Tags: network-programming, wireshark, tcpdump, traffic

Weird thing in Wireshark capture ServerHello


I am trying to construct a capture filter to capture ServerHello messages in the TLS handshake. I wrote the following:

tcp port 443 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16) and (tcp[((tcp[12] & 0xf0) >> 2)+5] = 0x02)

It captures two types: ServerHello, and ServerHello, Change Cipher Spec, Encrypted Handshake Message. Here is a picture attached.

Can you explain? Is it a different server TLS implementation that caused this, or is there something wrong with the filter? I knew that the ServerHello code is 0x02 from this site.


Solution

  • You are seeing TLS session resumption. See figure 2 in section 7.3 of the TLS 1.2 RFC: https://www.rfc-editor.org/rfc/rfc5246#section-7.3. Your client must have connected to that server before and it re-used the TLS session id. In that situation, the server can decide to resume the previous session using the previous security parameters (saves a bit of time/processing).
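Added example (not code from the question or the answer): a Python reproduction of what the filter tests and of why both kinds of segment match it. `tcp_header_len` mirrors the `(tcp[12] & 0xf0) >> 2` expression, `matches_filter` applies the two byte checks, and `describe_records` labels every TLS record in a segment the way Wireshark's Info column does. The two sample segments are constructed, one for a full handshake and one for a resumed session in which ServerHello, Change Cipher Spec and the encrypted Finished share one TCP segment.

```python
import struct

# TLS record content types and the ServerHello handshake type (RFC 5246)
HANDSHAKE, CHANGE_CIPHER_SPEC, SERVER_HELLO = 0x16, 0x14, 0x02

def tcp_header_len(segment: bytes) -> int:
    """Header length in bytes from the data-offset nibble: (tcp[12] & 0xf0) >> 2."""
    return (segment[12] & 0xF0) >> 2

def matches_filter(segment: bytes) -> bool:
    """Python equivalent of the question's BPF byte tests (the port test is left out)."""
    h = tcp_header_len(segment)
    return len(segment) > h + 5 and segment[h] == HANDSHAKE and segment[h + 5] == SERVER_HELLO

def describe_records(segment: bytes) -> list:
    """Label every TLS record in the TCP payload, as Wireshark's Info column would."""
    payload, labels, encrypted, off = segment[tcp_header_len(segment):], [], False, 0
    while off + 5 <= len(payload):
        ctype, _ver, length = struct.unpack("!BHH", payload[off:off + 5])
        body = payload[off + 5:off + 5 + length]
        if ctype == CHANGE_CIPHER_SPEC:
            labels.append("Change Cipher Spec")
            encrypted = True  # everything after CCS is under the negotiated keys
        elif ctype == HANDSHAKE and encrypted:
            labels.append("Encrypted Handshake Message")
        elif ctype == HANDSHAKE and body[:1] == bytes([SERVER_HELLO]):
            labels.append("ServerHello")
        else:
            labels.append("record type 0x%02x" % ctype)
        off += 5 + length
    return labels

# --- constructed sample traffic (not captured from a real server) ---
def tls_record(ctype: int, body: bytes) -> bytes:
    return struct.pack("!BHH", ctype, 0x0303, len(body)) + body

def tcp_segment(payload: bytes) -> bytes:
    """20-byte TCP header (data offset 5, so byte 12 is 0x50) followed by the payload."""
    return struct.pack("!HHIIBBHHH", 443, 51000, 1, 1, 5 << 4, 0x18, 0xFFFF, 0, 0) + payload

hello_body = b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"  # version, random, sid, suite, comp
server_hello = bytes([SERVER_HELLO]) + len(hello_body).to_bytes(3, "big") + hello_body
FULL_HANDSHAKE = tcp_segment(tls_record(HANDSHAKE, server_hello))
RESUMED = tcp_segment(tls_record(HANDSHAKE, server_hello) + tls_record(CHANGE_CIPHER_SPEC, b"\x01")
                      + tls_record(HANDSHAKE, b"\xaa" * 16))  # encrypted Finished (opaque bytes)

if __name__ == "__main__":
    for name, seg in (("full", FULL_HANDSHAKE), ("resumed", RESUMED)):
        print(name, matches_filter(seg), describe_records(seg))
```

Both segments satisfy the filter because it only inspects the first TLS record; a resumed session simply packs the Change Cipher Spec and encrypted Finished records behind the ServerHello in the same segment.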