

Specifically, the one with the certificate details (handshake_type = 11). What I'm doing is first checking that the message contains Raw. If so, I'm extracting the payload like so: b = bytes(pkt.load).

Next, I'm checking that the first byte is 0x16 and the following two bytes need to be a proper TLS version.

The problem is that this message doesn't pass these conditions. Wireshark is showing me that \x16\x03\x03 are the bytes at position 0000 (picture is attached), but I guess it is done for convenience. So is my assumption that the payload MUST start with 0x16 wrong? I don't want to use the scapy-ssl_tls library.

This is the code:

    def handle_tls_packet(pkt):
        handshake_length = int.from_bytes(b, 'big')
        print("v = ", version, " len = ", message_len, " htype =", handshake_type)
        certs_len = int.from_bytes(b, 'big')

As suggested by Cukic0d, I used load_layer("ssl"). Apparently, pkt.msg is a list (to hold multiple TLS messages in one packet?). Anyways, I printed the type of every such message like so:

    def handle_tls_packet(pkt):

I expected to see a TLSCertificate object, yet such an object is never seen. I'm willing to use scapy-ssl_tls if that would make life easier.

And if you're using Scapy 2.4:

    load_layer('tls')
    packets = sniff(prn=lambda x: x.summary(), lfilter=lambda x: TLS in x)

That enables the TLS module, which supports handshake (requires scapy > 2.4.0). Scapy will then correctly dissect TLS handshake/key.
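The manual check described in the question (first byte 0x16, then a TLS version, then a handshake message of type 11 with a 3-byte certificate-list length), as an added example that is not the poster's code and uses neither Scapy nor scapy-ssl_tls: a pure-Python parser over the raw TCP payload bytes. The sample record, the fake certificate blobs and the zero-filled ServerHello body are constructed here for the demonstration and are not real handshake data. It also handles the two cases that usually defeat a first-byte check: one record carrying several handshake messages (which is why a dissector exposes them as a list, like pkt.msg), and a record whose declared length runs past the segment in hand, where only the first segment starts with 0x16.

```python
import struct

# TLS record content types and handshake message types used below (RFC 5246).
CONTENT_HANDSHAKE = 0x16
HANDSHAKE_CERTIFICATE = 11
TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def parse_tls_records(data):
    """Split raw TCP payload bytes into complete TLS records.

    Returns a list of (content_type, version, body). A trailing record whose
    declared length exceeds the bytes on hand is left out: the rest of it
    lives in a later TCP segment, so a first-byte == 0x16 test on a single
    segment only holds for the segment that starts a record.
    """
    records = []
    off = 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack_from("!BHH", data, off)
        if version not in TLS_VERSIONS:
            raise ValueError("not a TLS record header at offset %d" % off)
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            break  # truncated record, continues in the next segment
        records.append((ctype, version, body))
        off += 5 + length
    return records


def parse_handshake_messages(body):
    """Walk the handshake messages packed into one record body.

    Each message is a 1-byte type, a 3-byte length and the payload; several
    can share one record, which is why a dissector returns a list of them.
    """
    msgs = []
    off = 0
    while off + 4 <= len(body):
        htype = body[off]
        hlen = int.from_bytes(body[off + 1:off + 4], "big")
        msgs.append((htype, body[off + 4:off + 4 + hlen]))
        off += 4 + hlen
    return msgs


def parse_certificate_message(payload):
    """Return the certificate blobs listed in a Certificate handshake payload."""
    certs_len = int.from_bytes(payload[0:3], "big")
    certs, off = [], 3
    while off < 3 + certs_len:
        clen = int.from_bytes(payload[off:off + 3], "big")
        certs.append(payload[off + 3:off + 3 + clen])
        off += 3 + clen
    return certs


def handshake_types(data):
    """Handshake message types found in all complete handshake records of data."""
    types = []
    for ctype, _, body in parse_tls_records(data):
        if ctype == CONTENT_HANDSHAKE:
            types.extend(htype for htype, _ in parse_handshake_messages(body))
    return types


def extract_certificates(data):
    """Certificates carried in any Certificate (type 11) handshake message."""
    certs = []
    for ctype, _, body in parse_tls_records(data):
        if ctype != CONTENT_HANDSHAKE:
            continue
        for htype, payload in parse_handshake_messages(body):
            if htype == HANDSHAKE_CERTIFICATE:
                certs.extend(parse_certificate_message(payload))
    return certs


# --- constructed sample: one TLS 1.2 record holding ServerHello + Certificate ---
def _handshake(htype, payload):
    return bytes([htype]) + len(payload).to_bytes(3, "big") + payload


def _record(ctype, version, body):
    return struct.pack("!BHH", ctype, version, len(body)) + body


FAKE_CERTS = [b"-constructed-cert-A-", b"-constructed-cert-B-longer-"]  # not real DER
_cert_list = b"".join(len(c).to_bytes(3, "big") + c for c in FAKE_CERTS)
_server_hello = _handshake(2, bytes(38))  # 38 zero bytes stand in for a ServerHello body
_certificate = _handshake(HANDSHAKE_CERTIFICATE,
                          len(_cert_list).to_bytes(3, "big") + _cert_list)
SAMPLE_SEGMENT = _record(CONTENT_HANDSHAKE, 0x0303, _server_hello + _certificate)

if __name__ == "__main__":
    print("first byte: 0x%02x" % SAMPLE_SEGMENT[0])            # 0x16
    print("handshake types:", handshake_types(SAMPLE_SEGMENT))  # [2, 11]
    print("certs:", extract_certificates(SAMPLE_SEGMENT))
```

Feeding `bytes(pkt.load)` of one captured segment into `extract_certificates` only finds the chain when that segment begins a record and contains the whole Certificate message; Wireshark shows \x16\x03\x03 at offset 0000 because it reassembles the TCP stream before dissecting, so the certificate bytes it displays may span several segments whose later parts do not start with 0x16. Concatenating the payloads of consecutive segments of the flow before parsing, as a dissector does, removes that mismatch.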
