Ask Your Question
0

Cannot automate deprecated TLS filter capture

asked 2024-11-06 13:01:25 +0000

DavidWSL gravatar image

updated 2024-11-06 13:15:07 +0000

grahamb gravatar image

Hi,

I'm trying to capture all the deprecated TLS traffic (1.0, 1.1) with Tshark from an script and it didn't work as expected because when it filters the traffic it doesn't filter correctly.

The script is:

@echo off

rem Capture general traffic in a temp file
"path\tshark" -i 1 -w path\capture_traffic_general.pcapng -a duration:432000

rem Filter traffic wirh TLS versoins 0x0300, 0x0301 y 0x0302 and saves it in a new file
"path\tshark" -r path\capture_traffic_general.pcapng -Y "tls.record.version == 0x0300 or tls.record.version == 0x0301 or tls.record.version == 0x0302" -w path\capture_tls_versions.pcapng

rem Elimina el archivo temporal para liberar espacio
del path\capture_traffic_general.pcapng

When I see the final result in the export it only shows TLSv1.2 results.

edit retag flag offensive close merge delete

Comments

Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 195
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 191
            Version: TLS 1.2 (0x0303)

Version: TLS 1.0 (0x0301)
tls.record.version

Version: TLS 1.2 (0x0303)
tls.handshake.version

"record" or "handshake version?

Would this be better: tls.handshake.version < 0x0303

Chuckc gravatar imageChuckc ( 2024-11-06 13:45:54 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2024-11-06 23:10:10 +0000

johnthacker gravatar image

When I see the final result in the export it only shows TLSv1.2 results

Where does it show TLSv1.2, in the Protocol column?

This doesn't mean it's not working; it's unlikely that much modern traffic actually uses TLS 1.0 or TLS 1.1. There are, as @Chuckc shows, it's not unusual for clients to indicate TLS 1.0 at the TLS record layer in their ClientHello (while indicating that they support 1.2 in the handshake itself) for backwards compatibility, but it is extremely unlikely at this point that anything earlier than TLS 1.2 will actually be negotiated.

Your live capture will probably not have anything actually negotiating and using TLS 1.0 or 1.1. That's expected.

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2024-11-06 13:01:25 +0000

Seen: 49 times

Last updated: Nov 06

Related questions

Why there is port mismatch in tcp and http header for port 51006. Also why the netstat in server do not shows connections under port 51006 even traffic is coming to this port.

Client is waiting for FIN flag from server for 30 sec

follow tcp stream dialogue box

How to tell if TCP segment contains a data in Wireshark?

Help to read this trace

Random Flooding of TCP Retransmissions

How to make wireshark pop out a file when there are a lot of tcp retransmissions?

how to create a graph of the number of active tcp connections over time?

how can I graph mysql response time in wireshark

Is it possible that wireshark doesn't recognize protocol?