We're trying to identify applications which are still connecting to our shared SQL servers with deprecated SSL/TLS protocols, so anything older than TLS 1.2. I imagine that's not that uncommon to be curious about, but to my surprise I couldn't find much on how to build a proper capture filter for this.
I know the display filter for showing SSL 3.0, TLS 1.0 & TLS 1.1 packets is pretty simple: tls.record.version == 0x0300 or tls.record.version == 0x0301 or tls.record.version == 0x0302
But I want to avoid capturing everything, as these are very active servers. So I want to filter out everything we're not interested in, only capturing the deprecated protocols.
I found this page with a quite complex capture filter: (((tcp[((tcp[12] & 0xf0) >> 2)] = 0x14) || (tcp[((tcp[12] & 0xf0) >> 2)] = 0x15) || (tcp[((tcp[12] & 0xf0) >> 2)] = 0x17)) && (tcp[((tcp[12] & 0xf0) >> 2)+1] = 0x03 && (tcp[((tcp[12] & 0xf0) >> 2)+2] < 0x03))) || (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16) && (tcp[((tcp[12] & 0xf0) >> 2)+2] < 0x03) && (tcp[((tcp[12] & 0xf0) >> 2)+9] = 0x03) && (tcp[((tcp[12] & 0xf0) >> 2)+10] < 0x03) || (((tcp[((tcp[12] & 0xf0) >> 2)] < 0x14) || (tcp[((tcp[12] & 0xf0) >> 2)] > 0x18)) && (tcp[((tcp[12] & 0xf0) >> 2)+3] = 0x00) && (tcp[((tcp[12] & 0xf0) >> 2)+4] = 0x02)) (I'm not going to pretend I understand all of it; there's a breakdown on the page.)
But it doesn't seem to give the expected results. There are still TLSv1.2 packets being captured. Anyone who could jump to the rescue?
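As an added illustration (not from the question or the page it links), here is a Python rendering of the quoted capture filter's three clauses, evaluated over constructed TCP segments so you can see which payload layouts each clause accepts. The 20-byte TCP header, the record and handshake bytes and the "mid-record" segment are all constructed sample data; the one behavioural assumption is that a byte reference running past the end of the segment fails the comparison, which is how a BPF out-of-bounds load is treated (the packet is rejected).

```python
"""Simulate the tcpdump/BPF filter from the question on constructed TCP segments.

Each helper mirrors one byte test in the filter; tcp[N] becomes payload[N - hdr_len],
where hdr_len = (tcp[12] & 0xf0) >> 2, exactly as the filter computes it.
"""

# Constructed 20-byte TCP header: data offset 5 words -> byte 12 = 0x50, rest zeroed.
TCP_HEADER = bytes(12) + bytes([0x50]) + bytes(7)


def _tcp_payload(segment: bytes) -> bytes:
    """Skip the TCP header using the same data-offset arithmetic as the filter."""
    header_len = (segment[12] & 0xF0) >> 2
    return segment[header_len:]


def legacy_tls_filter(segment: bytes) -> bool:
    """Return True if the quoted capture filter would accept this TCP segment."""
    p = _tcp_payload(segment)

    def byte(i):
        # Out-of-range load: BPF rejects the packet, so every comparison is False.
        return p[i] if i < len(p) else None

    def eq(i, v):
        return byte(i) == v

    def lt(i, v):
        b = byte(i)
        return b is not None and b < v

    def gt(i, v):
        b = byte(i)
        return b is not None and b > v

    # Clause 1: ChangeCipherSpec (0x14), Alert (0x15) or ApplicationData (0x17)
    # record whose record-layer version is 3.x with x < 3 (SSL 3.0, TLS 1.0, TLS 1.1).
    clause1 = (eq(0, 0x14) or eq(0, 0x15) or eq(0, 0x17)) and eq(1, 0x03) and lt(2, 0x03)
    # Clause 2: Handshake record (0x16) with record minor < 3 AND the version
    # inside the Hello body (offsets 9-10) also 3.x with x < 3.
    clause2 = eq(0, 0x16) and lt(2, 0x03) and eq(9, 0x03) and lt(10, 0x03)
    # Clause 3: SSLv2-style header: first byte outside 0x14..0x18 and the
    # bytes at offsets 3-4 equal to 0x00 0x02 (SSLv2 ClientHello version field).
    clause3 = (lt(0, 0x14) or gt(0, 0x18)) and eq(3, 0x00) and eq(4, 0x02)
    return clause1 or clause2 or clause3


def tls_record(content_type: int, version: bytes, body: bytes) -> bytes:
    """Build a TLS record: type, 2-byte version, 2-byte length, body."""
    return bytes([content_type]) + version + len(body).to_bytes(2, "big") + body


def hello(msg_type: int, record_version: bytes, hello_version: bytes) -> bytes:
    """Build a Handshake record carrying a (truncated) ClientHello/ServerHello.

    Layout puts the Hello's own version at record offsets 9-10, the bytes
    clause 2 inspects: [type][rv rv][len len][msg][len len len][hv hv]...
    """
    body = hello_version + bytes(32)  # version + 32-byte random, rest omitted
    handshake = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return tls_record(0x16, record_version, handshake)


# Constructed sample payloads (not real captures).
SAMPLES = {
    "tls1.0 application data": tls_record(0x17, b"\x03\x01", b"hello"),
    "tls1.2 application data": tls_record(0x17, b"\x03\x03", b"hello"),
    "tls1.2 ClientHello, legacy record version 3.1": hello(0x01, b"\x03\x01", b"\x03\x03"),
    "tls1.0 ClientHello": hello(0x01, b"\x03\x01", b"\x03\x01"),
    "tls1.1 ServerHello": hello(0x02, b"\x03\x02", b"\x03\x02"),
    "sslv2 ClientHello": bytes([0x80, 0x2E, 0x01, 0x00, 0x02]) + bytes(0x2E - 3),
    # A TCP segment carrying the *middle* of a large TLS 1.2 record: it starts with
    # ciphertext, not a record header. Constructed bytes chosen to show clause 3 firing.
    "mid-record segment of tls1.2 data": bytes.fromhex("9f4c3a0002") + bytes(20),
}


def classify(samples: dict) -> dict:
    """Run the filter over every sample and report which ones it would capture."""
    return {name: legacy_tls_filter(TCP_HEADER + payload) for name, payload in samples.items()}


if __name__ == "__main__":
    for name, captured in classify(SAMPLES).items():
        print(f"{'CAPTURED' if captured else 'dropped ':8}  {name}")
```

Two things the table of results makes visible. Clause 2 correctly drops a TLS 1.2 ClientHello that is sent with the legacy 0x0301 record-layer version, because it also checks the version inside the Hello body. Clause 3, however, is satisfied by any payload whose first byte is outside 0x14..0x18 and whose bytes 3-4 happen to be 0x00 0x02, so a TCP segment that carries the middle of a large TLS 1.2 record (ciphertext, no record header at the segment start) can match it; that is one way a filter aimed at legacy versions still lets TLS 1.2 traffic through, and the capture will also not tell you anything about records whose header falls mid-segment.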