[PLUG] tcpdump whiz?
Michael Rasmussen
michael at jamhome.us
Fri Feb 26 03:37:00 UTC 2016
On Thu, Feb 25, 2016 at 07:15:50PM -0600, Louis Kowolowski wrote:
> From the link you posted:
>
> tcpdump -i any -s 1500 '(tcp[((tcp[12:1] & 0xf0) >> 2)+5:1] = 0x01) and (tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16)'
>
> This captures the SSL handshake (0x16), and the hello (0x01). Seems reasonable that you could delete the expression for hello and end up with:
>
> tcpdump -i any -s 1500 '(tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16)'
>
> Does this not work?
No, it's too promiscuous.
--
Michael Rasmussen, Portland Oregon
Be Appropriate && Follow Your Curiosity
When man invented the bicycle he reached the peak of his attainments. Here
was a machine of precision and balance for the convenience of man. And
(unlike subsequent inventions for man's convenience) the more he used
it, the fitter his body became. Here, for once, was a product of man's
brain that was entirely beneficial to those who used it, and of no harm
or irritation to others. Progress should have stopped when man invented
the bicycle.
~ Elizabeth West, Hovel
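The difference between the two filters, as an added example that is not part of this thread: a Python re-implementation of the BPF offset arithmetic, run over constructed TCP segments (the ports, sequence numbers, option bytes and TLS bodies are made up for illustration). It shows that the shorter filter matches every TLS Handshake record, ServerHello included, while the full filter matches only a record whose first handshake message is a ClientHello.

```python
# Added example (not from the thread): re-implements the two tcpdump/BPF
# filters in Python and runs them over constructed TCP segments.
import struct

TLS_RECORD_HANDSHAKE = 0x16   # TLS record content type: Handshake
TLS_RECORD_APP_DATA = 0x17    # TLS record content type: Application Data
TLS_HS_CLIENT_HELLO = 0x01    # handshake message type: ClientHello
TLS_HS_SERVER_HELLO = 0x02    # handshake message type: ServerHello


def tcp_data_offset(tcp: bytes) -> int:
    """(tcp[12:1] & 0xf0) >> 2: TCP header length in bytes.

    The high nibble of byte 12 is the data offset in 32-bit words; shifting
    right by 2 instead of 4 multiplies it by 4, so the result is the byte
    offset of the payload relative to the start of the TCP header.
    """
    return (tcp[12] & 0xF0) >> 2


def matches_short_filter(tcp: bytes) -> bool:
    """tcp[dataoffset:1] = 0x16: any TLS Handshake record (ClientHello,
    ServerHello, Certificate, ...). BPF rejects a packet when an index is
    out of range, so a payload-less segment does not match here either."""
    off = tcp_data_offset(tcp)
    return len(tcp) > off and tcp[off] == TLS_RECORD_HANDSHAKE


def matches_full_filter(tcp: bytes) -> bool:
    """... and tcp[dataoffset+5:1] = 0x01: Handshake record whose first
    handshake message (after the 5-byte record header) is a ClientHello."""
    off = tcp_data_offset(tcp)
    return (len(tcp) > off + 5
            and tcp[off] == TLS_RECORD_HANDSHAKE
            and tcp[off + 5] == TLS_HS_CLIENT_HELLO)


def build_tcp_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed TCP header plus payload (IP header omitted; BPF's tcp[]
    index is relative to the TCP header anyway). Options are supported so
    the data offset is not always 20 and the arithmetic is exercised."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a 4-byte boundary")
    header_words = (20 + len(options)) // 4
    offset_and_flags = (header_words << 12) | 0x018   # data offset | PSH,ACK
    header = struct.pack("!HHIIHHHH",
                         54321, 443,   # source / destination port (made up)
                         1, 1,         # sequence / ack numbers (made up)
                         offset_and_flags,
                         65535, 0, 0)  # window, checksum (unset), urgent ptr
    return header + options + payload


def tls_handshake_record(hs_type: int, body: bytes) -> bytes:
    """Constructed TLS record: content type 0x16, version 3.3, 2-byte
    length, then a handshake header (type, 3-byte length) and body."""
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_RECORD_HANDSHAKE, 0x03, 0x03])
            + len(handshake).to_bytes(2, "big") + handshake)


# Twelve bytes of TCP options: NOP, NOP, timestamp (kind 8, length 10).
TCP_OPTIONS = b"\x01\x01\x08\x0a" + b"\x00" * 8

# Constructed sample traffic, one segment per case.
SAMPLE_SEGMENTS = {
    "client_hello": build_tcp_segment(
        tls_handshake_record(TLS_HS_CLIENT_HELLO, b"\x03\x03" + b"\x00" * 32),
        TCP_OPTIONS),
    "server_hello": build_tcp_segment(
        tls_handshake_record(TLS_HS_SERVER_HELLO, b"\x03\x03" + b"\x00" * 32)),
    "app_data": build_tcp_segment(
        bytes([TLS_RECORD_APP_DATA, 0x03, 0x03, 0x00, 0x04]) + b"\xde\xad\xbe\xef"),
    "bare_ack": build_tcp_segment(b"", TCP_OPTIONS),
}


def run_filters(segments=SAMPLE_SEGMENTS):
    """Return {name: (short_filter_hit, full_filter_hit)} for each segment."""
    return {name: (matches_short_filter(seg), matches_full_filter(seg))
            for name, seg in segments.items()}


if __name__ == "__main__":
    for name, (short_hit, full_hit) in run_filters().items():
        print(f"{name:13s} short={short_hit!s:5s} full={full_hit}")
```

When typing the real filter into a shell, the whole expression has to be single-quoted, otherwise the parentheses, `&` and `>>` are interpreted by the shell rather than passed to tcpdump: `tcpdump -i any -s 1500 '(tcp[((tcp[12:1] & 0xf0) >> 2)+5:1] = 0x01) and (tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16)'`. Both filters only inspect the first byte(s) of the segment payload, so a ClientHello that does not start at the beginning of a segment (a retransmitted tail, or a record split across segments) is not matched; that is a limitation of byte-offset BPF filtering, not of this example.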