Can't capture TLS certificate
I use this filter to capture TLS certificate:
tcp port 443 and tcp[tcp[12]/16*4]=22 and (tcp[tcp[12]/16*4+5]=11)
but the filter does not capture anything at all. I tried the same filter with a type that has a one-digit number (e.g. value 1 for client-hello) and it works. But when I try two digits, it does not.
According to: http://blog.fourthbit.com/2014/12/23/... , the certificate type has a decimal value of 11. For readability, I prefer to deal with decimal values if possible.
I also do not understand why I have to divide by 16 then multiply by 4. In some references they use >> 2. Can you explain this part?
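An added example, not part of the original post: a Python emulation of what the filter expression above evaluates, run on two constructed TCP segments. It shows that `tcp[12]/16*4` and the mask-and-shift form `(tcp[12] & 0xf0) >> 2` give the same TCP header length, and that the filter tests only the first handshake message of a record that starts the segment's payload. The helper names and sample bytes are assumptions made for the illustration.

```python
import struct

def tcp_header_len(tcp: bytes) -> int:
    # tcp[12]/16*4: the high nibble of byte 12 is the data offset in 32-bit words.
    return tcp[12] // 16 * 4

def tcp_header_len_shift(tcp: bytes) -> int:
    # Same value: mask the high nibble, then shift right by 2 (i.e. >>4 then *4).
    return (tcp[12] & 0xF0) >> 2

def filter_matches(tcp: bytes, hs_type: int) -> bool:
    # Emulates: tcp[off]=22 and tcp[off+5]=hs_type, with off = tcp[12]/16*4.
    off = tcp_header_len(tcp)
    return len(tcp) >= off + 6 and tcp[off] == 22 and tcp[off + 5] == hs_type

def handshake_types(tcp: bytes) -> list:
    # Walks every TLS record and every handshake message held in this segment.
    data, found, pos = tcp[tcp_header_len(tcp):], [], 0
    while pos + 5 <= len(data):
        ctype, _version, rlen = struct.unpack_from("!BHH", data, pos)
        body = data[pos + 5 : pos + 5 + rlen]
        i = 0
        while ctype == 22 and i + 4 <= len(body):
            found.append(body[i])
            i += 4 + int.from_bytes(body[i + 1 : i + 4], "big")
        pos += 5 + rlen
    return found

# --- constructed sample data (hypothetical helpers, not real captures) ---
def tcp_segment(payload: bytes, options: bytes = b"") -> bytes:
    words = 5 + len(options) // 4          # header length in 32-bit words
    hdr = struct.pack("!HHIIBBHHH", 50000, 443, 0, 0, words << 4, 0x18, 65535, 0, 0)
    return hdr + options + payload

def handshake(hs_type: int, body: bytes) -> bytes:
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body

def record(fragment: bytes) -> bytes:
    return struct.pack("!BHH", 22, 0x0303, len(fragment)) + fragment

# ClientHello (type 1) behind a 32-byte TCP header (12 bytes of NOP options).
CLIENT_HELLO = tcp_segment(record(handshake(1, b"\x00" * 8)), options=b"\x01" * 12)
# ServerHello (2) followed by Certificate (11) inside the same record.
SERVER_FLIGHT = tcp_segment(record(handshake(2, b"\x00" * 8) + handshake(11, b"\x00" * 8)))

if __name__ == "__main__":
    for name, seg in (("client hello", CLIENT_HELLO), ("server flight", SERVER_FLIGHT)):
        print(name, tcp_header_len(seg), handshake_types(seg), filter_matches(seg, 11))
```

In the second constructed segment the byte at payload offset 5 is the ServerHello type, so a test for 11 at that offset is false even though a Certificate message is present later in the record.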