Ask Your Question
0

Filter TLS with no Server Hello

asked 2022-03-31 18:57:23 +0000

king gravatar image

Hello,

I see I can filter "tls.handshake.type == 1" for Client Hello and "tls.handshake.type == 2" for server hello. I have server side capture and I want to filter all the TCP stream which has "Client Hello" but no "Server Hello" response back.

Any filter i can use?

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted
0

answered 2022-04-01 18:12:33 +0000

SYN-bit gravatar image

As @grahamb mentioned, Wireshark does not have a filter that is session aware for TLS. But luckily Wireshark does have a Lua scripting engine on board. I wrote a Lua script that will work as you described. Use the filter TLSextend.state==1 to see all packets from the TCP streams that contain a ClientHello, but not a ServerHello.

See: https://github.com/syn-bit/TLSextend

edit flag offensive delete link more

Comments

I added a Tap/Gui version (tls_conversations.lua) to the Wiki Contrib page.
It gets loaded as a menu pick: Tools->TLS->Conversations and pops up an output window when run.

Chuckc gravatar imageChuckc ( 2022-04-03 22:42:29 +0000 )edit
0

answered 2022-04-01 08:43:30 +0000

grahamb gravatar image

Display filters only include or exclude a packet on the contents of that packet, they can't reference other packets.

If the dissection process has added synthetic fields such that there are forward\reverse links between packets, then they can be used in filters, e.g. http request\response.

Unfortunately that hasn't been done (yet) for TLS Client\Server Hello messages but you can raise an enhancement request on the Wireshark GitLab issues page.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2022-03-31 18:57:23 +0000

Seen: 164 times

Last updated: Apr 01