
I need to capture https traffic. In particular the client hello messages. But I need to analyse their content. I learned about wireshark. How can I extract the data from the packet content? i.e. the client hello content? The tool displays the packets. If I click on them, I see more information but how to aggregate them. i.e. I need the field length (as shown in the picture) for all client hello messages? Are there any tools to do so? Or can Wireshark do this function?

EDIT: In the picture, this is a client hello message. I need some data like the length. How to extract this and aggregate it for large traffic? (Image for illustration.)

1 Answer


You can do this with Wireshark with a filter of "ssl.handshake.type == 1". This will give you all Client Hello packets. From there you can manually inspect the client hello message or you can even make any field in the client hello message a column in Wireshark. To do this, drill-down into one of the packets to the field you want to see. Right-click that field and select "Apply as Column".

If you want to do this programmatically, you could also write a program that uses libpcap to capture packets. This is more work though since you would have to manually dissect the packets yourself.

crchurchey
  • But the GUI is not suitable for me. I have a very large pcap file. Aren't there any ways to process the pcap file programmatically to pull the parameters of interest into a file? –  Feb 06 '18 at 08:38
  • What programming language? Python has a bunch of ways to parse packets: https://stackoverflow.com/questions/4948043/pcap-python-library – crchurchey Feb 06 '18 at 12:22
  • Java and Python are preferred but any programming language is ok as long as it is easy to use and serves the purpose. –  Feb 06 '18 at 14:38
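The programmatic route the answer mentions (dissecting the packets yourself), as an added Python example that is not from the original post or its author: it walks a classic little-endian pcap, strips Ethernet/IPv4/TCP headers, and records the 24-bit handshake length of every TLS Client Hello, the same packets the `ssl.handshake.type == 1` filter selects. The sample capture is constructed inline; the link type, IPv4, and one Client Hello per TLS record are assumptions.

```python
import struct

TLS_HANDSHAKE = 22   # TLS record content type
CLIENT_HELLO = 1     # handshake type; the value Wireshark's ssl.handshake.type == 1 matches


def client_hello_length(payload):
    """Return the 24-bit handshake length of a Client Hello, or None otherwise."""
    if len(payload) < 9 or payload[0] != TLS_HANDSHAKE or payload[5] != CLIENT_HELLO:
        return None
    return int.from_bytes(payload[6:9], "big")  # length follows the 1-byte handshake type


def tcp_payload(frame):
    """Strip Ethernet/IPv4/TCP headers (assumed link type) and return the TCP payload."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                       # not IPv4 over Ethernet, or not TCP
    tcp = 14 + (frame[14] & 0x0F) * 4     # IHL gives the IPv4 header length
    return frame[tcp + (frame[tcp + 12] >> 4) * 4:]


def client_hello_lengths(pcap):
    """Walk a little-endian classic pcap and return [(packet_no, handshake_len), ...]."""
    pos, n, found = 24, 0, []             # 24-byte global header comes first
    while pos + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos, n = pos + 16 + incl_len, n + 1
        payload = tcp_payload(frame)
        hs_len = client_hello_length(payload) if payload else None
        if hs_len is not None:
            found.append((n, hs_len))
    return found


def sample_pcap():
    """Constructed capture: Client Hello, bare ACK, Server Hello, second Client Hello."""
    def frame(tls):
        ip = b"\x45\x00" + struct.pack("!H", 40 + len(tls)) + b"\x00\x00\x40\x00\x40\x06\x00\x00" + bytes(8)
        tcp = struct.pack("!HHIIBBHHH", 50000, 443, 1, 1, 0x50, 0x18, 65535, 0, 0)
        return bytes(12) + b"\x08\x00" + ip + tcp + tls

    def handshake(hs_type, body_len):     # body bytes are irrelevant to the length field
        hs = bytes([hs_type]) + body_len.to_bytes(3, "big") + bytes(body_len)
        return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

    frames = [frame(handshake(1, 96)), frame(b""), frame(handshake(2, 70)), frame(handshake(1, 205))]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


print(client_hello_lengths(sample_pcap()))  # prints [(1, 96), (4, 205)]
```

For a real capture, pass `open(path, "rb").read()` to `client_hello_lengths` instead of `sample_pcap()`; the result is a plain list that can be written to CSV for aggregation.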