tests(pcap): fix support for older tshark versions (#4744)

tests/pcap/Cargo.toml

@@ -6,14 +6,14 @@ publish = false
 
 [features]
 default = []
-ja4 = [] # Older versions of tshark do not support JA4
 download = [] # Download additional pcaps from a list of configured urls
 
 [build-dependencies]
 anyhow = "1.0.86"
 bytes = "1.7.1"
 hex = "0.4.3"
 reqwest = { version = "0.12.7", features = ["blocking"] }
+semver = "1.0.23"
 
 [dependencies]
 anyhow = "1.0.86"

tests/pcap/build.rs

@@ -4,10 +4,12 @@
 use anyhow::*;
 use bytes::Buf;
 use bytes::Bytes;
+use semver::Version;
 use std::collections::HashMap;
 use std::fs::File;
 use std::io::copy;
 use std::path::Path;
+use std::process::Command;
 use std::thread;
 use std::time::Duration;
 
@@ -101,7 +103,40 @@ fn download(url: &str) -> Result<Bytes> {
     bail!("Unable to download: {}", url);
 }
 
+fn assert_tshark_version() -> Result<()> {
+    let output = Command::new("tshark").args(["--version"]).output();
+    let version = output.ok().and_then(|output| {
+        let message = std::str::from_utf8(&output.stdout).ok();
+        message.and_then(|msg| msg.split_whitespace().find_map(|s| Version::parse(s).ok()))
+    });
+
+    // Version requirements:
+    // 1. tshark >= 3.7.0 is required for JA3 support
+    //    JA3 support was added to earlier versions, but did not correctly ignore grease values.
+    //    See https://gitlab.com/wireshark/wireshark/-/commit/03afef0a566ed649ead587fb4c02fc2d8539f3b7
+    // 2. tshark >= 4.1.0 is required for consistent handling of sslv2.
+    //    Otherwise, we have to branch on sslv2 message filters.
+    //    See https://gitlab.com/wireshark/wireshark/-/commit/aee0278e086469a4b5b3185947a95556fd3ae708
+    // 3. tshark >= 4.2.0 is required for JA4 support.
+    //    See https://gitlab.com/wireshark/wireshark/-/commit/fd19f0d06f96b9934e3cd5b9889b2f83d3567fce
+    let min_version = Version::new(4, 2, 0);
+    if let Some(version) = version {
+        assert!(
+            version >= min_version,
+            "tshark {} required. tshark {} found",
+            min_version,
+            version
+        );
+        println!("tshark version: {}", version);
+    } else {
+        println!("cargo:warning=Unable to determine tshark version");
+    }
+    Ok(())
+}
+
 fn main() -> Result<()> {
+    assert_tshark_version()?;
+
     let out_dir = std::env::var("OUT_DIR")?;
     let download_path = Path::new(&out_dir).join("downloaded_pcaps");
 

tests/pcap/src/handshake_message.rs

@@ -138,6 +138,8 @@ impl Builder {
     const TCP_PAYLOAD: &'static str = "tcp.payload";
     const TCP_REASSEMBLED: &'static str = "tcp.reassembled.data";
 
+    // Note: sslv2 uses "tls.ssl2.handshake.type" instead. If we want to support
+    // sslv2 ClientHellos, we will need to search for both variants.
     const MESSAGE_TYPE: &'static str = "tls.handshake.type";
 
     pub(crate) fn set_type(&mut self, message_type: u8) -> &mut Self {

tests/pcap/tests/s2n_client_hellos.rs

@@ -6,6 +6,7 @@ use pcap::all_pcaps;
 use pcap::client_hello::ClientHello as PcapHello;
 use pcap::handshake_message::Builder;
 use s2n_tls::client_hello::{ClientHello as S2NHello, FingerprintType};
+use s2n_tls::fingerprint;
 
 fn get_s2n_hello(pcap_hello: &PcapHello) -> Result<Box<S2NHello>> {
     let bytes = pcap_hello.message().bytes();
@@ -63,11 +64,8 @@ fn ja3_fingerprints() -> Result<()> {
     })
 }
 
-#[cfg(feature = "ja4")]
 #[test]
 fn ja4_fingerprints() -> Result<()> {
-    use s2n_tls::fingerprint;
-
     let mut builder = fingerprint::Builder::new(FingerprintType::JA4)?;
 
     test_all_client_hellos(|pcap_hello, s2n_hello| {