Ask Your Question
0

capture filter for deprecated SSL/TLS protocols

asked 2021-06-17 08:19:48 +0000

NicoWeytens gravatar image

updated 2021-06-17 08:27:51 +0000

grahamb gravatar image

We're trying to identify applications which are still connecting to our shared SQL servers with deprecated SSL/TLS protocols, so anything older than TLS 1.2. I imagine that's not that uncommon to be curious about, but to my surprise I couldn't find much on how to build a proper capture filter for this.

I know, the display filter for showing SSL 3.0, TLS 1.0 & TLS 1.1 packets is pretty simple:

tls.record.version == 0x0300 or tls.record.version == 0x0301 or tls.record.version == 0x0302

But I want to avoid capturing everything, as these are very active servers. So I want to filter out everything we're not interested in, only capturing the deprecated protocols.

I found this page with a quite complex capture filter:

(((tcp[((tcp[12] & 0xf0) >> 2)] = 0x14) || (tcp[((tcp[12] & 0xf0) >> 2)] = 0x15) || (tcp[((tcp[12] & 0xf0) >> 2)] = 0x17)) && (tcp[((tcp[12] & 0xf0) >> 2)+1] = 0x03 && (tcp[((tcp[12] & 0xf0) >> 2)+2] < 0x03))) || (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16) && (tcp[((tcp[12] & 0xf0) >> 2)+2] < 0x03) && (tcp[((tcp[12] & 0xf0) >> 2)+9] = 0x03) && (tcp[((tcp[12] & 0xf0) >> 2)+10] < 0x03) || (((tcp[((tcp[12] & 0xf0) >> 2)] < 0x14) || (tcp[((tcp[12] & 0xf0) >> 2)] > 0x18)) && (tcp[((tcp[12] & 0xf0) >> 2)+3] = 0x00) && (tcp[((tcp[12] & 0xf0) >> 2)+4] = 0x02))

(I'm not going to pretend I understand all of it. There's a breakdown on the page)

But it doesn't seem to give the expected results. There's still TLSv1.2 packets being captured. Anyone who could jump to the rescue?

edit retag flag offensive close merge delete

Comments

"There's still TLSv1.2 packets being captured"

From the linked page:
"I wanted to capture all packets that were of TLS version < 1.2" seems to indicate 1.2 would be allowed to pass.
Has your filter been modified to exclude 1.2?

Chuckc gravatar imageChuckc ( 2021-06-17 14:34:48 +0000 )edit

I'm using the capture filter as described on the webpage. "TLS version < 1.2" means 'less than', so in my book that's SSL 2.0, 3.0, TLS 1.0 and 1.1, leaving out TLS 1.2 & 1.3. Otherwise he'd say <= 1.2.

But like I mentioned, I'm not going to pretend I fully understand the filter. But from these parts I interpret that the protocol should be less than 0x0303 (=TLS1.2): (tcp[((tcp[12] & 0xf0) >> 2)+1] = 0x03 && (tcp[((tcp[12] & 0xf0) >> 2)+2] < 0x03)(tcp[((tcp[12] & 0xf0) >> 2)+9] = 0x03) && (tcp[((tcp[12] & 0xf0) >> 2)+10] < 0x03)

NicoWeytens gravatar imageNicoWeytens ( 2021-06-18 09:06:00 +0000 )edit

Ok. I misread the final comments - "But it doesn't seem to give the expected results. There's still TLSv1.2 packets being captured." What passes the filter into your capture that should be dropped?

Chuckc gravatar imageChuckc ( 2021-06-18 11:01:30 +0000 )edit

Embarrassing... It turns out I didn't apply the capture filter properly. The machine we test on has several interfaces, and the filter was applied on the wrong one. So we were still capturing everything. Anyhow, I 'fixed' that and asked our DBA to redo a test on TLS 1.0 and TLS 1.2. I'm still capturing some data (much less obviously), but when I put a display filter on the IP of the machine he was testing from, I get nothing. Nor the TLS 1.0 nor the TLS 1.2 test. When I start over without a capture filter, only with the display filter on the source IP, I do see both TLSv1 and TLSv1.2 being captured. I think we're ready to start the weekend. We'll have another look at this next week with a fresh mind... :-)

NicoWeytens gravatar imageNicoWeytens ( 2021-06-18 12:24:27 +0000 )edit

1 Answer

Sort by » oldest newest most voted
0

answered 2021-06-28 21:03:38 +0000

André gravatar image

To detect the presence of SSL/TLS Application Data you can use the capture (BPF) filter "tcp[tcp[12]>>2:4]&0xFFFFFCC0=0x17030000" (meaning: TCP data starts with 0x17030[0-3][00-0xBF]). This wil catch SSL 3.0 and TLS 1.0, 1.1, 1.2.

To exclude TLS 1.2 (and 1.3) add: "and tcp[(tcp[12]>>2)+2] < 3"

The resulting pcap file will contain only these packets, thus incomplete TCP streams. So Wireshark will not be able to do proper dissecting. E.g. the display filter "tls" will not work on large TLS record data.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2021-06-17 08:19:48 +0000

Seen: 11,312 times

Last updated: Jun 28 '21