FoxIO-LLC / ja4

JA4+ is a suite of network fingerprinting standards
https://foxio.io

Python JA4 is not ignoring GREASE in the signature algorithms extension #60

Closed john-althouse closed 7 months ago

john-althouse commented 8 months ago

GREASE values should be ignored everywhere they are seen in the TLS client and server hello packets.

vvv commented 8 months ago

they are seen in the TLS client and server hello packets

@john-althouse Do you have any capture file that would expose this?

noeltimothy commented 8 months ago

I just saw these unknown values in the "tls-alpn-h2.pcap". Wireshark shows 0xeeee, 0xefef and 0xeded as unknown. Should we consider these GREASE values?


john-althouse commented 8 months ago

Those are not in any RFC I can find. Do you know what application it was? I'm curious to see if those fields change from hello to hello or if they're static for that application.

noeltimothy commented 7 months ago

I obtained this pcap from the arkime test pcaps. Don't know how they generated this.

awick commented 7 months ago

I'm pretty sure back in 2020 I just used either curl, chrome or some tool that could do h2 to test while I was implementing support.

Something you might want to do is track where you get your PCAP files from; we currently just track ones that we didn't generate, but maybe we should track all for this reason. :)

Example: https://github.com/arkime/arkime/blob/main/tests/README

john-althouse commented 7 months ago

OK, do not ignore those and just stick to GREASE. Those are most likely programming errors in the application which are the best for fingerprinting.
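The two rules the thread settles on, as an added example that is not the JA4 project's own Python code: strip RFC 8701 GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) from the signature_algorithms extension, but keep non-RFC values such as 0xeeee, 0xefef and 0xeded, which are not GREASE and carry fingerprinting signal. The extension body bytes below are constructed for the example; the function names are assumptions, not the project's API.

```python
# Added example, not FoxIO's JA4 implementation. Filters GREASE out of the
# TLS signature_algorithms extension body while keeping unknown non-GREASE
# values, which the thread decides should stay in the fingerprint.
import struct


def is_grease(value: int) -> bool:
    """RFC 8701 GREASE values are 16-bit values of the form 0x?a?a whose two
    bytes are identical: 0x0a0a, 0x1a1a, ..., 0xfafa. 0xeeee/0xefef/0xeded are
    not GREASE because their low nibbles are not 0xa."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def parse_signature_algorithms(ext_body: bytes) -> list[int]:
    """Parse the body of the signature_algorithms extension (RFC 8446 4.2.3):
    a 2-byte length followed by that many bytes of 2-byte SignatureScheme
    values. Raises on truncated or odd-length bodies instead of guessing."""
    if len(ext_body) < 2:
        raise ValueError("truncated signature_algorithms extension")
    (length,) = struct.unpack("!H", ext_body[:2])
    if length % 2 or 2 + length > len(ext_body):
        raise ValueError("bad signature_algorithms list length")
    return [
        struct.unpack("!H", ext_body[i:i + 2])[0]
        for i in range(2, 2 + length, 2)
    ]


def ja4_signature_algorithms(ext_body: bytes) -> list[str]:
    """Return the signature schemes as 4-hex-digit strings in wire order with
    GREASE removed. Wire order is kept: only the GREASE entries are dropped."""
    return [
        f"{v:04x}"
        for v in parse_signature_algorithms(ext_body)
        if not is_grease(v)
    ]


# Constructed sample extension body (assumption, not captured traffic):
# length 0x000e, then 1a1a (GREASE), 0403, 0804, eeee (unknown, kept),
# 0401, aaaa (GREASE), 0501.
SAMPLE_EXT_BODY = bytes.fromhex("000e" "1a1a" "0403" "0804" "eeee" "0401" "aaaa" "0501")

if __name__ == "__main__":
    print(ja4_signature_algorithms(SAMPLE_EXT_BODY))
```

Running the block prints `['0403', '0804', 'eeee', '0401', '0501']`: both GREASE entries are gone, while the non-RFC 0xeeee survives. The same `is_grease` check applies to cipher suites, extension types and supported groups, where GREASE also appears.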

noeltimothy commented 7 months ago

Yes, sounds good. Thank you.