Currently using (tcp[tcp[12]/16*4]=22 and tcp[tcp[12]/16*4+5]=1), where =22 represents handshake and =1 represents client hello for both TLS 1.2/1.3 packets.
Since the above filter gives traffic to both TLS 1.2 and 1.3, I am not really finding a way/technique to differentiate TLS 1.3 or TLS 1.2 client hello traffic.
TLS 1.3 support is announced in the supported_versions TLS extension. There is no clear offset for this extension in the ClientHello, i.e. one would need to properly parse the ClientHello structure. This is not doable with pcap filter rules.
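The parsing the answer describes, as an added example (not code from the question or the answer): it walks the variable-length ClientHello fields to reach the extensions, looks for supported_versions (type 43) and reports whether 0x0304 is offered. It takes the TCP payload (what the filter's tcp[...] offsets point at) and uses a constructed sample ClientHello, not a real capture.

```python
import struct

SUPPORTED_VERSIONS_EXT = 0x002B  # extension type "supported_versions" (RFC 8446)
TLS13 = 0x0304


def client_hello_versions(payload: bytes):
    """Versions listed in the supported_versions extension of the ClientHello at
    the start of `payload`, or None if it is not a ClientHello or has no such
    extension. Raises ValueError on a truncated/malformed message."""
    # Record header: type(1) version(2) length(2); handshake header: type(1) length(3).
    if len(payload) < 9 or payload[0] != 22 or payload[5] != 1:
        return None
    hs_len = int.from_bytes(payload[6:9], "big")
    body = payload[9:9 + hs_len]
    if len(body) < hs_len:
        raise ValueError("truncated ClientHello")
    try:
        pos = 2 + 32                                              # legacy_version + random
        pos += 1 + body[pos]                                      # session_id
        pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]      # cipher_suites
        pos += 1 + body[pos]                                      # compression_methods
        if pos + 2 > len(body):
            return None                                           # no extensions block (allowed pre-1.3)
        ext_end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:                                 # each extension: type(2) length(2) data
            ext_type, ext_len = struct.unpack(">HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == SUPPORTED_VERSIONS_EXT:
                n = data[0]                                       # ClientHello form: 1-byte list length
                return [struct.unpack(">H", data[1 + i:3 + i])[0] for i in range(0, n, 2)]
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc
    return None


def offers_tls13(payload: bytes) -> bool:
    versions = client_hello_versions(payload)
    return versions is not None and TLS13 in versions


def build_client_hello(versions=None) -> bytes:
    """Constructed minimal ClientHello (sample data, not a real capture)."""
    exts = b""
    if versions:
        vs = b"".join(struct.pack(">H", v) for v in versions)
        exts = struct.pack(">HHB", SUPPORTED_VERSIONS_EXT, len(vs) + 1, len(vs)) + vs
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack(">H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs
```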