I'm trying to write a BPF filter for scapy's sniff() to capture packets that are TLSClientHello packets OR TCP SYN packets. Here's what I have:
sniff(filter="tcp dst port 443 and ((tcp[((tcp[12] & 0xf0) >> 2)] = 0x16) or (tcp[13] & 0x02 = 1))", prn=process_packet, iface=iface, store=False)
The sniff is only picking up on TLSClientHello though. For some reason, SYN packets aren't getting through. What is wrong with the BPF?
The logical and for the filter portion supposed to catch the TCP SYN will return 2, not 1. So this:
(tcp[13] & 0x02 = 1)
Should be:
(tcp[13] & 0x02 = 2)
Or alternatively (at least with tcpdump, I haven't tried with Scapy):
(tcp[tcpflags] & tcp-syn != 0)
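Added example, not part of the question or the answer: a small evaluator for the byte-index tests the filter above performs (tcp[12], tcp[13], tcp[data offset]), run on constructed TCP segments. It shows the point of the answer, that tcp[13] & 0x02 is 0 or 2 and never 1, and it also models one property of the classic BPF interpreter that is worth knowing when a test indexes into the payload: a load past the end of the packet makes the filter reject the packet (libpcap's bpf_filter and the kernel's classic-BPF path both return 0 in that case). The left-to-right evaluation of the or operands, the checksum-less segment builder and the sample packets are assumptions of this example, not something the post states.

```python
"""Evaluate BPF-style byte tests on constructed TCP segments (added example)."""
import struct

TH_SYN, TH_PUSH, TH_ACK = 0x02, 0x08, 0x10
TLS_HANDSHAKE = 0x16  # content type of the TLS record carrying a ClientHello


class OutOfRange(Exception):
    """A BPF load beyond the end of the packet; classic BPF returns 'no match'."""


def build_tcp(dport, flags, payload=b"", options=b""):
    """Constructed sample input: TCP header (checksum left 0) + options + payload."""
    assert len(options) % 4 == 0, "TCP options are padded to 32-bit words"
    doff_words = 5 + len(options) // 4          # header length in 32-bit words
    hdr = struct.pack("!HHIIHHHH", 51234, dport, 1, 0,
                      (doff_words << 12) | (flags & 0x1FF), 65535, 0, 0)
    return hdr + options + payload


def tcp_byte(seg, k):
    """tcp[k] in BPF: byte k of the TCP segment, or a rejecting out-of-range load."""
    if k >= len(seg):
        raise OutOfRange(k)
    return seg[k]


def is_tls_handshake(seg):
    """tcp[((tcp[12] & 0xf0) >> 2)] = 0x16: first payload byte is a handshake record."""
    doff = (tcp_byte(seg, 12) & 0xF0) >> 2   # data offset in words, times 4
    return tcp_byte(seg, doff) == TLS_HANDSHAKE


def syn_buggy(seg):
    """(tcp[13] & 0x02 = 1) as in the question: the masked value is 0 or 2."""
    return (tcp_byte(seg, 13) & 0x02) == 1


def syn_fixed(seg):
    """(tcp[13] & 0x02 = 2), equivalently (tcp[tcpflags] & tcp-syn != 0)."""
    return (tcp_byte(seg, 13) & TH_SYN) != 0


def run_filter(seg, dport, tests):
    """'tcp dst port N and (t1 or t2)': operands assumed evaluated left to right."""
    try:
        if struct.unpack("!H", seg[2:4])[0] != dport:
            return False
        return any(t(seg) for t in tests)
    except OutOfRange:          # classic BPF rejects the packet outright
        return False


# Constructed samples (assumed traffic, not captures from the post)
MSS_OPT = b"\x02\x04\x05\xb4"                                   # MSS = 1460
SYN = build_tcp(443, TH_SYN, options=MSS_OPT)                   # bare SYN, 24 bytes
SYN_PADDED = SYN + b"\x00\x00"                                  # SYN plus trailing bytes
HELLO = build_tcp(443, TH_PUSH | TH_ACK, payload=b"\x16\x03\x01\x00\x05hello")
ACK = build_tcp(443, TH_ACK)                                    # pure ACK, no payload
OTHER = build_tcp(80, TH_SYN)                                   # wrong destination port


def question_filter(seg):
    return run_filter(seg, 443, [is_tls_handshake, syn_buggy])


def answer_filter(seg):
    return run_filter(seg, 443, [is_tls_handshake, syn_fixed])


def reordered_filter(seg):
    """Flag test first, so a bare SYN never reaches the payload load."""
    return run_filter(seg, 443, [syn_fixed, is_tls_handshake])


if __name__ == "__main__":
    samples = [("SYN", SYN), ("SYN_PADDED", SYN_PADDED), ("HELLO", HELLO),
               ("ACK", ACK), ("OTHER", OTHER)]
    for name, f in [("question", question_filter), ("answer", answer_filter),
                    ("reordered", reordered_filter)]:
        print(name, {n: f(s) for n, s in samples})
```

On SYN_PADDED the question's filter returns False and the answer's returns True, which is the = 1 versus = 2 bug in isolation. On the bare SYN even the corrected filter returns False in this model, because the TLS test runs first and its load lands one byte past the end of the segment. Whether that bites on a real interface depends on whether anything follows the TCP header (for example link-layer padding on short inbound frames), so the safer form is to put the flag test before the payload test, as reordered_filter does, and to confirm the final expression with tcpdump before handing it to sniff().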