Cannot automate deprecated TLS filter capture

asked 2024-11-06 13:01:25 +0000

updated 2024-11-06 13:15:07 +0000

grahamb

Hi,

I'm trying to capture all the deprecated TLS traffic (1.0, 1.1) with Tshark from a script, and it didn't work as expected: when it filters the traffic it doesn't filter correctly.

The script is:

@echo off

rem Capture general traffic into a temp file (duration in seconds: 432000 = 5 days)
"path\tshark" -i 1 -w path\capture_traffic_general.pcapng -a duration:432000

rem Filter traffic with TLS record versions 0x0300, 0x0301 and 0x0302 and save it to a new file
"path\tshark" -r path\capture_traffic_general.pcapng -Y "tls.record.version == 0x0300 or tls.record.version == 0x0301 or tls.record.version == 0x0302" -w path\capture_tls_versions.pcapng

rem Delete the temporary file to free up space
del path\capture_traffic_general.pcapng

When I see the final result in the export it only shows TLSv1.2 results.


Comments

Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 195
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 191
            Version: TLS 1.2 (0x0303)
Version: TLS 1.0 (0x0301)  ->  tls.record.version

Version: TLS 1.2 (0x0303)  ->  tls.handshake.version

"record" or "handshake" version?

Would this be better: tls.handshake.version < 0x0303

Chuckc (2024-11-06 13:45:54 +0000)

1 Answer


answered 2024-11-06 23:10:10 +0000

johnthacker

When I see the final result in the export it only shows TLSv1.2 results

Where does it show TLSv1.2, in the Protocol column?

This doesn't mean it's not working; it's unlikely that much modern traffic actually uses TLS 1.0 or TLS 1.1. As @Chuckc shows, it's not unusual for clients to indicate TLS 1.0 at the TLS record layer in their ClientHello (while indicating that they support 1.2 in the handshake itself) for backwards compatibility, but it is extremely unlikely at this point that anything earlier than TLS 1.2 will actually be negotiated.

Your live capture will probably not have anything actually negotiating and using TLS 1.0 or 1.1. That's expected.

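The following is an added example and not code from this thread or from the Wireshark project. It makes concrete the distinction Chuckc's comment draws (record-layer version vs. handshake version) and the answer's point that the record version in a ClientHello is a compatibility artifact, by parsing hand-constructed ClientHello and ServerHello records and reporting each version field separately. It also shows where the negotiated version really lives: in the ServerHello, where a TLS 1.3 server still writes 0x0303 in the handshake version field and announces 1.3 only through the supported_versions extension. The tshark equivalent of the ServerHello check, for pre-1.3 negotiations, is a display filter on `tls.handshake.type == 2 && tls.handshake.version < 0x0303`; the TLS 1.3 extension case is handled in the code below. All message bytes are constructed for the example, not captured traffic.

```python
"""Added example (not code from the thread): parse a TLS ClientHello/ServerHello
record and separate the record-layer version (tls.record.version), the
handshake version (tls.handshake.version) and the supported_versions extension
that TLS 1.3 really uses. All sample messages are constructed by hand."""
import struct

HANDSHAKE = 22                     # TLS record content type
CLIENT_HELLO, SERVER_HELLO = 1, 2  # handshake message types
EXT_SUPPORTED_VERSIONS = 43        # RFC 8446 extension number
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def parse_hello(record: bytes) -> dict:
    """Return the record/handshake versions and any supported_versions list."""
    content_type, rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    hs_version = struct.unpack("!H", hs[:2])[0]
    pos = 2 + 32                          # skip legacy_version and random
    pos += 1 + hs[pos]                    # skip session id
    if hs_type == CLIENT_HELLO:
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher suites
        pos += 1 + hs[pos]                                   # compression methods
    elif hs_type == SERVER_HELLO:
        pos += 2 + 1                      # one cipher suite, one compression method
    else:
        raise ValueError("not a ClientHello or ServerHello")

    supported = []
    if pos < len(hs):                     # extensions block is optional
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_data_len = struct.unpack("!HH", hs[pos:pos + 4])
            data = hs[pos + 4:pos + 4 + ext_data_len]
            pos += 4 + ext_data_len
            if ext_type == EXT_SUPPORTED_VERSIONS:
                if hs_type == CLIENT_HELLO:    # u8 length + list of u16
                    supported = [struct.unpack("!H", data[i:i + 2])[0]
                                 for i in range(1, 1 + data[0], 2)]
                else:                          # ServerHello: a single u16
                    supported = [struct.unpack("!H", data[:2])[0]]
    return {"handshake_type": hs_type, "record_version": rec_version,
            "handshake_version": hs_version, "supported_versions": supported}


def negotiated_version(server_hello: bytes) -> int:
    """Version the connection will really use, taken from the ServerHello.
    A TLS 1.3 server writes 0x0303 in the handshake version field and
    announces 1.3 only in supported_versions, so that extension wins."""
    info = parse_hello(server_hello)
    if info["handshake_type"] != SERVER_HELLO:
        raise ValueError("negotiated version is only known from a ServerHello")
    return info["supported_versions"][0] if info["supported_versions"] else info["handshake_version"]


def is_deprecated(server_hello: bytes) -> bool:
    """True when the server selected anything older than TLS 1.2."""
    return negotiated_version(server_hello) < 0x0303


def build_hello(hs_type: int, rec_version: int, hs_version: int, supported=()) -> bytes:
    """Construct a minimal Hello record (example input only, not real traffic)."""
    body = struct.pack("!H", hs_version) + bytes(32) + b"\x00"   # version, random, empty session id
    if hs_type == CLIENT_HELLO:
        body += struct.pack("!H", 2) + b"\x13\x01" + b"\x01\x00"  # one cipher suite, null compression
    else:
        body += b"\x13\x01" + b"\x00"
    if supported:
        if hs_type == CLIENT_HELLO:
            lst = b"".join(struct.pack("!H", v) for v in supported)
            data = bytes([len(lst)]) + lst
        else:
            data = struct.pack("!H", supported[0])
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
        body += struct.pack("!H", len(ext)) + ext
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, rec_version, len(hs)) + hs


# Constructed samples. The first is the case from Chuckc's comment: a modern
# client sends record version TLS 1.0 for compatibility, handshake version
# TLS 1.2, and offers 1.3/1.2 via supported_versions.
CLIENT_HELLO_COMPAT = build_hello(CLIENT_HELLO, 0x0301, 0x0303, (0x0304, 0x0303))
SERVER_HELLO_TLS13 = build_hello(SERVER_HELLO, 0x0303, 0x0303, (0x0304,))
SERVER_HELLO_TLS12 = build_hello(SERVER_HELLO, 0x0303, 0x0303)
SERVER_HELLO_TLS10 = build_hello(SERVER_HELLO, 0x0301, 0x0301)   # a genuinely deprecated negotiation

if __name__ == "__main__":
    print("ClientHello:", parse_hello(CLIENT_HELLO_COMPAT))
    for name, msg in [("TLS 1.3", SERVER_HELLO_TLS13), ("TLS 1.2", SERVER_HELLO_TLS12),
                      ("TLS 1.0", SERVER_HELLO_TLS10)]:
        print(f"ServerHello {name}: negotiated={VERSION_NAMES[negotiated_version(msg)]} "
              f"deprecated={is_deprecated(msg)}")
```

The constructed ClientHello is exactly what the question's `tls.record.version == 0x0301` filter matches, yet nothing in it is negotiated below TLS 1.2; only the ServerHello tells you what the connection actually uses, which is why a capture filtered on the record version fills up with modern handshakes.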

