How can I recognize SSL packets when I sniff in scapy?
I know that SSL packets are going through port 443. Can I assume that all the TCP packets that go through port 443 are SSL packets?
Others have added support for SSL/TLS as a layer to Scapy.
https://github.com/tintinweb/scapy-ssl_tls
Follow the README there to install. Once installed you should be able to use that to detect SSL/TLS content in a packet with the haslayer function.
You can assume neither that all traffic using port 443 is SSL nor that SSL can only be found on port 443. To detect SSL traffic you might try to look at the first bytes, i.e. a data stream starting with \x16\x03 followed by [\x00-\x03] might be a ClientHello for SSL 3.0 ... TLS 1.2. But of course it might also be some other protocol which just uses the same initial byte sequence.
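The first-bytes check described in the last answer, as an added example that is not part of the original answers or of scapy-ssl_tls. It goes beyond the three-byte test by also checking the record length, handshake type and client version, which are assumptions of this example chosen to reduce look-alike matches; the function names and sample bytes are constructed for illustration.

```python
# Constructed sample data and a heuristic; added example, not from scapy or scapy-ssl_tls.
HANDSHAKE = 0x16        # TLS record content type: handshake
CLIENT_HELLO = 0x01     # handshake message type: ClientHello
MAX_PLAINTEXT = 2**14   # largest length an unencrypted TLS record may declare


def looks_like_client_hello(payload: bytes, strict: bool = True) -> bool:
    """Heuristically decide whether a TCP payload starts with a ClientHello."""
    if len(payload) < 3:
        return False
    # The check from the answer: \x16\x03 followed by [\x00-\x03].
    if payload[0] != HANDSHAKE or payload[1] != 0x03 or payload[2] > 0x03:
        return False
    if not strict:
        return True
    # Extra consistency checks (assumption of this example) to cut down on
    # other protocols that merely share the same three leading bytes.
    if len(payload) < 11:
        return False
    record_len = int.from_bytes(payload[3:5], "big")
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    if not 0 < record_len <= MAX_PLAINTEXT:
        return False
    if hs_type != CLIENT_HELLO:
        return False
    # Assumes the hello fits in one record; a hello fragmented across
    # several records is reported as a non-match here.
    if hs_len + 4 > record_len:
        return False
    return payload[9] == 0x03   # client_version major byte inside the hello


def build_sample_hello() -> bytes:
    """Constructed minimal ClientHello record (not captured traffic)."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


SAMPLE_HELLO = build_sample_hello()
# Constructed look-alike: same three leading bytes, impossible record length.
LOOKALIKE = b"\x16\x03\x02\xff\xff" + b"A" * 16
PLAIN_HTTP = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for name, data in [("hello", SAMPLE_HELLO), ("lookalike", LOOKALIKE), ("http", PLAIN_HTTP)]:
        print(name, looks_like_client_hello(data, strict=False), looks_like_client_hello(data))
```

In a scapy sniff callback the input would be `bytes(pkt[TCP].payload)` for segments that carry data, regardless of port. A hello split across TCP segments needs stream reassembly before this check applies.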