[Zeek] Access the encrypted TLS payload

Jay Wren (jawren) jawren at cisco.com
Thu Feb 28 08:15:41 PST 2019


Hello,

Apologies for my ignorant question; my C++ is worse than rusty and I'm completely new to binpac.

I'm trying to access the CiphertextRecord restofdata here:
https://github.com/zeek/zeek/blob/master/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac#L59

I'm expecting SSLRecord to have the data in the rec vector, based on how SSLRecord is defined. I must be misunderstanding something:
https://github.com/jrwren/zeek/blob/6f7b2973bd23690b6cac65b4d8c0f8fa64e72758/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac#L61

The RecordText vector is always empty. How can I get at the encrypted data?

Thanks,
--
Jay