
Is this a correct TLS capture filter

asked 2018-10-03 20:39:03 +0000

anon

I did some research a long time ago to construct a capture filter for TLS packets only. I am not sure if I got it right. I tested it, but I need an expert to check and confirm it for me, if possible, please:

Does this filter capture TLS (port 443, https) packets?

tcp port 443 and tcp[tcp[12]/16*4]=22


1 Answer


answered 2018-10-04 05:34:19 +0000

Jaap

What you filter on is the TLS ContentType (of the first record), which, according to IANA, is 22 for 'handshake'. The fact that you filter on the port reserved for HTTPS (443) does give you a reasonable expectation of the start of an HTTPS transfer.


Comments

So is it correct?

anon ( 2018-10-09 14:06:09 +0000 )

It gives you a reasonable expectation of the start of an HTTPS transfer. That's as correct as it will be.

Jaap ( 2018-10-09 17:53:24 +0000 )
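
The arithmetic of the filter from the question, spelled out as an added example (not part of the original thread): `tcp[12]/16*4` is the TCP header length taken from the data-offset nibble, so the filter compares the first payload byte with 22. The segments, payload bytes and function names below are constructed for illustration.

```python
import struct

# TLS record ContentType values (first byte of every TLS record).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

def build_tcp_segment(payload, options=b"", sport=50000, dport=443):
    """Constructed sample: TCP header (+ options) + payload, checksum left at 0."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    data_offset = 5 + len(options) // 4            # header length in 32-bit words
    offset_flags = (data_offset << 12) | 0x018     # high nibble = offset, PSH|ACK
    header = struct.pack("!HHIIHHHH", sport, dport, 1, 1,
                         offset_flags, 65535, 0, 0)
    return header + options + payload

def filter_matches(segment):
    """Same arithmetic as: tcp port 443 and tcp[tcp[12]/16*4]=22"""
    if len(segment) < 20:
        return False
    sport, dport = struct.unpack("!HH", segment[:4])
    if 443 not in (sport, dport):
        return False
    payload_index = segment[12] // 16 * 4          # data offset nibble * 4 bytes
    if payload_index >= len(segment):              # no payload: BPF load fails, no match
        return False
    return segment[payload_index] == 22

def first_byte_meaning(segment):
    """Name of the ContentType at the start of the payload, or None."""
    payload = segment[segment[12] // 16 * 4:]
    return CONTENT_TYPES.get(payload[0]) if payload else None

# Constructed payloads: TLS record headers followed by placeholder bodies.
CLIENT_HELLO = b"\x16\x03\x01\x00\x04" + b"\x01\x00\x00\x00"
APP_DATA = b"\x17\x03\x03\x00\x02" + b"\xaa\xbb"
TIMESTAMP_OPT = b"\x01\x01\x08\x0a" + bytes(8)     # NOP, NOP, Timestamps (12 bytes)

SAMPLES = {
    "handshake, no options": build_tcp_segment(CLIENT_HELLO),
    "handshake, 12 option bytes": build_tcp_segment(CLIENT_HELLO, TIMESTAMP_OPT),
    "application data": build_tcp_segment(APP_DATA),
    "bare ACK (no payload)": build_tcp_segment(b""),
    "handshake on port 8443": build_tcp_segment(CLIENT_HELLO, dport=8443),
}

if __name__ == "__main__":
    for name, seg in SAMPLES.items():
        print(f"{name:28} first byte: {first_byte_meaning(seg)!s:18} match: {filter_matches(seg)}")
```

Only segments on port 443 whose payload begins with a handshake record match; application data and bare ACKs of the same connection are dropped. Because only one byte is tested, a segment that starts in the middle of a record with a byte equal to 22 would also match.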

Stats

Asked: 2018-10-03 20:39:03 +0000

Seen: 521 times

Last updated: Oct 04 '18