1 | initial version |
TLS negotiates the TLS version during the handshake. The client reports its minimum version through the tls.record.version field and the server agrees to it in the Server Hello. If you would like to understand what versions are in use, it suffices to extract TLS Server Hello handshake messages using the filter:
tls.handshake.type==2
Then inspect the Server Hello version field:
tls.handshake.version
or for TLS 1.3:
tls.handshake.extensions.supported_version
For example, to extract both version fields for Server Hello messages, it will show something like 0x00000303 (for TLS 1.2) or 0x00000304 0x00000303 (for TLS 1.3):
tshark -r your.pcapng -T fields -Y tls.handshake.type==2 -e tls.handshake.extensions.supported_version -e tls.handshake.version
Alternatively you can dump the Protocol column like this, it will show something like TLSv1.2 or TLSv1.3:
tshark -r wlan0.pcapng -T fields -Y tls.handshake.type==2 -e _ws.col.Protocol
For more details on the version negotiation, including TLS 1.3 considerations, see this answer.
2 | No.2 Revision |
TLS negotiates the TLS version during the handshake. The client reports its minimum version through the tls.record.version field and the server agrees to it in the Server Hello. If you would like to understand what versions are in use, it suffices to extract TLS Server Hello handshake messages using the filter:
tls.handshake.type==2
Then inspect the Server Hello version field:
tls.handshake.version
or for TLS 1.3:
tls.handshake.extensions.supported_version
For example, to extract both version fields for Server Hello messages, it will show something like 0x00000303 (for TLS 1.2) or 0x00000304 0x00000303 (for TLS 1.3):
tshark -r your.pcapng -T fields -Y tls.handshake.type==2 -e tls.handshake.extensions.supported_version -e tls.handshake.version
Alternatively you can dump the Protocol column like this, it will show something like TLSv1.2 or TLSv1.3:
tshark -r your.pcapng -T fields -Y tls.handshake.type==2 -e _ws.col.Protocol
For more details on the version negotiation, including TLS 1.3 considerations, see this answer.
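Added example, not part of the original answer: a shell filter that takes the two-column output of the tshark command above and counts Server Hellos by effective TLS version, preferring the supported_version extension when it is present. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Input: tab-separated lines as printed by
#   tshark -r your.pcapng -T fields -Y tls.handshake.type==2 \
#     -e tls.handshake.extensions.supported_version -e tls.handshake.version
# Column 1 = supported_version extension (empty before TLS 1.3),
# column 2 = legacy Server Hello version field.

tls_version_summary() {
    awk -F '\t' '
    function name(hex,   v) {
        v = tolower(hex)
        sub(/^0x0*/, "", v)   # 0x00000303 and 0x0303 both become "303"
        if (v == "304") return "TLSv1.3"
        if (v == "303") return "TLSv1.2"
        if (v == "302") return "TLSv1.1"
        if (v == "301") return "TLSv1.0"
        if (v == "300") return "SSLv3"
        return "unknown(" hex ")"
    }
    NF == 0 { next }          # skip blank lines
    {
        # The extension, when present, overrides the legacy version field.
        eff = ($1 != "") ? $1 : $2
        count[name(eff)]++
    }
    END { for (k in count) printf "%s %d\n", k, count[k] }' | sort
}

# Succeeds (exit 0) when any Server Hello settled on a version below TLS 1.2.
has_legacy_tls() {
    tls_version_summary | grep -Eq '^(SSLv3|TLSv1\.[01]) '
}

# Constructed sample output: one TLS 1.2, two TLS 1.3 (old and new
# Wireshark hex widths), one TLS 1.0.
sample_server_hellos() {
    printf '\t0x00000303\n'
    printf '0x00000304\t0x00000303\n'
    printf '0x0304\t0x0303\n'
    printf '\t0x0301\n'
}

sample_server_hellos | tls_version_summary
```

With a real capture, pipe the tshark command shown in the comment into tls_version_summary instead of the sample function.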