[Zeek] handshake ssl

Rober Fernández roberixion at gmail.com
Thu Jan 17 03:03:16 PST 2019


1. Question
I would like to obtain the bytes related to the certificates field, but I
don't see any event to get them.

Attached is a Wireshark image with the field underlined.

2. Question
Is there a way to extract exclusively the payload generated in each packet
of the SSL handshake?
For example:

      struct {
          ProtocolVersion client_version;
          Random random;
          SessionID session_id;
          CipherSuite cipher_suites<2..2^16-2>;
          CompressionMethod compression_methods<1..2^8-1>;
          select (extensions_present) {
              case false:
                  struct {};
              case true:
                  Extension extensions<0..2^16-1>;
          };
      } ClientHello;

All the bytes of this ClientHello struct.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: certificate.png
Type: image/png
Size: 29504 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190117/3be58b4b/attachment-0001.bin 
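
To make concrete which bytes "all bytes of this struct" refers to, here is an added example (not part of the original post and not Zeek code) that carves the ClientHello body out of a raw TLS record and splits it into the fields of the struct quoted above. It assumes the whole handshake message sits in one unfragmented record; the function names are hypothetical and the sample record is constructed, not captured traffic.

```python
import struct

HANDSHAKE = 22        # TLS record content type for handshake messages
CLIENT_HELLO = 1      # HandshakeType client_hello

def build_sample_record():
    """Constructed ClientHello (not captured traffic): TLS 1.2, two suites, no extensions."""
    body = (b"\x03\x03" + bytes(range(32)) + b"\x00"   # client_version, random, empty session_id
            + b"\x00\x04\xc0\x2f\x00\x9c"               # cipher_suites<2..2^16-2>
            + b"\x01\x00")                              # compression_methods: null only
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(hs)) + hs, body

def client_hello_bytes(record):
    """Return the raw ClientHello struct bytes from one unfragmented TLS record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    frag = record[5:5 + rlen]
    if ctype != HANDSHAKE or len(frag) != rlen or rlen < 4:
        raise ValueError("not a complete handshake record")
    hlen = int.from_bytes(frag[1:4], "big")             # 3-byte handshake length
    if frag[0] != CLIENT_HELLO or 4 + hlen > len(frag):
        raise ValueError("not a complete ClientHello")
    return frag[4:4 + hlen]

def parse_client_hello(body):
    """Split the struct into its fields; raises ValueError on truncation."""
    pos = 0
    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated ClientHello")
        chunk = body[pos:pos + n]
        pos += n
        return chunk
    def vec(len_bytes):                                 # length-prefixed vector <a..b>
        return take(int.from_bytes(take(len_bytes), "big"))
    out = {"client_version": take(2), "random": take(32), "session_id": vec(1)}
    suites = vec(2)
    out["cipher_suites"] = [suites[i:i + 2].hex() for i in range(0, len(suites), 2)]
    out["compression_methods"] = list(vec(1))
    out["extensions"] = vec(2) if pos < len(body) else None   # select (extensions_present)
    return out

if __name__ == "__main__":
    rec, _ = build_sample_record()
    print(parse_client_hello(client_hello_bytes(rec)))
```
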
