Ask Your Question
0

Capture Filters - SSL Handshake or HEX

asked 2017-11-29 18:29:21 +0000

genesiusj gravatar image

Hello, I am trying to create a capture filter to capture only packets with SSL.Handshake.type=2, or Server Hello. I tried the tool on this site. link text

Here is the filter it generated.

tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x73736c2e && tcp[((tcp[12:1] & 0xf0) >> 2) + 4:4] = 0x68616e64 && tcp[((tcp[12:1] & 0xf0) >> 2) + 8:4] = 0x7368616b && tcp[((tcp[12:1] & 0xf0) >> 2) + 12:4] = 0x652e7479 && tcp[((tcp[12:1] & 0xf0) >> 2) + 16:4] = 0x7065203d && tcp[((tcp[12:1] & 0xf0) >> 2) + 20:2] = 0x3d20 && tcp[((tcp[12:1] & 0xf0) >> 2) + 22:1] = 0x32

I do not believe the actual string "ssl.handshake.type==2" exists in the packets, which is why this filter fails.

But, using the above as a template, I manually create a capture filter for the 0x02 value. This didn't work either.

tcp[((tcp[12:1] & 0xf0) >> 2) + 59:1] = 0x32

Any ideas where I am missing with this?

Thanks and God bless, Genesius

edit retag flag offensive close merge delete

Comments

Why don't you use the filter 'ssl.handshake.type == 2' ?

omuffat gravatar imageomuffat ( 2017-12-01 14:37:54 +0000 )edit

That would be a display fillter, not a capture filter. However, it would work and is worth trying to see if the data you are looking for is there. If the traffic levels are not too high, it might be acceptable for your operation

masonke gravatar imagemasonke ( 2017-12-07 00:06:02 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2018-11-21 14:55:07 +0000

updated 2018-11-21 15:00:04 +0000

Try

tcp[(tcp[12]>>4) * 4] = 0x16 and tcp[(tcp[12]>>4) * 4+5] = 0x02

.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2017-11-29 18:29:21 +0000

Seen: 3,242 times

Last updated: Nov 21 '18