Ask Your Question
0

Filter only TLSv1.2 packets

asked 2020-03-10 13:30:02 +0000

alajeb gravatar image

I want to display only TLSv1.2 client and server hellos messages in my wireshark capture, what is the filter that I can use?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-03-10 13:40:16 +0000

Chuckc gravatar image

The full TLS handshake: tls.record.content_type == 22

Client Hello:tls.handshake.type == 1

Server Hello: tls.handshake.type == 2

Client or Server Hello: tls.handshake.type == 2 or tls.handshake.type == 1

edit flag offensive delete link more

Comments

I want only TLSv1.2 messages

alajeb gravatar imagealajeb ( 2020-03-10 13:43:28 +0000 )edit

Only client Hello that match a server responding with TLSv1.2 or all client Hello messages?

Chuckc gravatar imageChuckc ( 2020-03-10 14:11:25 +0000 )edit

Are tshark and grep an option?
https://ask.wireshark.org/question/98...

There is a discussion in this bug about support for filtering on the Protocol column:
https://bugs.wireshark.org/bugzilla/s...

https://code.wireshark.org/review/git...
The dissector keeps track of the session version but I don't see where it's exposed to filter on.

ssl_session->session.version == TLSV1DOT2_VERSION
Chuckc gravatar imageChuckc ( 2020-03-10 14:16:36 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-03-10 13:30:02 +0000

Seen: 13,524 times

Last updated: Mar 10 '20