Capture Filter for TLS
I'm an email admin at my place of employment. I want to see what clients are using TLS to send email to my SMTP server. I want this to run for about a week straight, so I want to only capture the initial handshake and I don't care about decrypting it. I'm really just interested in getting the remote server's name and IP.
Of course, the display filter is a different language than the capture filter, so I can't just copy and paste. I have no idea why ;-)
I use tls.record.version == "TLS 1.0" or tls.record.version == "TLS 1.1" or tls.record.version == "TLS 1.2" for my display filter
I am a noob at being a Wireshark noob, so please be gentle. ;-)
Thanks in advance.
You mention "clients using TLS" and "remote server's name and IP". Do you mean external mail servers transmitting external email to your server over SMTP, or internal clients sending mail to your mail server for transmission elsewhere?
The capture filter and display filter syntaxes are different because they do different things. Basically, the capture filter allows high-speed, deterministic checking of each packet without requiring much dissection, to ease capture throughput, while display filters allow checking of any field in any packet but require the packet to be dissected at least once, if not twice (to resolve forward references).
This is an open relay within our network and the only ones that can connect to it are internal to our network. We then relay off to our mailboxes in O365. Therefore "remote servers" means servers/workstations that are not the SMTP server within our network. "Clients" would be any application on those remote servers/workstations, whether they are Java, PowerShell, Telnet, etc. I hope that helps.
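The capture filter the question asks for, as an added example that is not part of this thread: a BPF expression that keeps only TLS ClientHello segments to port 25 (one packet per TLS session, nothing after the handshake), together with a Python model of the byte tests it performs, run against constructed TCP segments. The filter string, the port choice, the `build_tcp_segment` helper and the sample payloads are my constructions; the `tcp[12]` data-offset idiom is standard pcap-filter syntax, and the filter assumes the ClientHello starts at the beginning of a TCP segment, which is the case after STARTTLS in practice.

```python
import struct

# Constructed BPF capture filter for this thread (pass to dumpcap/tshark -f or tcpdump).
# tcp[12] holds the TCP data offset, so the expression indexes the first payload byte:
# 0x16 = TLS handshake record, and byte 5 of that record is the handshake type,
# 0x01 = ClientHello. Add "or tcp port 587" if submission clients use that port.
CAPTURE_FILTER = (
    "tcp port 25 and tcp[((tcp[12] & 0xf0) >> 2)] = 0x16 "
    "and tcp[((tcp[12] & 0xf0) >> 2) + 5] = 0x01"
)


def is_tls_client_hello(tcp_segment: bytes) -> bool:
    """Apply the same byte tests as CAPTURE_FILTER to a raw TCP segment (header + payload)."""
    if len(tcp_segment) < 20:
        return False
    data_offset = (tcp_segment[12] & 0xF0) >> 2  # TCP header length in bytes
    payload = tcp_segment[data_offset:]
    return len(payload) >= 6 and payload[0] == 0x16 and payload[5] == 0x01


def build_tcp_segment(payload: bytes, dst_port: int = 25, options: bytes = b"") -> bytes:
    """Constructed TCP header (no IP layer) so the filter logic can be exercised offline."""
    options += b"\x00" * (-len(options) % 4)  # pad options to a 32-bit boundary
    data_offset_words = (20 + len(options)) // 4
    header = struct.pack(
        "!HHIIBBHHH",
        51234, dst_port, 1, 1,
        data_offset_words << 4,  # byte 12: data offset in the upper nibble
        0x18,                    # byte 13: PSH|ACK
        65535, 0, 0,             # window, checksum (unused here), urgent pointer
    )
    return header + options + payload


# Constructed payloads: a minimal TLS ClientHello record, a ServerHello record,
# and the plaintext SMTP that precedes STARTTLS on the same connection.
CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
SERVER_HELLO = b"\x16\x03\x03\x00\x05\x02\x00\x00\x01\x00"
SMTP_EHLO = b"EHLO app01.corp.example\r\n"

if __name__ == "__main__":
    print("capture filter:", CAPTURE_FILTER)
    samples = [("ClientHello", CLIENT_HELLO), ("ServerHello", SERVER_HELLO), ("EHLO", SMTP_EHLO)]
    for name, payload in samples:
        print(f"{name:12s} matches={is_tls_client_hello(build_tcp_segment(payload))}")
```

Because the plaintext EHLO line is not matched, the capture yields source IPs rather than host names; resolve them afterwards (reverse DNS or your asset inventory) rather than widening the filter for a week-long capture.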