1 | initial version |
To detect the presence of SSL/TLS Application Data you can use the capture (BPF) filter "tcp[tcp[12]>>2:4]&0xFFFFFCC0=0x17030000" (meaning: TCP data starts with 0x17030[0-3][00-0xBF]). This wil catch SSL 3.0 and TLS 1.0, 1.1, 1.2.
To exclude TLS 1.2 (and 1.3) add: "and tcp[(tcp[12]>>2)+2] < 3"
The resulting pcap file will contain only these packets, thus incomplete TCP streams. So Wireshark will not be able to do proper dissecting. E.g. the display filter "tls" will not work on large TLS record data.