handshake ssl

  1. Question

I would like to obtain the bytes related to the certificates field, but I don't see any event to get it.

Attached is a Wireshark image with the field underlined.

  2. Question

Is there a way to extract exclusively the payload generated in each packet of the SSL handshake?
For example:

      struct {
          ProtocolVersion client_version;
          Random random;
          SessionID session_id;
          CipherSuite cipher_suites<2..2^16-2>;
          CompressionMethod compression_methods<1..2^8-1>;
          select (extensions_present) {
              case false:
                  struct {};
              case true:
                  Extension extensions<0..2^16-1>;
          };
      } ClientHello;

all bytes of this struct of Client Hello.

certificate.png

Hi Rober,

1. Question
I would like to obtain the bytes related to the certificates field, but I
don't see any event to get it.

Attached is a Wireshark image with the field underlined.

You cannot get at the data for the certificate field directly; however, you can get all of the individual certificates. The easiest way to get to them is through the event x509_certificate - https://www.zeek.org/sphinx/scripts/base/bif/plugins/Bro_X509.events.bif.bro.html#id-x509_certificate. That event gets the parsed-out certificate data + an opaque of type x509. You can use the x509_get_certificate_string function to get the ASN.1 representation of the individual certificates out of that.

2. Question
Is there a way to extract exclusively the payload generated in each packet
of the SSL handshake?
For example:

      struct {
          ProtocolVersion client_version;
          Random random;
          SessionID session_id;
          CipherSuite cipher_suites<2..2^16-2>;
          CompressionMethod compression_methods<1..2^8-1>;
          select (extensions_present) {
              case false:
                  struct {};
              case true:
                  Extension extensions<0..2^16-1>;
          };
      } ClientHello;

all bytes of this struct of Client Hello.

No, there is no way to get the payload for each packet in the handshake. That being said, there is a different event for, I think, every single event in the handshake that gets the parsed-out information; in this case it would be ssl_client_hello and the different extension events.

Is there a reason why you want the raw data and not access to the parsed information?

Johanna
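Johanna's suggestions above, written out as an added Zeek script (not code from this thread or from the Zeek project): the certificate bytes come from the x509_certificate event via x509_get_certificate_string, and the ClientHello fields from ssl_client_hello and ssl_extension. The event signatures are assumed to be those of Zeek 3.x or later (older releases lack record_version and comp_methods on ssl_client_hello); the output file naming is my own choice.

```zeek
# Added example: recover certificate bytes and ClientHello fields through
# Zeek's parsed events rather than the raw handshake payload.
# Assumes Zeek 3.x or later event signatures.

# x509_certificate fires once per certificate in the chain.
# x509_get_certificate_string(cert_ref, F) returns the DER (ASN.1) bytes,
# x509_get_certificate_string(cert_ref, T) the PEM encoding.
event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)
	{
	local der = x509_get_certificate_string(cert_ref, F);
	local digest = sha256_hash(der);
	print fmt("certificate %s (%d DER bytes) sha256=%s", cert$subject, |der|, digest);

	# Write the raw certificate out, named by its hash so repeats collapse.
	local out = open(fmt("cert-%s.der", digest));
	write_file(out, der);
	close(out);
	}

# ClientHello fields arrive already parsed; no event carries the whole
# ClientHello struct as bytes.
event ssl_client_hello(c: connection, version: count, record_version: count,
                       possible_ts: time, client_random: string, session_id: string,
                       ciphers: index_vec, comp_methods: index_vec)
	{
	local vers = version in SSL::version_strings ? SSL::version_strings[version] : "unknown";
	print fmt("%s ClientHello from %s: version=%s random=%s session_id=%s",
	          c$uid, c$id$orig_h, vers,
	          bytestring_to_hexstr(client_random), bytestring_to_hexstr(session_id));
	for ( i in ciphers )
		{
		local code = ciphers[i];
		local desc = code in SSL::cipher_desc ? SSL::cipher_desc[code] : "unknown";
		print fmt("  cipher 0x%04x %s", code, desc);
		}
	}

# Each extension is delivered by its own ssl_extension event, with the
# extension's raw data in val; is_orig selects the client side.
event ssl_extension(c: connection, is_orig: bool, code: count, val: string)
	{
	if ( ! is_orig )
		return;
	local name = code in SSL::extensions ? SSL::extensions[code] : "unknown";
	print fmt("  extension %d (%s) %d bytes", code, name, |val|);
	}
```

Run it against a capture with `zeek -r capture.pcap script.zeek`; the .der files can then be inspected with any ASN.1 or X.509 tool.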