Hide and Seek on Github

INCOMPLETE: the PCAP and the SSL keys are not there yet, only the screencast... (I need to inspect the PCAP more, and maybe anonymize it more or remove some packets, before I upload it...)

First, quickly, what happened. You don't need to view it all! View it from 0:10:20, then from 0:10:50, and lastly from 0:13:35 (these are all in H:MM:SS), and in places you can go faster or skip where I type in the forms for a few dozen seconds or longer.

I might later give links that play exactly the few dozen seconds, altogether, that matter here. (After more network analysis, which is slow work here.)

---

By uncenz:

dump_180809_1931_gdO.pcap

---

As for what happened, I first suspected this mess must have been JavaScript-induced, see
Building Pale Moon on Devuan fails 2
but after my initial quick analysis of the PCAP I'm not sure anymore... Maybe it's the websockets...

WARNING: Familiarity with and use of some Unix-like OS such as GNU/Linux or BSD (or being able to use Cygwin on Windows, but I haven't tested that yet) is required to be able to follow.

Most of the original files of this section are produced with my (primitive) set of scripts:

uncenz.

Notice there are different scripts there; some I use for minimal anonymization of the dumps (dump_perl_repl.sh). Ah, and another can be useful for downloading, instead of click-downloading each file in a list (dump_dLo.sh). If you are not downloading all of uncenz, you can get that one directly: https://raw.githubusercontent.com/miroR/uncenz/master/dump_dLo.sh, or a later version if that one looks too old.

For analysis and stream extraction I often use my scripts, which are modest and lacking in good programming practices, but do what I created them for:

tshark-hosts-conv

and:

tshark-streams.

as well as:

workPCAPs, which can run tshark-streams and tshark-hosts-conv (and, since May 2018, also stream-cont.pl from the program

stream-cont)

on (a lot of) PCAPs, usually non-interactively.

Readers are advised to try and analyze the traffic dumps for themselves with the above programs (I also try to offer some educational usefulness with them). There would anyway be too little point in posting all the streams and listings that those produce. I usually post just those among their output which are crucial for the discussion in question.

And just one more thing: I post lots of command lines and snippets of scripts. Be aware that some of those are in HTML, so before using them, check that they correspond to what the page shows, and of course report back to me (find miro.rovis or such at the front page of www.croatiafidelie.hr) any typos and errors you find.

The files necessary for this study are listed in:

ls-1

dump_180809_1931_gdO.pcap
Screen_180809_1931_gdO.webm
dump_180809_1931_gdO_SSLKEYLOGFILE.txt

and verify against ls-1.sum, which is signed by ls-1.sum.asc.
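As an added example (my own sketch here, not one of the uncenz or tshark-* scripts from the post), here is the check a reader would run on those three files before trusting them, and the tshark invocation that makes the keylog file useful: verify the signed checksum list, then hand the SSLKEYLOGFILE to tshark so the TLS streams in the PCAP decrypt. Two assumptions are made: that ls-1.sum is in sha256sum format (the post does not say which hash it uses), and that tshark is version 3.x, where the preference is spelled tls.keylog_file (2.6, current when this dump was taken, called it ssl.keylog_file).

```shell
#!/bin/sh
# Added example, not part of the original post or of the uncenz/tshark-* scripts.
# 1) verify_manifest: check the signed checksum list (ls-1.sum / ls-1.sum.asc)
#    before trusting the dump files. ASSUMPTION: the .sum file is in
#    sha256sum format; the post does not say which hash it uses.
# 2) show_decrypted: feed the SSLKEYLOGFILE to tshark so the TLS sessions in
#    the PCAP decrypt and the HTTP/WebSocket traffic becomes readable.

# verify_manifest DIR SUMFILE [ASCFILE]
# Exit status 0 only if every file listed in SUMFILE matches its checksum
# and, when a detached signature is given, gpg also accepts it.
verify_manifest() {
    dir=$1; sums=$2; sig=$3
    (
        cd "$dir" || exit 1
        if [ -n "$sig" ]; then
            # gpg needs the author's public key imported; a bad or unknown
            # signature makes the whole check fail.
            gpg --verify "$sig" "$sums" || exit 1
        fi
        # --strict also fails on malformed lines, so a truncated manifest
        # is not silently accepted as "all OK".
        sha256sum --quiet --strict -c "$sums"
    )
}

# show_decrypted PCAP KEYLOG
# Lists the cleartext HTTP/1.x, HTTP/2 and WebSocket frames once tshark has
# the session keys. Wireshark 3.x names the preference tls.keylog_file; the
# 2.6 releases current when this dump was taken called it ssl.keylog_file.
show_decrypted() {
    pcap=$1; keylog=$2
    tshark -r "$pcap" -o "tls.keylog_file:$keylog" \
        -Y 'http || http2 || websocket' \
        -T fields -e frame.number -e ip.src -e ip.dst -e _ws.col.Info
}

# Usage, with the file names from the post:
#   verify_manifest . ls-1.sum ls-1.sum.asc \
#     && show_decrypted dump_180809_1931_gdO.pcap \
#                       dump_180809_1931_gdO_SSLKEYLOGFILE.txt
```

Running the signature check and the checksum check in one function means a tampered dump never reaches tshark; the websocket display filter is there because the post suspects the websocket traffic, and it only matches once the keylog has decrypted the TLS records.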