Ask Your Question
0

Capture Filter for TLS

asked 2019-08-02 14:44:15 +0000

Burtamus gravatar image

I'm an email admin at my place of employment. I want to see what clients are using TLS to send email to my SMTP server. I want this to run for about a week straight, so I want to only capture the initial handshake and I don't care about decrypting it. I'm really just interested in getting the remote server's name and IP.

Of course, the display filters is a different language than the capture filters so I can't just copy and paste. I have no idea why ;-)

I use tls.record.version == "TLS 1.0" or tls.record.version == "TLS 1.1" or tls.record.version == "TLS 1.2" for my display filter

I am a noob at being a Wireshark noob, so please be gentile. ;-)

thanks in advance.

edit retag flag offensive close merge delete

Comments

You mention "clients using TLS" and "remote server's name and IP". Do you mean external mail servers transmitting external email to your server over SMTP, or internal clients sending mail to your mail server for transmission elsewhere?

The capture filter and display filter syntaxes are different because they do different things. Basically the capture filter allows high speed deterministic checking of each packet without requiring too much dissection to ease capture throughput and display filters allow checking of any field in any packet but require the packet to be dissected at least once, if not twice (to resolve forward references).

grahamb gravatar imagegrahamb ( 2019-08-02 15:00:48 +0000 )edit

This is an open relay within our network and the only ones that can connect to it is internal to our network. We then relay off to our mailboxes in O365. Therefore "remote servers" means servers/workstations that are not the SMTP server within our network. "Clients" would be any application on those remote servers/workstation whether they are Java, PowerShell, Telnet, etc. I hope that helps.

Burtamus gravatar imageBurtamus ( 2019-08-02 16:38:25 +0000 )edit
add a comment

2 Answers

Sort by ยป oldest newest most voted
0

answered 2019-08-04 10:54:43 +0000

grahamb gravatar image

From your comment it seems that you want to capture the connections from your internal clients to your internal relay server.

I guess the clients will be submitting email via port 587 or the deprecated port 25 and then emitting a STARTTLS command, or connecting to the deprecated implicit TLS port 465. Using these ports you can construct a capture filter for use with dumpcap on the relay server to capture the traffic, say into hourly files (using the -b option) and then post analyze the captures with tshark and a display filter and the -T fields option to output the TLS version numbers along with any other relevant info from the client conversation (e.g. IP).

edit flag offensive delete link more

Comments

Thanks for the reply. It is IIS SMTP, so it is all port 25. Please see the Display Filter in my original post for the results I'm trying to capture up front. "You can construct a capture filter" is exactly what I need help with. Everything I try (having no knowledge of Wireshark) fails.

Burtamus gravatar imageBurtamus ( 2019-08-05 16:52:30 +0000 )edit

Use dumpcap on the SMTP server with a simple capture filter of port 25 to capture all the SMTP traffic and use -b duration:3600 to set up hourly files.

Then post-process those files with tshark to show the TLS version requested by the client with something like:

tshark -r "inputfile" -Y "tls.handshake.type == 1" -T fields -e frame.number -e ip.src -e tls.handshake.version
grahamb gravatar imagegrahamb ( 2019-08-05 17:39:07 +0000 )edit
add a comment
0

answered 2019-08-02 15:01:48 +0000

grahamb gravatar image

Doesn't your email server log info about connections, that would be my first port of call to see what's going on?

edit flag offensive delete link more

Comments

I'm using IIS SMTP. It does log who uses the STARTTLS verb, but it does not show what version of TLS they are using.

Burtamus gravatar imageBurtamus ( 2019-08-02 16:33:33 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2019-08-02 14:44:15 +0000

Seen: 16,101 times

Last updated: Aug 04 '19

Related questions

Can't capture TLS certificate

Is it possible to test a capture filter with already captured traffic?

How would I map this display filter to a capture filter?

Can I create a capture filter on a pcap file

Resolve frame subtype and export to csv

Error on Mac! Could not create profiles directory? Help!

How to create capture filter based on partial MAC address?

How to go back to start screen?

Capture Filters - What am I doing wrong?

capture filter: access data behind tcp header