[Zeek] Fwd: handshake ssl

Rober Fernández roberixion at gmail.com
Thu Jan 17 03:04:07 PST 2019


---------- Forwarded message ---------
From: Rober Fernández <roberixion at gmail.com>
Date: Thu, 17 Jan 2019 at 12:03
Subject: handshake ssl
To: <zeek at zeek.org>


1. Question
I would like to obtain the bytes related to the certificates field, but I
don't see any event to get them.

Attached is a Wireshark image with the field underlined.

2. Question
Is there a way to extract exclusively the payload generated in each packet
of the SSL handshake?
For example:

      struct {
          ProtocolVersion client_version;
          Random random;
          SessionID session_id;
          CipherSuite cipher_suites<2..2^16-2>;
          CompressionMethod compression_methods<1..2^8-1>;
          select (extensions_present) {
              case false:
                  struct {};
              case true:
                  Extension extensions<0..2^16-1>;
          };
      } ClientHello;

That is, all the bytes of this ClientHello struct.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: certificate.png
Type: image/png
Size: 29504 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190117/78603956/attachment-0001.bin 
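
For reference, the ClientHello struct quoted in the second question can be cut out of raw TLS record bytes and split into its fields as below. This is an added example, not part of the original post and not Zeek code; it works on record bytes taken from a capture rather than on a Zeek event, and the function names and sample bytes are constructed for illustration.

```python
import struct

def handshake_messages(stream: bytes):
    """Yield (msg_type, raw_message) pairs, header included; reassembles across records."""
    buf, pos = b"", 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        fragment = stream[pos + 5:pos + 5 + length]
        if len(fragment) < length:
            raise ValueError("truncated TLS record")
        pos += 5 + length
        if ctype != 22:              # 22 = handshake content type
            continue
        buf += fragment
        while len(buf) >= 4:
            end = 4 + int.from_bytes(buf[1:4], "big")
            if len(buf) < end:
                break                # rest of the message is in a later record
            yield buf[0], buf[:end]
            buf = buf[end:]

def parse_client_hello(msg: bytes) -> dict:
    """Split a raw ClientHello message into the fields of the struct."""
    if msg[0] != 1:
        raise ValueError("not a ClientHello")
    body, off = msg[4:], 0
    def take(n):
        nonlocal off
        if off + n > len(body):
            raise ValueError("truncated ClientHello")
        off += n
        return body[off - n:off]
    def vector(len_bytes):           # <a..b> vector: length prefix, then data
        return take(int.from_bytes(take(len_bytes), "big"))
    hello = {"client_version": tuple(take(2)), "random": take(32), "session_id": vector(1)}
    suites = vector(2)
    if len(suites) % 2:
        raise ValueError("odd cipher_suites length")
    hello["cipher_suites"] = [int.from_bytes(suites[i:i + 2], "big")
                              for i in range(0, len(suites), 2)]
    hello["compression_methods"] = list(vector(1))
    hello["extensions"] = vector(2) if off < len(body) else None  # extensions_present
    return hello

# Constructed sample: one TLS record holding a minimal ClientHello.
SAMPLE_BODY = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x04\x13\x01\xc0\x2f"
               + b"\x01\x00" + b"\x00\x04\x00\x17\x00\x00")
SAMPLE_MSG = b"\x01" + len(SAMPLE_BODY).to_bytes(3, "big") + SAMPLE_BODY
SAMPLE_RECORD = b"\x16\x03\x01" + len(SAMPLE_MSG).to_bytes(2, "big") + SAMPLE_MSG
```

The second element of each pair from handshake_messages() is the complete byte string of one handshake message; parse_client_hello() returns None for extensions when the body ends after compression_methods.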