Ask Your Question

Capture Filter for TLS

asked 2019-08-02 14:44:15 +0000

Burtamus gravatar image

I'm an email admin at my place of employment. I want to see what clients are using TLS to send email to my SMTP server. I want this to run for about a week straight, so I want to only capture the initial handshake and I don't care about decrypting it. I'm really just interested in getting the remote server's name and IP.

Of course, the display filters is a different language than the capture filters so I can't just copy and paste. I have no idea why ;-)

I use tls.record.version == "TLS 1.0" or tls.record.version == "TLS 1.1" or tls.record.version == "TLS 1.2" for my display filter

I am a noob at being a Wireshark noob, so please be gentile. ;-)

thanks in advance.

edit retag flag offensive close merge delete


You mention "clients using TLS" and "remote server's name and IP". Do you mean external mail servers transmitting external email to your server over SMTP, or internal clients sending mail to your mail server for transmission elsewhere?

The capture filter and display filter syntaxes are different because they do different things. Basically the capture filter allows high speed deterministic checking of each packet without requiring too much dissection to ease capture throughput and display filters allow checking of any field in any packet but require the packet to be dissected at least once, if not twice (to resolve forward references).

grahamb gravatar imagegrahamb ( 2019-08-02 15:00:48 +0000 )edit

This is an open relay within our network and the only ones that can connect to it is internal to our network. We then relay off to our mailboxes in O365. Therefore "remote servers" means servers/workstations that are not the SMTP server within our network. "Clients" would be any application on those remote servers/workstation whether they are Java, PowerShell, Telnet, etc. I hope that helps.

Burtamus gravatar imageBurtamus ( 2019-08-02 16:38:25 +0000 )edit

2 Answers

Sort by ยป oldest newest most voted

answered 2019-08-02 15:01:48 +0000

grahamb gravatar image

Doesn't your email server log info about connections, that would be my first port of call to see what's going on?

edit flag offensive delete link more


I'm using IIS SMTP. It does log who uses the STARTTLS verb, but it does not show what version of TLS they are using.

Burtamus gravatar imageBurtamus ( 2019-08-02 16:33:33 +0000 )edit

answered 2019-08-04 10:54:43 +0000

grahamb gravatar image

From your comment it seems that you want to capture the connections from your internal clients to your internal relay server.

I guess the clients will be submitting email via port 587 or the deprecated port 25 and then emitting a STARTTLS command, or connecting to the deprecated implicit TLS port 465. Using these ports you can construct a capture filter for use with dumpcap on the relay server to capture the traffic, say into hourly files (using the -b option) and then post analyze the captures with tshark and a display filter and the -T fields option to output the TLS version numbers along with any other relevant info from the client conversation (e.g. IP).

edit flag offensive delete link more


Thanks for the reply. It is IIS SMTP, so it is all port 25. Please see the Display Filter in my original post for the results I'm trying to capture up front. "You can construct a capture filter" is exactly what I need help with. Everything I try (having no knowledge of Wireshark) fails.

Burtamus gravatar imageBurtamus ( 2019-08-05 16:52:30 +0000 )edit

Use dumpcap on the SMTP server with a simple capture filter of port 25 to capture all the SMTP traffic and use -b duration:3600 to set up hourly files.

Then post-process those files with tshark to show the TLS version requested by the client with something like:

tshark -r "inputfile" -Y "tls.handshake.type == 1" -T fields -e frame.number -e ip.src -e tls.handshake.version
grahamb gravatar imagegrahamb ( 2019-08-05 17:39:07 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2019-08-02 14:44:15 +0000

Seen: 13,148 times

Last updated: Aug 04 '19