Capture Filter for TLS

I'm an email admin at my place of employment. I want to see what clients are using TLS to send email to my SMTP server. I want this to run for about a week straight, so I want to only capture the initial handshake and I don't care about decrypting it. I'm really just interested in getting the remote server's name and IP.

Of course, the display filters are a different language than the capture filters, so I can't just copy and paste. I have no idea why ;-)

I use tls.record.version == "TLS 1.0" or tls.record.version == "TLS 1.1" or tls.record.version == "TLS 1.2" for my display filter

I am a noob at being a Wireshark noob, so please be gentle. ;-)

Thanks in advance.
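Added example, not part of the original post: capture filters use libpcap's BPF syntax, which has no TLS fields and can only test bytes at computed offsets. The sketch below mirrors in Python what one such byte test evaluates, run on constructed TCP segments; port 25, the filter string and all function names are assumptions of this example.

```python
import struct

# libpcap capture filter whose byte test the function below mirrors (assumes SMTP on port 25).
CAPTURE_FILTER = "tcp port 25 and tcp[((tcp[12] & 0xf0) >> 2)] = 0x16"

RECORD_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def tls_handshake_record(tcp_segment: bytes):
    """Return the record version name if the TCP payload starts with a TLS handshake record."""
    if len(tcp_segment) < 20:
        return None
    # tcp[12] holds the data offset in its high nibble, counted in 32-bit words;
    # (x & 0xf0) >> 2 converts that to the header length in bytes.
    header_len = (tcp_segment[12] & 0xF0) >> 2
    payload = tcp_segment[header_len:]
    if header_len < 20 or len(payload) < 5:
        return None
    content_type, version, _length = struct.unpack("!BHH", payload[:5])
    if content_type != 0x16:  # 0x16 = handshake; 0x17 would be application data
        return None
    return RECORD_VERSIONS.get(version, f"unknown (0x{version:04x})")

def make_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Build a constructed TCP header (checksum left at zero) followed by the payload."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    offset_words = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", 49152, 25, 1, 1,
                         offset_words << 4, 0x18, 65535, 0, 0)
    return header + options + payload

# Constructed sample payloads (not taken from a real capture).
SAMPLES = {
    "client hello": make_segment(bytes.fromhex("16030100050100000100")),
    "hello after 12 option bytes": make_segment(bytes.fromhex("16030300020200"), b"\x01" * 12),
    "plaintext EHLO": make_segment(b"EHLO mail.example.org\r\n"),
    "application data": make_segment(bytes.fromhex("1703030002aabb")),
}

if __name__ == "__main__":
    print(CAPTURE_FILTER)
    for name, segment in SAMPLES.items():
        print(f"{name:28} -> {tls_handshake_record(segment)}")
```

The filter keeps only segments whose payload begins with a handshake record, so the plaintext SMTP dialogue before STARTTLS is not captured. The record-layer version on a ClientHello is often 0x0301 even when a later version is negotiated, so it is a weak indicator of the version finally used.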