Fix missing TLS packets and recognizing TLS encrypted data #4015
I noticed that Scapy seemed to skip packets when parsing TLSv1.2 messages from pcap files. I could not find a relevant issue and investigated it myself. It seems that Scapy was returning the last TLS message in a sequence when TLS was fragmented across TCP packets.
Independently, I noticed that TLS messages Wireshark calls "Encrypted Handshake Messages" were not recognized by Scapy. Since these messages aren't indicated by any outside field, I modified TLS records to consider the message content encrypted if a message fails to parse.
I'm opening this PR as a draft since I haven't done testing outside of my use case. I'm not sure what implications outside of TLS handshakes these changes have.
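The two behaviours described above, as a stand-alone sketch added here for illustration (not Scapy's code and not this PR's patch): TCP payloads are buffered so every TLS record is returned rather than only the last one, and a handshake record whose body does not parse as handshake messages is labelled encrypted. The function names and sample bytes are constructed, and the sketch assumes each plaintext handshake message fits inside one record.

```python
import struct

HANDSHAKE = 22
# TLS 1.2 handshake message types (RFC 5246 plus NewSessionTicket).
KNOWN_HS_TYPES = {0, 1, 2, 4, 11, 12, 13, 14, 15, 16, 20}

def split_records(buf):
    """Cut complete TLS records off the front of buf; return (records, leftover)."""
    records, off = [], 0
    while len(buf) - off >= 5:
        ctype, _version, length = struct.unpack_from("!BHH", buf, off)
        if len(buf) - off - 5 < length:
            break  # record body continues in a later TCP segment
        records.append((ctype, buf[off + 5:off + 5 + length]))
        off += 5 + length
    return records, buf[off:]

def classify_handshake(body):
    """Heuristic: 'plaintext' if body is a chain of well-formed handshake
    messages (type byte + 3-byte length), otherwise 'encrypted'."""
    off = 0
    while off < len(body):
        if len(body) - off < 4 or body[off] not in KNOWN_HS_TYPES:
            return "encrypted"
        msg_len = int.from_bytes(body[off + 1:off + 4], "big")
        if off + 4 + msg_len > len(body):
            return "encrypted"
        off += 4 + msg_len
    return "plaintext" if body else "encrypted"

def reassemble(segments):
    """Feed in-order TCP payloads; return (content_type, body_len, label) per record."""
    buf, out = b"", []
    for seg in segments:
        records, buf = split_records(buf + seg)
        for ctype, body in records:
            label = classify_handshake(body) if ctype == HANDSHAKE else "n/a"
            out.append((ctype, len(body), label))
    return out

def record(ctype, body, version=0x0303):
    return struct.pack("!BHH", ctype, version, len(body)) + body

# Constructed sample: two plaintext handshake records, ChangeCipherSpec,
# then an opaque handshake record standing in for an encrypted Finished.
STREAM = (record(22, b"\x02\x00\x00\x04" + b"\x00" * 4) + record(22, b"\x0e\x00\x00\x00")
          + record(20, b"\x01") + record(22, bytes(range(0xA0, 0xC8))))
SEGMENTS = [STREAM[:7], STREAM[7:30], STREAM[30:]]  # cuts fall mid-record
```

An opaque record can by chance begin with a known type byte and a consistent length, so the "encrypted" label is a best-effort guess, not a guarantee.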