Capture Filters - SSL Handshake or HEX

Hello, I am trying to create a capture filter to capture only packets with SSL.Handshake.type=2, or Server Hello. I tried the tool on this site.

Here is the filter it generated.

tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x73736c2e && tcp[((tcp[12:1] & 0xf0) >> 2) + 4:4] = 0x68616e64 && tcp[((tcp[12:1] & 0xf0) >> 2) + 8:4] = 0x7368616b && tcp[((tcp[12:1] & 0xf0) >> 2) + 12:4] = 0x652e7479 && tcp[((tcp[12:1] & 0xf0) >> 2) + 16:4] = 0x7065203d && tcp[((tcp[12:1] & 0xf0) >> 2) + 20:2] = 0x3d20 && tcp[((tcp[12:1] & 0xf0) >> 2) + 22:1] = 0x32

I do not believe the actual string "ssl.handshake.type==2" exists in the packets, which is why this filter fails.

But, using the above as a template, I manually created a capture filter for the 0x02 value. This didn't work either.

tcp[((tcp[12:1] & 0xf0) >> 2) + 59:1] = 0x32

Any ideas what I am missing with this?

Thanks and God bless, Genesius
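
Added example, not part of the original post: a Python model of the byte tests the filters above perform, run against constructed TCP segments. It assumes the standard TLS layout (a 5-byte record header followed by a 1-byte handshake type) and that the record begins at the first payload byte of the segment; all function names are hypothetical.

```python
import struct

def tcp_payload_offset(seg: bytes) -> int:
    # Same arithmetic as (tcp[12:1] & 0xf0) >> 2: TCP header length in bytes.
    return (seg[12] & 0xF0) >> 2

def payload_byte(seg: bytes, rel: int):
    # Models tcp[hdr + rel:1]; None stands for a read past the segment end.
    idx = tcp_payload_offset(seg) + rel
    return seg[idx] if idx < len(seg) else None

def is_server_hello(seg: bytes) -> bool:
    # Assumed layout: type(1)=0x16, version(2), length(2), handshake type(1).
    return payload_byte(seg, 0) == 0x16 and payload_byte(seg, 5) == 0x02

def starts_with_filter_text(seg: bytes) -> bool:
    # First test of the generated filter: payload[0:4] == 0x73736c2e, "ssl.".
    off = tcp_payload_offset(seg)
    return seg[off:off + 4] == b"ssl."

def build_segment(payload: bytes, options: bytes = b"") -> bytes:
    # Constructed TCP segment; options length must be a multiple of 4.
    data_offset = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIBBHHH", 443, 50000, 1, 1,
                      data_offset << 4, 0x18, 65535, 0, 0)
    return hdr + options + payload

def build_handshake_record(hs_type: int, body: bytes) -> bytes:
    # Constructed TLS record holding one handshake message.
    msg = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(msg)) + msg

# Constructed sample data (not captured traffic).
HELLO_BODY = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
SERVER_HELLO = build_segment(build_handshake_record(2, HELLO_BODY))
SERVER_HELLO_OPTS = build_segment(build_handshake_record(2, HELLO_BODY),
                                  options=b"\x01" * 12)
CLIENT_HELLO = build_segment(build_handshake_record(1, HELLO_BODY))

if __name__ == "__main__":
    for name, seg in [("server hello", SERVER_HELLO),
                      ("server hello + options", SERVER_HELLO_OPTS),
                      ("client hello", CLIENT_HELLO)]:
        print(name, tcp_payload_offset(seg), is_server_hello(seg),
              starts_with_filter_text(seg), payload_byte(seg, 59))
```

Under the same assumption, the two tests in capture-filter syntax are tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16 && tcp[((tcp[12:1] & 0xf0) >> 2) + 5:1] = 0x02.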