Closed john-althouse closed 7 months ago
@john-althouse Do you have any capture file that would expose this?
I just saw these unknown values in the "tls-alpn-h2.pcap". Wireshark shows 0xeeee, 0xefef and 0xeded as unknown. Should we consider these GREASE values?
Those are not in any RFC I can find. Do you know what application it was? I'm curious to see if those fields change from hello to hello or if they're static for that application.
I obtained this pcap from the arkime test pcaps. Don't know how they generated this.
I'm pretty sure back in 2020 I just used either curl, chrome or some tool that could do h2 to test while I was implementing support.
Something you might want to do is track where you get your PCAP files from, we currently just track ones that we didn't generate, but maybe we should track all for this reason. :)
Example: https://github.com/arkime/arkime/blob/main/tests/README
OK, do not ignore those and just stick to GREASE. Those are most likely programming errors in the application which are the best for fingerprinting.
Yes sounds good. Thank You.
GREASE values should be ignored everywhere they are seen in the TLS client and server hello packets.
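As an added example (not code from the arkime or JA4 projects), the RFC 8701 pattern check that separates real GREASE values from unknown values such as 0xeeee, 0xefef and 0xeded, so the former can be dropped from a fingerprint while the latter are kept. The set of known cipher suite IDs is a constructed subset used only for illustration.

```python
# RFC 8701 reserves sixteen 16-bit values of the form 0x?a?a (both bytes equal,
# low nibble of each byte 0xa) for cipher suites, extensions, named groups and
# signature algorithms: 0x0a0a, 0x1a1a, ..., 0xfafa.
GREASE_VALUES = frozenset(0x0A0A + 0x1010 * i for i in range(16))

# Constructed subset of IANA cipher suite IDs, only for the classification demo.
KNOWN_CIPHERS = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}


def is_grease(value: int) -> bool:
    """True only for the RFC 8701 pattern; 0xeeee / 0xefef / 0xeded fail it."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"not a 16-bit TLS id: {value:#x}")
    high, low = value >> 8, value & 0xFF
    return high == low and (low & 0x0F) == 0x0A


def strip_grease(values):
    """Drop GREASE entries but preserve order and every other value, including
    unknown ones, since those are what make an application fingerprintable."""
    return [v for v in values if not is_grease(v)]


def classify(values):
    """Split a hello field list into grease / known / unknown, order preserved."""
    out = {"grease": [], "known": [], "unknown": []}
    for v in values:
        if is_grease(v):
            out["grease"].append(v)
        elif v in KNOWN_CIPHERS:
            out["known"].append(v)
        else:
            out["unknown"].append(v)
    return out


# Constructed Client Hello cipher list mixing GREASE, known and odd values.
SAMPLE_CIPHERS = [0x1A1A, 0x1301, 0x1302, 0xEEEE, 0xC02B, 0xEFEF, 0xFAFA, 0xEDED]

if __name__ == "__main__":
    print([f"{v:#06x}" for v in strip_grease(SAMPLE_CIPHERS)])
    print({k: [f"{v:#06x}" for v in vs] for k, vs in classify(SAMPLE_CIPHERS).items()})
```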