip":"172.217.7.228","protocol":6,"src_port":55912,"dst_port":443,"event_start":1565200314.496049}
{"fingerprints":{"tls_server":"(0303)(1302)((0033)(002b00020304))"},"src_ip":"172.217.7.228","dst_ip":"192.168.113.237","protocol":6,"src_port":443,"dst_port":55912,"event_start":1565200314.548679}
...As above, but reporting more data about each TLS session. The --metadata option causes more data features to be written into JSON. This example uses jq, just to format the output for clarity's sake.
$ mercury -r top-https.pcap --select=tls --metadata | jq .
{
"fingerprints": {
"tls": "(0303)(130213031301c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff)((0000)(000b000403000102)(000a000c000a001d0017001e00190018)(0023)(0016)(0017)(000d0030002e040305030603080708080809080a080b080408050806040105010601030302030301020103020202040205020602)(002b0009080304030303020301)(002d00020101)(0033))"
},
"tls": {
"client": {
"version": "0303",
"random": "b3afd945f15e47a81a8c87eb4a8f47b04cd087a2e4b67f3bbefae8ab4c472f0c",
"session_id": "e5d2be5888a873a7753789438a91eafe22564432b617a5ebcadc7f026d37238f",
"cipher_suites": "130213031301c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff",
"compression_methods": "00",
"server_name": "google.com"
}
},
"src_ip": "192.168.113.237",
"dst_ip": "172.217.15.78",
"protocol": 6,
"src_port": 38790,
"dst_port": 443,
"event_start": 1565200314.266206
}
...To report DNS responses as detailed JSON objects, instead of base64 strings, use the --dns-json option. In this example we also use the --select=dns option to focus the output on that protocol, though that option operates independently of--dns-json. This example uses jq, just to format the output for clarity's sake.
$ mercury -r top-https.pcap --select=dns --dns-json | jq .
{
"dns": {
"response": {
"qname": "google.com",
"opcode": 0,
"rcode": 0,
"flags": 33152,
"answer": [
{
"rrtype": "AAAA",
"rdata": "2607:f8b0:4004:810::200e",
"ttl": 5
}
],
"authority": [
{
"rrtype": "NS",
"rrname": "c.gtld-servers.net",
"ttl": 5
},
{
"rrtype": "NS",
"rrname": "i.gtld-servers.net",
"ttl": 5
},
{
"rrtype": "NS",
"rrname": "f.gtld-servers.net",
"ttl": 5
},
{
"rrtype": "NS",
"rrname": "a.gtld-servers.net",
"ttl": 5
},
{
"rrtype": "NS",
"rrname": "l.gtld-servers.net",
"ttl": 5
},
...To report PKIX certificates as detailed JSON objects, instead of base64 strings, use the --certs-json option. In this example we also use the --select=tls option to focus the output on that protocol, though that option operates independently of --certs-json. The output is filtered through jq to select the tls.server.certs field, which is a JSON array of certificate objects. Certificate objects have a complex structure, with many optional fields, as shown in this example.
$ mercury -r top-https.pcap --select=tls --certs-json | jq .tls.server.certs
[
{
"cert": {
"version": "02",
"serial_number": "07a27140cfd9fc949427514f8555426f",
"signature_identifier": {
"algorithm": "sha256WithRSAEncryption"
},
"issuer": [
{
"country_name": "US"
},
{
"organization_name": "DigiCert Inc"
},
{
"organizational_unit_name": "www.digicert.com"
},
{
"common_name": "DigiCert SHA2 High Assurance Server CA"
}
],
"validity": [
{
"not_before": "2019-03-07 00:00:00Z"
},
{
"not_after": "2020-03-07 12:00:00Z"
}
],
"subject": [
{
"country_name": "US"
},
{
"state_or_province_name": "California"
},
{
"locality_name": "San Francisco"
},
{
"organization_name": "Twitter, Inc."
