Ask Your Question
0

Is this a correct TLS capture filter

asked 2018-10-03 20:39:03 +0000

anon gravatar image

I have made research long time ago to construct a capture filter for TLS packets only. I am not sure if I got it right. I tested it but need an expert to check and confirm to me if possible please:

Does this filter capture TLS (port 443, https) packets?

tcp port 443 and tcp[tcp[12]/16*4]=22

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2018-10-04 05:34:19 +0000

Jaap gravatar image

What you filter on is the TLS ContentType (of the first record), which according to IANA, is 22 for 'handshake'. The fact that you filter on the port reserved for HTTPS (443) does give you a reasonable expectation of the start of a HTTPS transfer.

edit flag offensive delete link more

Comments

So is it correct?

anon gravatar imageanon ( 2018-10-09 14:06:09 +0000 )edit

It gives you a reasonable expectation of the start of a HTTPS transfer. That's as correct as it will be.

Jaap gravatar imageJaap ( 2018-10-09 17:53:24 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2018-10-03 20:39:03 +0000

Seen: 525 times

Last updated: Oct 04 '18