Hello,
I see I can filter "tls.handshake.type == 1" for Client Hello and "tls.handshake.type == 2" for server hello. I have server side capture and I want to filter all the TCP stream which has "Client Hello" but no "Server Hello" response back.
Any filter i can use?
As @grahamb mentioned, Wireshark does not have a filter that is session aware for TLS. But luckily Wireshark does have a Lua scripting engine on board. I wrote a Lua script that will work as you described. Use the filter TLSextend.state==1 to see all packets from the TCP streams that contain a ClientHello, but not a ServerHello.
I added a Tap/Gui version (tls_conversations.lua) to the Wiki Contrib page.
It gets loaded as a menu pick: Tools->TLS->Conversations and pops up an output window when run.
Display filters only include or exclude a packet on the contents of that packet, they can't reference other packets.
If the dissection process has added synthetic fields such that there are forward\reverse links between packets, then they can be used in filters, e.g. http request\response.
Unfortunately that hasn't been done (yet) for TLS Client\Server Hello messages but you can raise an enhancement request on the Wireshark GitLab issues page.
Asked: 2022-03-31 18:57:23 +0000
Seen: 4,545 times
Last updated: Apr 01 '22
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
