
How does wireshark identify tls1.3?

asked 2021-09-12 09:51:18 +0000

bianmingkai

How does Wireshark identify TLS 1.3? I have three questions, which I described in the screenshot below. I would be thankful if someone could help me out with these three questions.

1 Answer


answered 2021-09-12 12:31:15 +0000

SYN-bit

In TLSv1.3, there is a new extension that negotiates the TLS version. It reuses the TLSv1.2 version on the handshake messages for compatibility (to not break traffic when intermediate devices don't support TLSv1.3). So in the ClientHello message, there is an extension that tells the server that the client supports TLSv1.3. Then when the server supports TLSv1.3, it will also use this extension in the ServerHello message to tell the client that it has chosen to use TLSv1.3.

So to answer your questions:

  • A1: Wireshark uses a two-pass process to analyze a capture file, so on the first pass, it sees that TLSv1.3 was chosen and so on the second pass, it can show that TLSv1.3 is being used, even though that only becomes clear later on in the conversation.
  • A2: TLSv1.2 version is chosen for compatibility
  • A3: The TLS record version indicates the minimum supported version. So in this case, the client tells the server it supports TLS versions 1.0, 1.1, 1.2 and 1.3 (assuming the version extension is present, which I assume it is, otherwise Wireshark would not show this conversation as using TLSv1.3)


Thank you for the swift answer. These answers are really meticulous; I never found them before. But I am still a little bit confused about A1. Could you please help to explain A1 in more detail? Thanks.

bianmingkai ( 2021-09-13 01:58:44 +0000 )

In your picture in frame 57, it is not yet known by the endpoints which version of TLS will be used, as they are just entering that negotiation. But Wireshark has run through the packets once before and has seen that in frame 59, the server agrees to use TLSv1.3. That's why Wireshark can show TLSv1.3 already in frame 57.

Have a look at the TLS extensions in the ClientHello and the ServerHello to see the actual TLS version negotiation.

SYN-bit ( 2021-09-13 17:00:28 +0000 )
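
The version negotiation discussed in the answer and comments above, as an added example that is not part of the original thread: a small parser that reads the record version, the legacy handshake version and the `supported_versions` extension (type 43) from a ClientHello or ServerHello. The function names and both sample messages are constructed for illustration, and the parser assumes each hello fits in a single TLS record.

```python
import struct

NAMES = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
SUPPORTED_VERSIONS = 43  # extension type 0x002b (RFC 8446)

def parse_hello(record: bytes) -> dict:
    """Return record version, legacy version and supported_versions of a hello."""
    ctype, rec_ver, rec_len = struct.unpack_from("!BHH", record, 0)
    if ctype != 22 or len(record) < 5 + rec_len:
        raise ValueError("not a complete handshake record")
    body = record[5:5 + rec_len]
    hs_type = body[0]
    if hs_type not in (1, 2):
        raise ValueError("not a ClientHello/ServerHello")
    legacy_ver = struct.unpack_from("!H", body, 4)[0]
    pos = 4 + 2 + 32                  # handshake header, legacy_version, random
    pos += 1 + body[pos]              # session_id
    if hs_type == 1:                  # ClientHello: suite list, compression list
        pos += 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 1 + body[pos]
    else:                             # ServerHello: one suite, one compression byte
        pos += 3
    versions = []
    if pos < len(body):
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            data = body[pos + 4:pos + 4 + ext_len]
            if ext_type == SUPPORTED_VERSIONS:
                raw = data[1:] if hs_type == 1 else data  # client list has a length byte
                versions = [struct.unpack_from("!H", raw, i)[0]
                            for i in range(0, len(raw) - 1, 2)]
            pos += 4 + ext_len
    return {"record": rec_ver, "legacy": legacy_ver, "supported": versions}

def negotiated(server_hello: bytes) -> str:
    """Version the server selected: the extension if present, else legacy_version."""
    info = parse_hello(server_hello)
    return NAMES[(info["supported"] or [info["legacy"]])[0]]

def _hello(hs_type, rec_ver, tail, ext):  # builds constructed sample messages
    body = b"\x03\x03" + bytes(32) + b"\x00" + tail + struct.pack("!H", len(ext)) + ext
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, rec_ver, len(hs)) + hs

# Constructed samples, not taken from the capture in the question
CLIENT_HELLO = _hello(1, 0x0301, b"\x00\x02\x13\x01\x01\x00", bytes.fromhex("002b00050403040303"))
SERVER_HELLO = _hello(2, 0x0303, b"\x13\x01\x00", bytes.fromhex("002b00020304"))
```

Both samples carry 0x0303 (TLSv1.2) as the legacy handshake version, and only the extension in the ServerHello shows that TLSv1.3 was selected.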



Asked: 2021-09-12 09:51:18 +0000

Seen: 1,011 times

Last updated: Sep 13 '21