Capture Filters - SSL Handshake or HEX

asked 2017-11-29 18:29:21 +0000

Hello, I am trying to create a capture filter to capture only packets with SSL.Handshake.type=2, or Server Hello. I tried the tool on this site. link text

Here is the filter it generated.

tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x73736c2e && tcp[((tcp[12:1] & 0xf0) >> 2) + 4:4] = 0x68616e64 && tcp[((tcp[12:1] & 0xf0) >> 2) + 8:4] = 0x7368616b && tcp[((tcp[12:1] & 0xf0) >> 2) + 12:4] = 0x652e7479 && tcp[((tcp[12:1] & 0xf0) >> 2) + 16:4] = 0x7065203d && tcp[((tcp[12:1] & 0xf0) >> 2) + 20:2] = 0x3d20 && tcp[((tcp[12:1] & 0xf0) >> 2) + 22:1] = 0x32

I do not believe the actual string "ssl.handshake.type==2" exists in the packets, which is why this filter fails.

But, using the above as a template, I manually created a capture filter for the 0x02 value. This didn't work either.

tcp[((tcp[12:1] & 0xf0) >> 2) + 59:1] = 0x32

Any ideas what I am missing with this?

Thanks and God bless, Genesius


Comments

Why don't you use the filter 'ssl.handshake.type == 2' ?

omuffat (2017-12-01 14:37:54 +0000)

That would be a display filter, not a capture filter. However, it would work and is worth trying to see if the data you are looking for is there. If the traffic levels are not too high, it might be acceptable for your operation.

masonke (2017-12-07 00:06:02 +0000)
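
The offset arithmetic behind these filters, as an added example that is not part of the original question or comments: it models `tcp[offset:size]` over constructed TCP segments and compares the two filters from the question with one that tests the TLS record type (0x16) at payload byte 0 and the handshake type (0x02) at payload byte 5. The function names and sample segments are assumptions made for the illustration.

```python
import struct

# Capture filter this example models (standard pcap-filter syntax):
SERVER_HELLO_FILTER = (
    "tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16 && "
    "tcp[((tcp[12:1] & 0xf0) >> 2) + 5:1] = 0x02"
)

def payload_offset(tcp: bytes) -> int:
    """(tcp[12:1] & 0xf0) >> 2: TCP header length in bytes (data offset * 4)."""
    return (tcp[12] & 0xF0) >> 2

def load(tcp: bytes, off: int, size: int):
    """Model tcp[off:size]; an out-of-range load means the packet does not match."""
    if off + size > len(tcp):
        return None
    return int.from_bytes(tcp[off:off + size], "big")

def generated_filter(tcp: bytes) -> bool:
    """First comparison of the tool's filter: payload starts with ASCII 'ssl.'."""
    return load(tcp, payload_offset(tcp), 4) == 0x73736C2E

def manual_filter(tcp: bytes) -> bool:
    """The manual attempt: payload byte 59 equals 0x32 (ASCII '2')."""
    return load(tcp, payload_offset(tcp) + 59, 1) == 0x32

def server_hello_filter(tcp: bytes) -> bool:
    """Record type 0x16 at payload byte 0, handshake type 0x02 at payload byte 5."""
    p = payload_offset(tcp)
    return load(tcp, p, 1) == 0x16 and load(tcp, p + 5, 1) == 0x02

def segment(hs_type: int, options: bytes = b"") -> bytes:
    """Constructed TCP segment carrying one TLS handshake record (sample data)."""
    body = bytes(70)  # placeholder handshake body, all zeros
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    record = b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake
    doff = (20 + len(options)) // 4  # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", 443, 50000, 1, 1, doff << 4, 0x18, 65535, 0, 0)
    return header + options + record

SERVER_HELLO = segment(0x02)
SERVER_HELLO_OPTS = segment(0x02, options=b"\x01" * 12)  # 12 bytes of NOP options
CLIENT_HELLO = segment(0x01)

if __name__ == "__main__":
    samples = [("server hello", SERVER_HELLO), ("with options", SERVER_HELLO_OPTS),
               ("client hello", CLIENT_HELLO)]
    for name, seg in samples:
        print(name, generated_filter(seg), manual_filter(seg), server_hello_filter(seg))
```

The filter in `SERVER_HELLO_FILTER` only matches when the Server Hello record begins at the first byte of the TCP payload.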