Can't capture TLS certificate

I use this filter to capture the TLS certificate:

tcp port 443 and tcp[tcp[12]/16*4]=22 and (tcp[tcp[12]/16*4+5]=11)

but the filter does not capture anything at all. I tried the same filter with a type that has a one-digit number (e.g. value 1 for client-hello) and it works. But when I try two digits, it does not.

According to: http://blog.fourthbit.com/2014/12/23/traffic-analysis-of-an-ssl-slash-tls-session , the certificate type has decimal value of 11. For readability, I prefer to deal with decimal values if possible.

I also do not understand why I have to divide by 16 then multiply by 4. In some references they use >> 2. Can you explain this part?
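
Added example (not part of the original question): the two byte tests of the filter above, evaluated in Python on constructed TCP segments, with the /16*4 arithmetic next to the commonly seen masked form (tcp[12] & 0xf0) >> 2. All function names and sample segments are made up for this illustration; the last sample shows that the +5 test only ever looks at the first handshake message in a segment.

```python
# Added example: evaluates the filter's byte tests on constructed TCP segments.

def tcp_header_len(seg: bytes) -> int:
    """tcp[12]/16*4: the high nibble of byte 12 is the data offset in 32-bit words."""
    return seg[12] // 16 * 4

def tcp_header_len_shift(seg: bytes) -> int:
    """(tcp[12] & 0xf0) >> 2: mask the nibble, then shift; same value as above."""
    return (seg[12] & 0xF0) >> 2

def filter_matches(seg: bytes, handshake_type: int) -> bool:
    """tcp[hdr]=22 and tcp[hdr+5]=handshake_type, as in the filter above."""
    hdr = tcp_header_len(seg)
    if len(seg) < hdr + 6:
        return False  # BPF rejects a packet when an index is past its end
    return seg[hdr] == 22 and seg[hdr + 5] == handshake_type

def tcp_header(words: int) -> bytes:
    """Constructed TCP header of `words` 32-bit words; only byte 12 is filled in."""
    hdr = bytearray(words * 4)
    hdr[12] = words << 4
    return bytes(hdr)

def handshake_msg(msg_type: int, body: bytes) -> bytes:
    """Handshake header: 1-byte type, 3-byte length, then the body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def tls_record(content_type: int, payload: bytes) -> bytes:
    """5-byte record header: type, version (2 bytes), length (2 bytes)."""
    return bytes([content_type, 3, 3]) + len(payload).to_bytes(2, "big") + payload

# Constructed samples (dummy bodies, not real handshake data).
CLIENT_HELLO = tcp_header(8) + tls_record(22, handshake_msg(1, b"\x00" * 40))
CERT_FIRST = tcp_header(5) + tls_record(22, handshake_msg(11, b"\x00" * 40))
CERT_AFTER_HELLO = tcp_header(8) + tls_record(
    22, handshake_msg(2, b"\x00" * 40) + handshake_msg(11, b"\x00" * 40))

if __name__ == "__main__":
    samples = [("ClientHello", CLIENT_HELLO),
               ("Certificate first", CERT_FIRST),
               ("Certificate after ServerHello", CERT_AFTER_HELLO)]
    for name, seg in samples:
        print(name, "header bytes:", tcp_header_len(seg),
              "type 11 matches:", filter_matches(seg, 11))
```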