Asked By: Anonymous
(tcp[tcp[12]/16*4]=22 and tcp[tcp[12]/16*4+5]=1), where =22 represents handshake and =1 represents client hello for both TLS 1.2/1.3 packets.
Since the above filter gives traffic for both TLS 1.2 and 1.3, I am not really finding a way/technique to differentiate TLS 1.3 from TLS 1.2 client hello traffic.
Answered By: Anonymous
TLS 1.3 support is announced in the supported_versions TLS extension. There is no clear offset for this extension in the ClientHello, i.e. one would need to properly parse the ClientHello structure. This is not doable with pcap filter rules.
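The parsing the answer refers to, as an added example that is not part of the original answer: it walks the variable-length fields of a ClientHello to reach the extensions and reads supported_versions (extension type 43), falling back to legacy_version when the extension is absent. The function names are hypothetical, the sample records are constructed rather than captured, and it assumes the TCP payload is already extracted and the ClientHello fits in one TLS record.

```python
import struct

SUPPORTED_VERSIONS = 43   # extension type (RFC 8446)


def offered_versions(record: bytes):
    """Versions offered by a ClientHello held in one TLS record, else None."""
    try:
        if record[0] != 22 or record[5] != 1:      # same test as the pcap filter
            return None
        body = record[5:5 + struct.unpack_from("!H", record, 3)[0]]
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        if len(hello) < hs_len:                    # split across records/segments
            return None
        legacy = struct.unpack_from("!H", hello, 0)[0]
        pos = 2 + 32                               # legacy_version + random
        pos += 1 + hello[pos]                      # session_id (variable length)
        pos += 2 + struct.unpack_from("!H", hello, pos)[0]   # cipher_suites
        pos += 1 + hello[pos]                      # compression_methods
        if pos == len(hello):                      # no extensions block
            return [legacy]
        ext_end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
            if ext_type == SUPPORTED_VERSIONS:
                data = hello[pos + 4:pos + 4 + ext_len]
                return [struct.unpack_from("!H", data, i)[0]
                        for i in range(1, 1 + data[0], 2)]
            pos += 4 + ext_len
        return [legacy]
    except (IndexError, struct.error):             # truncated or malformed
        return None


def offers_tls13(record: bytes) -> bool:
    return 0x0304 in (offered_versions(record) or [])   # 0x0304 = TLS 1.3


def build_hello(versions=(), session_id=b""):
    """Constructed sample ClientHello record (not a capture)."""
    lst = b"".join(struct.pack("!H", v) for v in versions)
    exts = struct.pack("!HHB", SUPPORTED_VERSIONS, len(lst) + 1, len(lst)) + lst if lst else b""
    hello = (b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
             + b"\x00\x02\x13\x01" + b"\x01\x00"
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A capture pipeline can use the pcap filter from the question as a coarse pre-filter and apply this check to each matching payload; a `None` result means the ClientHello was incomplete and needs TCP reassembly first.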