
filter syntax:
dns contains "word" - substring match: the DNS layer's bytes contain "word" (a comparison operator, not AND)
dns and tcp.port == 443 - AND (both must be true; tcp.port matches either the source or the destination port)
dns or arp - OR (either can be true)
!dns - NOT (exclude DNS; "not dns" is the same)
dns and !mdns - DNS but not multicast DNS (! binds tightest, then and, then or; use parentheses to override)
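To make the operator semantics concrete, here is a toy evaluator for exactly the filter forms listed above. It is an added example, not Wireshark's own code: the five packet records are constructed, `contains` searches string field values instead of raw layer bytes, and `tcp.port` holds one value rather than matching source-or-destination. Running `match()` on the filters from the list shows how `!`, `and` and `or` nest and why `contains` is a comparison, not a boolean operator.

```python
"""Toy evaluator for the Wireshark display-filter forms in the notes above.
Added example, not Wireshark code: `contains` here searches string field
values rather than raw layer bytes, and tcp.port is one value, not src-or-dst.
"""
import re

# Constructed sample packets (not from a real capture).
PACKETS = [
    {"id": 1, "protos": {"eth", "ip", "udp", "dns"}, "dns.qry.name": "cert.ssl.com"},
    {"id": 2, "protos": {"eth", "ip", "udp", "dns", "mdns"}, "dns.qry.name": "printer.local"},
    {"id": 3, "protos": {"eth", "ip", "tcp", "tls"}, "tcp.port": 443},
    {"id": 4, "protos": {"eth", "arp"}},
    {"id": 5, "protos": {"eth", "ip", "tcp", "http"}, "tcp.port": 80, "http.host": "cert.ssl.com"},
]

_TOKEN = re.compile(r'\s*(\(|\)|!|==|&&|\|\||"[^"]*"|[A-Za-z_][\w.]*|\d+)')


def tokenize(expr):
    tokens = _TOKEN.findall(expr)
    if re.sub(r"\s", "", "".join(tokens)) != re.sub(r"\s", "", expr):
        raise ValueError(f"bad filter: {expr!r}")
    return tokens


def _literal(tok):
    if tok is None:
        raise ValueError("missing value after operator")
    return tok[1:-1] if tok.startswith('"') else (int(tok) if tok.isdigit() else tok)


def parse_filter(expr):
    """Recursive descent, lowest to highest precedence: or < and < ! < primary."""
    toks, pos = tokenize(expr), [0]

    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None

    def take():
        tok = peek()
        pos[0] += 1
        return tok

    def chain(ops, kind, sub):            # one left-associative binary level
        node = sub()
        while peek() in ops:
            take()
            node = (kind, node, sub())
        return node

    def or_expr():
        return chain(("or", "||"), "or", and_expr)

    def and_expr():
        return chain(("and", "&&"), "and", not_expr)

    def not_expr():
        if peek() in ("!", "not"):
            take()
            return ("not", not_expr())
        return primary()

    def primary():
        tok = take()
        if tok == "(":
            node = or_expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok is None or not re.fullmatch(r"[A-Za-z_][\w.]*", tok):
            raise ValueError(f"expected field or protocol, got {tok!r}")
        if peek() in ("contains", "=="):  # contains = substring match, not a boolean op
            kind = "contains" if take() == "contains" else "eq"
            return (kind, tok, _literal(take()))
        return ("proto", tok)             # bare name: "this protocol is present"

    tree = or_expr()
    if peek() is not None:
        raise ValueError(f"unexpected token {peek()!r}")
    return tree


def evaluate(node, pkt):
    kind = node[0]
    if kind == "not":
        return not evaluate(node[1], pkt)
    if kind in ("and", "or"):
        left, right = evaluate(node[1], pkt), evaluate(node[2], pkt)
        return (left and right) if kind == "and" else (left or right)
    if kind == "proto":
        return node[1] in pkt["protos"]
    if kind == "eq":
        return pkt.get(node[1]) == node[2]
    name, needle = node[1], str(node[2])  # contains: the field, or any field under that protocol
    return any(needle in str(v) for k, v in pkt.items() if k == name or k.startswith(name + "."))


def match(expr, packets=PACKETS):
    """Ids of the packets that satisfy the display filter."""
    tree = parse_filter(expr)
    return sorted(p["id"] for p in packets if evaluate(tree, p))
```

`match("!dns and tcp.port == 443 or arp")` returns packets 3 and 4 because the `and` is grouped before the `or`; wrap the `or` in parentheses if you meant "not DNS, and either port 443 or ARP".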
Frame (capture metadata added by Wireshark: arrival time, frame length, capture interface; not bytes that were on the wire)
Ethernet II (Layer 2 MAC addresses)
Internet Protocol (Layer 3 IP addresses)
Transmission Control Protocol (Layer 4 ports, flags)
TLS or a plaintext application protocol such as HTTP (Layer 7 actual data; with TLS the payload is encrypted and only handshake metadata is readable)
headers:
GET /SSL.com-TLS-T-ECC-R2.cer HTTP/1.1 - method + path + version
Host: cert.ssl.com - which server (multiple sites, one IP)
Connection: keep-alive - don't close TCP after this request
User-Agent: Mozilla/5.0 ... Chrome/146 - browser identifying itself
Accept-Encoding: gzip, deflate - "I can handle compressed responses"
Accept-Language: en - preferred language
HTTP/1.1 200 OK - status code
Server: AmazonS3 - the file is served from an S3 bucket (cert.ssl.com fronts AWS S3)
Content-Type: application/pkix-cert - a DER-encoded X.509 certificate
Content-Length: 824 - exactly 824 bytes of body follow
Cache-Control: max-age=31556952 - cache for 365.2425 days, ~1 year (it's a static cert)
Last-Modified: Thu, 27 Oct 2022 - server says the file hasn't changed since 2022
ETag: "2ef59e..." - opaque identifier for this version; a later If-None-Match request can get 304 Not Modified instead of the body again
Browser wants to connect to some HTTPS site
The site's TLS handshake sends its leaf certificate but not the intermediate CA certificate that signed it (an incomplete chain)
Browser follows the leaf's Authority Information Access (caIssuers) URL: it fetches cert.ssl.com/SSL.com-TLS-T-ECC-R2.cer over plain HTTP
Plain HTTP by design: fetching it over HTTPS would need a validated chain, which is exactly what's missing
cert.ssl.com replies with the intermediate certificate file (the 824-byte DER body above)
Browser builds the chain leaf -> intermediate -> root in its trust store, verifies the signatures, proceeds with the HTTPS connection
This is chain building, not a revocation check: "is the cert still valid" comes from OCSP or a CRL, not from this .cer download
Attack surface of the plain-HTTP fetch:
Intercept this certificate fetch and serve a fake or substituted certificate
Browser is not tricked: the intermediate must be signed by a root in the trust store and its key must verify the leaf's signature, so a forged or swapped file fails validation and the handshake errors out
What an interceptor can actually do: block or delay the fetch (connection fails or stalls), or observe which CA chains the client is chasing
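A practitioner pulling this exchange out of a capture usually wants a quick triage script: does the response actually look like a certificate, or did something on the path replace it? The following is an added example, not code from the page or from SSL.com. It reuses the headers from the notes, but the body is a constructed filler of the right DER shape and size (not a real certificate), and the time of day in Last-Modified and the ETag value are made up. It checks only framing; signature validation against a trust store is the browser's job and is deliberately out of scope.

```python
"""Triage an HTTP response that carries an AIA-fetched certificate.

Added example, not code from the page or from SSL.com.  It checks only the
framing (status, Content-Type, Content-Length, body is one DER SEQUENCE); it
does not validate the certificate's signature, which is the browser's job.
"""
BODY_LEN = 824  # Content-Length seen in the capture

# Constructed body: DER tag 0x30 (SEQUENCE), 0x82 = two length bytes follow,
# then filler.  Right shape and size, not a real certificate.
DER_BODY = b"\x30\x82" + (BODY_LEN - 4).to_bytes(2, "big") + b"\x00" * (BODY_LEN - 4)

# Headers copied from the notes; the time of day and the ETag value are made up.
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: AmazonS3\r\n"
    b"Content-Type: application/pkix-cert\r\n"
    b"Content-Length: 824\r\n"
    b"Cache-Control: max-age=31556952\r\n"
    b"Last-Modified: Thu, 27 Oct 2022 12:00:00 GMT\r\n"
    b'ETag: "placeholder-etag"\r\n'
    b"\r\n"
) + DER_BODY

# What an interceptor that swaps the body for a block page would deliver.
TAMPERED = RESPONSE.split(b"\r\n\r\n", 1)[0] + b"\r\n\r\n<html>blocked</html>"


def parse_response(raw):
    """Split a raw HTTP/1.1 response into status, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    _, status, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": int(status), "headers": headers, "body": body}


def der_sequence_length(body):
    """Total encoded length of the outer DER SEQUENCE, or None if malformed."""
    if len(body) < 2 or body[0] != 0x30:
        return None
    first = body[1]
    if first < 0x80:                      # short form: length fits in 7 bits
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(body) < 2 + n:
        return None
    return 2 + n + int.from_bytes(body[2:2 + n], "big")


def check_cert_fetch(raw):
    """Return (ok, issues) for a response that should carry a single DER cert."""
    resp = parse_response(raw)
    hdr, body, issues = resp["headers"], resp["body"], []
    if resp["status"] != 200:
        issues.append(f"status {resp['status']}")
    ctype = hdr.get("content-type", "").split(";")[0].strip()
    if ctype not in ("application/pkix-cert", "application/x-x509-ca-cert"):
        issues.append(f"unexpected content-type {ctype!r}")
    if hdr.get("content-length") != str(len(body)):
        issues.append("content-length does not match body")
    if der_sequence_length(body) != len(body):
        issues.append("body is not exactly one DER SEQUENCE")
    return (not issues, issues)
```

A clean fetch passes all four checks; the tampered variant keeps the headers but fails the length and DER checks. Passing this script says nothing about trust: feed the body to a real X.509 verifier (the browser, or openssl verify with the intended root) for that.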