Capture Filters - SSL Handshake or HEX
Hello, I am trying to create a capture filter to capture only packets with SSL.Handshake.type=2, or Server Hello. I tried the tool on this site.
Here is the filter it generated.
tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x73736c2e && tcp[((tcp[12:1] & 0xf0) >> 2) + 4:4] = 0x68616e64 && tcp[((tcp[12:1] & 0xf0) >> 2) + 8:4] = 0x7368616b && tcp[((tcp[12:1] & 0xf0) >> 2) + 12:4] = 0x652e7479 && tcp[((tcp[12:1] & 0xf0) >> 2) + 16:4] = 0x7065203d && tcp[((tcp[12:1] & 0xf0) >> 2) + 20:2] = 0x3d20 && tcp[((tcp[12:1] & 0xf0) >> 2) + 22:1] = 0x32
I do not believe the actual string "ssl.handshake.type==2" exists in the packets, which is why this filter fails.
But, using the above as a template, I manually created a capture filter for the 0x02 value. This didn't work either.
tcp[((tcp[12:1] & 0xf0) >> 2) + 59:1] = 0x32
Any ideas what I am missing with this?
Thanks and God bless, Genesius
Why don't you use the filter 'ssl.handshake.type == 2'?
That would be a display filter, not a capture filter. However, it would work and is worth trying to see if the data you are looking for is there. If the traffic levels are not too high, it might be acceptable for your operation.
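Added example, not part of the original thread: a capture filter that tests the TLS record and handshake bytes at their wire offsets, with the same byte arithmetic mirrored in Python over constructed TCP segments. The function names and sample segments are hypothetical, and the check assumes the TLS record starts at the first byte of the TCP payload.

```python
import struct

# Capture filter (pcap-filter syntax) that the Python checks below mirror.
# (tcp[12:1] & 0xf0) >> 2 is the TCP header length, i.e. where the payload starts.
SERVER_HELLO_FILTER = (
    "tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16 && "
    "tcp[((tcp[12:1] & 0xf0) >> 2) + 5:1] = 0x02"
)

def tcp_payload_offset(segment: bytes) -> int:
    """Data offset nibble (32-bit words) converted to bytes, as in the filter."""
    return (segment[12] & 0xF0) >> 2

def is_server_hello(segment: bytes) -> bool:
    """True if the payload begins with a TLS handshake record carrying ServerHello."""
    off = tcp_payload_offset(segment)
    if len(segment) < off + 6:
        return False
    # Payload byte 0: record content type (0x16 = handshake).
    # Payload byte 5: handshake type, the binary value 0x02 (0x32 is ASCII '2').
    return segment[off] == 0x16 and segment[off + 5] == 0x02

def build_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed TCP segment; options must be a multiple of 4 bytes."""
    words = 5 + len(options) // 4
    header = struct.pack("!HHIIBBHHH", 443, 50000, 1, 1, words << 4, 0x18, 65535, 0, 0)
    return header + options + payload

def tls_handshake_record(hs_type: int, body: bytes = b"\x00" * 40) -> bytes:
    """Record header (type, version, length) followed by one handshake message."""
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + len(handshake).to_bytes(2, "big") + handshake

# Constructed samples (not captured traffic).
SERVER_HELLO = build_segment(tls_handshake_record(0x02))
SERVER_HELLO_OPTS = build_segment(tls_handshake_record(0x02), options=b"\x01" * 12)
CLIENT_HELLO = build_segment(tls_handshake_record(0x01))
APP_DATA = build_segment(b"\x17\x03\x03\x00\x05\x02abcd")  # 0x02 at byte 5, wrong record type

if __name__ == "__main__":
    for name in ("SERVER_HELLO", "SERVER_HELLO_OPTS", "CLIENT_HELLO", "APP_DATA"):
        print(name, is_server_hello(globals()[name]))
```

A ServerHello that does not begin at the start of a TCP segment's payload (for example, after another record in the same segment) is not matched by this filter, so a display filter on a broader capture remains the complete check.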