I use this filter to capture the TLS certificate:
tcp port 443 and tcp[tcp[12]/16*4]=22 and (tcp[tcp[12]/16*4+5]=11)
but the filter does not capture anything at all. I tried the same filter with a type that has a one-digit number (e.g. value 1 for client-hello) and it works. But when I try two digits, it does not.
According to: http://blog.fourthbit.com/2014/12/23/traffic-analysis-of-an-ssl-slash-tls-session , the certificate type has a decimal value of 11. For readability, I prefer to deal with decimal values if possible.
I also do not understand why I have to divide by 16 then multiply by 4. In some references they use >> 2. Can you explain this part?
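An added example, not part of the original post: it computes the offset that `tcp[12]/16*4` yields and shows which two bytes the filter actually compares. The segment is constructed for illustration (32-byte TCP header, stub ServerHello and Certificate bodies in a single handshake record), and the function names are hypothetical.

```python
import struct

def tcp_header_len(segment: bytes) -> int:
    """Byte 12 holds the data offset in its high nibble, in 32-bit words."""
    words = segment[12] >> 4   # integer /16 drops the low (reserved/flag) nibble
    return words * 4           # words -> bytes; same as (segment[12] & 0xF0) >> 2

def filter_view(segment: bytes):
    """The two bytes tcp[off] and tcp[off+5] compare: the record content type
    and the type of the FIRST handshake message in the payload only."""
    off = tcp_header_len(segment)
    return segment[off], segment[off + 5]

def handshake_types(segment: bytes):
    """Walk every TLS record and every handshake message in the payload."""
    payload = segment[tcp_header_len(segment):]
    found, pos = [], 0
    while pos + 5 <= len(payload):
        ctype, _version, rlen = struct.unpack_from("!BHH", payload, pos)
        body = payload[pos + 5 : pos + 5 + rlen]
        i = 0
        while ctype == 22 and i + 4 <= len(body):   # 22 = handshake record
            found.append(body[i])                   # handshake message type
            i += 4 + int.from_bytes(body[i + 1 : i + 4], "big")
        pos += 5 + rlen
    return found

def build_segment() -> bytes:
    """Constructed sample: data offset 8 (20-byte header + 12 bytes of NOPs)."""
    tcp = struct.pack("!HHIIBBHHH", 443, 50000, 1, 1, 8 << 4, 0x18, 65535, 0, 0)
    tcp += b"\x01" * 12
    hs = bytes([2]) + (4).to_bytes(3, "big") + b"\x00" * 4    # ServerHello stub
    hs += bytes([11]) + (3).to_bytes(3, "big") + b"\x00" * 3  # Certificate stub
    return tcp + struct.pack("!BHH", 22, 0x0303, len(hs)) + hs

SEG = build_segment()

if __name__ == "__main__":
    print("header length:", tcp_header_len(SEG))
    print("bytes the filter compares:", filter_view(SEG))
    print("handshake types present:", handshake_types(SEG))
```

In this sample the Certificate message (11) sits behind the ServerHello (2) in the same segment, so a comparison at the fixed offset +5 sees 2 and never reaches it.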