1 | initial version |
The client (in the Client Hello handshake message) sends the cipher suites it's prepared to handle, and the server returns the one it has chosen in its Server Hello response.
See RFC 5846, Sect 7.4.1.3, Server Hello:
cipher_suite
The single cipher suite selected by the server from the list in ClientHello.cipher_suites. For resumed sessions, this field is the value from the state of the session being resumed.
The Wireshark field name is tls.handshake.ciphersuite
, if you add this as a column you will see all the suites offered by the client in the Client Hello and the single suite chosen by the server in the server Hello. Ideally, these fields should have different field names allowing easier extraction.