},
{
"organizational_unit_name": "atla"
},
{
"common_name": "twitter.com"
}
],
"subject_public_key_info": {
"algorithm_identifier": {
"algorithm": "rsaEncryption"
},
"subject_public_key": {
"modulus": "00e657da4725b5fadc3d3c9f00016d200813b9e880a9e53f93a337380aeb39344918bb8b0acbe3ddaf8ed98e1cc41bcfca1b0081b33e9cb957b5fd33887e520e32732ceea654ae93ef5c593a323ccf4d475646f0a8e9c55463c3f365f2817e16d686a33ade1dd70329399a1ce81fcb87ecbb402154bccfb174c0f4f39272ad666f686c37a1042ae036eb0c16a85826d2cdd6dbb91935c6981cb4ddb1779ac5fe7e4c838524181c9347f3447c1f65b958a8f9b6d3a38b4f88a45bc0eda7ce818658c692f13f9412d4e97a5dd85cfa54b0fd9f91c3c5ce986de9e62b3a2eea86d6ae816f297acde3c8f871c69f77b6f347d8eafb49a060e9c33a9848888cdd84cfcb",
"exponent": "010001",
"bits_in_modulus": 2048,
"bits_in_exponent": 17
}
},
"extensions": [
{
"authority_key_identifier": {
"key_identifier": "5168ff90af0207753cccd9656462a212b859723b"
},
"critical": false
},
{
"subject_key_identifier": "84368f7f4b6945e738c1688210ed156c9e910c69",
"critical": false
},
{
"subject_alt_name": [
{
"dns_name": "twitter.com"
},
{
"dns_name": "www.twitter.com"
}
],
"critical": false
},
{
"key_usage": [
"digital_signature",
"key_encipherment"
],
"critical": true
},
{
"ext_key_usage": [
"id-kp-serverAuth",
"id-kp-clientAuth"
],
"critical": false
},
{
"crl_distribution_points": [
{
"crl_distribution_point": [
{
"distribution_point_name": {
"full_name": {
"uri": "http://crl3.digicert.com/sha2-ha-server-g6.crl"
}
}
}
]
},
{
"crl_distribution_point": [
{
"distribution_point_name": {
"full_name": {
"uri": "http://crl4.digicert.com/sha2-ha-server-g6.crl"
}
}
}
]
}
],
"critical": false
},
{
"certificate_policies": [
{
"policy_information": [
{
"policy_identifier": "2.16.840.1.114412.1.1",
"policy_qualifier_info": {
"qualifier_id": "id-qt-cps",
"qualifier": "https://www.digicert.com/CPS"
}
}
]
},
{
"policy_information": [
{
"policy_identifier": "2.23.140.1.2.2"
}
]
}
],
"critical": false
},
{
"authority_info_access": [
{
"access_method": "id-ad-ocsp",
"access_location": {
"uri": "http://ocsp.digicert.com"
}
},
{
"access_method": "id-ad-caIssuers",
"access_location": {
"uri": "http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt"
}
}
],
"critical": false
},
{
"basic_constraints": {
"ca": false,
"path_len_constraint": 0
},
"critical": true
},
{
"signed_certificate_timestamp_list": "00f1007700bbd9dfbc1f8a71b593942397aa927b473857950aab52e81a909664368e1ed18500000169595561be0000040300483046022100993add9d305ff8dfa08415eec10bf7d8ae8cb6e057d690446a1da2f67d23a64a022100a9ab633de84b7d78fb932ddedbe502d299b543000a8348914750f16ceaa62afc0076008775bfe7597cf88c43995fbdf36eff568d475636ff4ab560c1b4eaff5ea0830f000001695955630300000403004730450220106d3044cfaa12a4e729073d499d75b88561911a4576a70b2c33d21390003cd502210093c11fa60bca4f2274bd27b408a0f92b77f483ac211c8a028b12fb0a8ec32382",
"critical": false
}
],
"violations": [
"invalid"
]
}
}
]
...To report detailed metadata for HTTP, use the --metadata option. In this example we also use the --select=http option to focus the output on that protocol, though that option operates independently of --metadata. This example pipes the output through jq, just to format the output for clarity's sake.
$ mercury -r top-https.pcap --select=http --metadata | jq .
{
"fingerprints": {
"http": "(474554)(485454502f312e31)(486f7374)(4163636570743a202a2f2a)(436f6e6e656374696f6e3a20636c6f7365)"
},
"complete": "yes",
"http": {
"request": {
"method": "GET",
"uri": "/",
"protocol": "HTTP/1.1",
"host": "connectivity-check.ubuntu.com"
}
},
"src_ip": "192.168.113.237",
"dst_ip": "35.224.99.156",
"protocol": 6,
"src_port": 53560,
"dst_port": 80,
"event_start": 1565200503.658237
}
{
"fingerprints": {
"http_server": "(485454502f312e31)(323034)(4e6f20436f6e74656e74)(44617465)(5365727665723a204170616368652f322e342e313820285562756e747529)(436f6e6e656374696f6e3a20636c6f7365)"
},
"complete": "yes",
"src_ip": "35.224.99.156",
"dst_ip": "192.168.113.237",
"protocol": 6,
"src_port": 80,
"dst_port": 53560,
"event_start": 1565200503.759359
}