I'm trying to write a BPF filter for scapy's sniff() to capture packets that are TLSClientHello packets OR TCP SYN packets. Here's what I have:

sniff(filter="tcp dst port 443 and ((tcp[((tcp[12] & 0xf0) >> 2)] = 0x16) or (tcp[13] & 0x02 = 1))", prn=process_packet, iface=iface, store=False)

The sniff is only picking up on TLSClientHello though. For some reason, SYN packets aren't getting through. What is wrong with the BPF?

  • Take a look at here: https://gist.github.com/LeeBrotherston/92cc2637f33468485b8f –  Apr 19 '22 at 11:37


The logical AND in the portion of the filter that is supposed to catch the TCP SYN will return 2, not 1. So this:

(tcp[13] & 0x02 = 1)

Should be:

(tcp[13] & 0x02 = 2)

Or alternatively (at least with tcpdump, I haven't tried with Scapy):

(tcp[tcpflags] & tcp-syn != 0)
Qeole
  • @helloCode0135 Did you test it? It still doesn't show SYN packets for me when combined with the first part of your filter :-/ – pchaigno Mar 29 '21 at 09:10
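As an added illustration (not code from the question or the answer), here is a Python model of the three predicates in the filter, run over two constructed TCP segments. It shows that `tcp[13] & 0x02 = 1` can never be true, and it also models what the classic BPF interpreter does when a byte load falls past the end of the packet: the whole filter returns 0 for that packet, which is what happens to a SYN (no payload) when the `tcp[((tcp[12] & 0xf0) >> 2)]` clause is evaluated first. The function and variable names are hypothetical.

```python
import struct
from typing import Optional

def build_tcp(flags: int, payload: bytes, data_offset_words: int = 5) -> bytes:
    """Constructed minimal TCP segment: 20-byte header, no options, plus payload."""
    header = struct.pack("!HHIIBBHHH", 12345, 443, 1, 0,
                         data_offset_words << 4, flags, 65535, 0, 0)
    return header + payload

def tcp_load_byte(tcp: bytes, index: int) -> Optional[int]:
    """Model of a classic BPF byte load: an out-of-range access aborts the
    whole program and the packet is rejected; modelled here as None."""
    if index >= len(tcp):
        return None
    return tcp[index]

def payload_first_byte_index(tcp: bytes) -> int:
    # tcp[12] high nibble = data offset in 32-bit words; (byte & 0xf0) >> 2
    # is the same as (nibble << 2), i.e. the header length in bytes.
    return (tcp[12] & 0xF0) >> 2

def is_client_hello(tcp: bytes) -> Optional[bool]:
    # tcp[((tcp[12] & 0xf0) >> 2)] = 0x16: first payload byte is a TLS
    # handshake record (0x16). For a bare SYN this index is past the end.
    b = tcp_load_byte(tcp, payload_first_byte_index(tcp))
    return None if b is None else b == 0x16

def is_syn(tcp: bytes, expected: int) -> bool:
    # tcp[13] & 0x02 = expected: the masked value is 0 or 2, never 1.
    return (tcp[13] & 0x02) == expected

def filter_match(tcp: bytes, syn_value: int, syn_first: bool) -> bool:
    """Evaluate 'clientHello or syn' the way the written BPF does: left to
    right, accept on the first true clause, reject outright on an aborted load."""
    clauses = [lambda: is_syn(tcp, syn_value), lambda: is_client_hello(tcp)]
    if not syn_first:
        clauses.reverse()
    for clause in clauses:
        result = clause()
        if result is None:      # out-of-range load: filter returns 0
            return False
        if result:
            return True
    return False

# Constructed sample segments: a bare SYN and a PSH/ACK carrying a TLS record.
SYN = build_tcp(0x02, b"")
HELLO = build_tcp(0x18, b"\x16\x03\x01\x00\x05hello")
```

With the clauses in the question's order, the SYN is rejected whether the comparison is `= 1` or `= 2`; putting the flags test first and comparing against 2 makes both segments match.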