secdev / scapy

Scapy: the Python-based interactive packet manipulation program & library.
https://scapy.net
GNU General Public License v2.0

Regarding warning Unknown crypto suite from ClientMasterKey #4248

Closed russdm closed 4 days ago

russdm commented 5 months ago

Brief description

Segmented packets are read in and misinterpreted as SSLv2 handshakes. Packets are often segmented TLS application Data packets when compared to Wireshark.

Scapy version

2.5.0

Python version

3.12.1

Operating system

Windows 11

Additional environment information

Develop a class in the SSLv2 handshake that recognizes and ignores segmented packets.

How to reproduce

Sniff TLS packets, and segmented TLS packets get misinterpreted as SSLv2_handshakes.

Actual result

No response

Expected result

No response

Related resources

No response

gpotter2 commented 5 months ago

Please provide a pcap and the code you're using to sniff.

russdm commented 5 months ago

See the following: I've raised the warning for UnknownCipherSuite as an error, and have been logging them in my packet captures. In comparison to the packet captures in Wireshark, Application Data is being read as SSLv2ClientMasterkey. See the zip file containing the code I'm using to capture packets, with the warning raised as an error and logged: Tests for unknown cipher suite.zip

russdm commented 5 months ago

Just a note: the first two captures in the log file are in the pcap, to save longevity of analysis. I only meant to do two, to save having to analyze a bunch of packets.

russdm commented 5 months ago

Information regarding the SSLv2 header, if you're interested: SSLv2 header.txt

gpotter2 commented 4 days ago

Just use

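from scapy.all import sniff
from scapy.sessions import TCPSession
# pktsniff is the existing per-packet callback; TCPSession reassembles TCP streams before dissection
sniff(prn=pktsniff, session=TCPSession)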
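
An added illustration, not part of the thread and not Scapy's dissector: a simplified first-bytes classifier shows why the tail of a TLS Application Data record split across TCP segments can pass for an SSLv2 ClientMasterKey, and why rebuilding records from the stream first removes the ambiguity. The classify and reassemble helpers, the in-order delivery assumption and the sample bytes are all constructed for this example.

```python
import struct

TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
SSLV2_MSG = {1: "client_hello", 2: "client_master_key", 4: "server_hello"}

def classify(buf):
    """Guess what a buffer starts with, looking only at its first bytes."""
    # TLS record header: type (1 byte), version (2 bytes, major 3), length (2 bytes).
    if len(buf) >= 5 and buf[0] in TLS_TYPES and buf[1] == 3:
        return "TLS " + TLS_TYPES[buf[0]]
    # SSLv2: 2-byte header when the top bit is set, otherwise 3 bytes (with padding).
    if len(buf) >= 3:
        hdr = 2 if buf[0] & 0x80 else 3
        if len(buf) > hdr and buf[hdr] in SSLV2_MSG:
            return "SSLv2 " + SSLV2_MSG[buf[hdr]]
    return "unknown"

def reassemble(segments):
    """Concatenate in-order TCP payloads and return the complete TLS records."""
    stream = b"".join(segments)
    records = []
    while len(stream) >= 5:
        _type, _version, length = struct.unpack("!BHH", stream[:5])
        if len(stream) < 5 + length:
            break  # record not complete yet; wait for more segments
        records.append(stream[:5 + length])
        stream = stream[5 + length:]
    return records

def demo():
    # Constructed sample: one 40-byte Application Data record whose ciphertext
    # happens to contain the bytes 0x80 0x25 0x02 at offset 20.
    body = bytes(range(20)) + b"\x80\x25\x02" + bytes(17)
    record = b"\x17\x03\x03" + struct.pack("!H", len(body)) + body
    seg1, seg2 = record[:25], record[25:]  # split the way TCP might split it
    per_segment = [classify(seg1), classify(seg2)]
    after_reassembly = [classify(r) for r in reassemble([seg1, seg2])]
    return per_segment, after_reassembly

if __name__ == "__main__":
    print(demo())
```

The second segment carries no TLS header of its own, so any per-packet dissector has to guess from ciphertext; only the record length from the first segment says where the next real header begins.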