Define SmartTrace to collect only TLS handshake in NetMaster

Article ID: 276856

Products

NetMaster Network Management for TCP/IP

Issue/Introduction

I want to capture TLS handshakes in SmartTrace but cannot get it to work as desired.

The type of packet I want to capture is the following:

byte 1 of the data area is x16,

then the 5th byte is either x01, x02, or x20.

So the packet data section is defined with:

         Oper  Data  Format  Start Pos.  Length
      1  EQ    X16   HEX     1           1
      2  EQ    X02   HEX     5           1
      3  EQ    X01   HEX     5           1
      4  EQ    X20   HEX     5           1

 Expression ....+ 1 AND ( 2 OR 3 OR 4 )

However, the trace is capturing every packet.

Environment

NetMaster for TCP/IP 12.2

Cause

The start position is incorrect. The first five bytes of the data area following the TCP header are the TLS record header (1-byte content type x16 for handshake, 2-byte protocol version, 2-byte record length), so the handshake type byte (x01 ClientHello, x02 ServerHello) is at position 6, not 5. Position 5 is the low byte of the record length, which does not identify the handshake message.

Resolution

Create the SmartTrace definition using 'New TCP Trace'. A definition created for multiple traces will not work correctly for this filter.

Use the following criteria. The start position for the handshake-type rows (2, 3 and 4) is 6 instead of 5, because the handshake type byte follows the 5-byte TLS record header.

Trace Packets with:           
TCP Flags .......+          
              (SYN,ACK,PSH,RST,URG,FIN or an expression e.g. SYN and not ACK)     
  Packet Direction ...........        (In or Out)                                 
                                                                                  
+ Packet Data (Following TCP Header) ----------------------------------------+    
|                                                    Start                   |    
|   Oper  Data                              Format    Pos.  Length           |    
| 1 EQ    16                                HEX       1       1              |    
| 2 EQ    01                                HEX       6       1              |    
| 3 EQ    02                                HEX       6       1              |    
| 4 EQ    20                                HEX       6       1              |    
| 5                                                                          |    
| Expression ....+ 1 AND ( 2 OR 3 OR 4 )                 e.g. 1 and (2 or 3) |    
+----------------------------------------------------------------------------+   

 

Here are the trace results; only the handshakes are being captured:

Local Host      LPort Dir Foreign Host    Port   +Time Bytes  Summary Information 
xx.xx.xx.xx   25261  -> xx.xx.xx.xx   47646 <0.001   383  TLS1.2: HSHK( CLIENT_HELLO )
xx.xx.xx.xx   47646 <-  xx.xx.xx.xx   25261 <0.001   383  TLS1.2: HSHK( CLIENT_HELLO )
xx.xx.xx.xx   25264  -> xx.xx.xx.xx   47646 <0.001   383  TLS1.2: HSHK( CLIENT_HELLO )


  and many more.
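As an added illustration, not part of this article or of the NetMaster product, the following Python models the "Packet Data (Following TCP Header)" filter above (Oper/Data/Format/Start Pos./Length rows plus the row-number expression) and runs it over constructed TLS record bytes, once with the handshake-type rows at start position 5 and once at 6. With position 5 the filter lands on the low byte of the record length, so ClientHello and ServerHello are missed and any handshake record whose length happens to end in x01, x02 or x20 (here a Certificate record of length x0320) is selected instead. The sample payloads and the small expression parser are assumptions made for the example. Note also that x20 is not an IANA-assigned TLS handshake type; ClientHello is x01, ServerHello is x02 and Finished is decimal 20, i.e. x14, so row 4 should be checked against what was actually intended.

```python
"""Added example (not from the NetMaster article): a model of the SmartTrace
packet-data filter, used to show why the TLS handshake-type byte is at
1-based position 6, after the 5-byte record header (type, version, length)."""

# Constructed sample TCP payloads: the first bytes of the data area after the
# TCP header. Column comments give the 1-based SmartTrace positions.
SAMPLES = {
    #                              pos1  2-3   4-5   6   rest (assumed filler)
    "client_hello": bytes.fromhex("16    0301  00f4  01  0000f0 0303"),
    "server_hello": bytes.fromhex("16    0303  005a  02  000056 0303"),
    "certificate":  bytes.fromhex("16    0303  0320  0b  00031c 000319"),
    "app_data":     bytes.fromhex("17    0303  0020  01  020304 0506"),
    "alert":        bytes.fromhex("15    0303  0002  02  28"),
}

EXPRESSION = "1 AND ( 2 OR 3 OR 4 )"   # the expression used in the article


def handshake_criteria(type_pos):
    """The four rows from the article as (Oper, Data, Start Pos., Length).
    type_pos is the start position used for rows 2-4: 5 in the failing
    definition, 6 in the working one."""
    return [
        ("EQ", "16", 1, 1),         # 1: record content type x16 = handshake
        ("EQ", "01", type_pos, 1),  # 2: handshake type ClientHello
        ("EQ", "02", type_pos, 1),  # 3: handshake type ServerHello
        ("EQ", "20", type_pos, 1),  # 4: value as given in the article
    ]


def criterion_matches(data, oper, hexdata, start_pos, length):
    """Evaluate one criteria row (HEX format) against a payload."""
    want = bytes.fromhex(hexdata)
    if len(want) != length:
        raise ValueError("Data and Length columns disagree")
    field = data[start_pos - 1:start_pos - 1 + length]
    if len(field) < length:          # packet too short to hold the field
        return False
    if oper == "EQ":
        return field == want
    if oper == "NE":
        return field != want
    raise ValueError(f"unsupported operator {oper}")


class _Parser:
    """Tiny recursive-descent evaluator for expressions such as
    '1 AND ( 2 OR 3 OR 4 )', where numbers refer to criteria rows.
    Grammar (assumed for the example): expr := term (OR term)*;
    term := factor (AND factor)*; factor := NOT factor | '(' expr ')' | n."""

    def __init__(self, tokens, values):
        self.toks, self.vals, self.i = tokens, values, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expr(self):
        v = self.term()
        while self.peek() and self.peek().upper() == "OR":
            self.take()
            rhs = self.term()
            v = v or rhs
        return v

    def term(self):
        v = self.factor()
        while self.peek() and self.peek().upper() == "AND":
            self.take()
            rhs = self.factor()
            v = v and rhs
        return v

    def factor(self):
        tok = self.take()
        if tok is None:
            raise ValueError("unexpected end of expression")
        if tok.upper() == "NOT":
            return not self.factor()
        if tok == "(":
            v = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return v
        return self.vals[int(tok)]   # criteria rows are numbered from 1


def packet_selected(data, criteria, expression):
    """True if the payload satisfies the expression over the criteria rows."""
    values = {n: criterion_matches(data, *row) for n, row in enumerate(criteria, 1)}
    tokens = expression.replace("(", " ( ").replace(")", " ) ").split()
    parser = _Parser(tokens, values)
    result = parser.expr()
    if parser.peek() is not None:
        raise ValueError("trailing tokens in expression")
    return result


def selected_packets(type_pos, samples=SAMPLES):
    """Names of the sample packets the trace would keep for a given start position."""
    criteria = handshake_criteria(type_pos)
    return sorted(name for name, data in samples.items()
                  if packet_selected(data, criteria, EXPRESSION))


if __name__ == "__main__":
    print("start position 5:", selected_packets(5))   # ['certificate']
    print("start position 6:", selected_packets(6))   # ['client_hello', 'server_hello']
```

Row 1 (content type x16 at position 1) is correct in both definitions, so Application Data and Alert records are never selected; the difference is entirely in rows 2 to 4, which at position 5 compare against the record length instead of the handshake type.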

Additional Information

Case 33568738