
Revision history

revision 1: initial version

capture filter for deprecated SSL/TLS protocols

We're trying to identify applications which are still connecting to our shared SQL servers with deprecated SSL/TLS protocols, so anything older than TLS 1.2. I imagine that's not that uncommon to be curious about, but to my surprise I couldn't find much on how to build a proper capture filter for this.

I know, the display filter for showing SSL 3.0, TLS 1.0 & TLS 1.1 packets is pretty simple: tls.record.version == 0x0300 or tls.record.version == 0x0301 or tls.record.version == 0x0302

But I want to avoid capturing everything, as these are very active servers. So I want to filter out everything we're not interested in, only capturing the deprecated protocols.

I found this page with a quite complex capture filter: (((tcp[((tcp[12] & 0xf0) >> 2)] = 0x14) || (tcp[((tcp[12] & 0xf0) >> 2)] = 0x15) || (tcp[((tcp[12] & 0xf0) >> 2)] = 0x17)) && (tcp[((tcp[12] & 0xf0) >> 2)+1] = 0x03 && (tcp[((tcp[12] & 0xf0) >> 2)+2] < 0x03))) || (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16) && (tcp[((tcp[12] & 0xf0) >> 2)+2] < 0x03) && (tcp[((tcp[12] & 0xf0) >> 2)+9] = 0x03) && (tcp[((tcp[12] & 0xf0) >> 2)+10] < 0x03) || (((tcp[((tcp[12] & 0xf0) >> 2)] < 0x14) || (tcp[((tcp[12] & 0xf0) >> 2)] > 0x18)) && (tcp[((tcp[12] & 0xf0) >> 2)+3] = 0x00) && (tcp[((tcp[12] & 0xf0) >> 2)+4] = 0x02)) (I'm not going to pretend I understand all of it. There's a breakdown on the page)

But it doesn't seem to give the expected results. There are still TLSv1.2 packets being captured. Anyone who could jump to the rescue?

capture filter for deprecated SSL/TLS protocols

We're trying to identify applications which are still connecting to our shared SQL servers with deprecated SSL/TLS protocols, so anything older than TLS 1.2. I imagine that's not that uncommon to be curious about, but to my surprise I couldn't find much on how to build a proper capture filter for this.

I know, the display filter for showing SSL 3.0, TLS 1.0 & TLS 1.1 packets is pretty simple:

tls.record.version == 0x0300 or tls.record.version == 0x0301 or tls.record.version == 0x0302

But I want to avoid capturing everything, as these are very active servers. So I want to filter out everything we're not interested in, only capturing the deprecated protocols.

I found this page with a quite complex capture filter:

(((tcp[((tcp[12] & 0xf0) >> 2)] = 0x14) || (tcp[((tcp[12] & 0xf0) >> 2)] = 0x15) || (tcp[((tcp[12] & 0xf0) >> 2)] = 0x17)) && (tcp[((tcp[12] & 0xf0) >> 2)+1] = 0x03 && (tcp[((tcp[12] & 0xf0) >> 2)+2] < 0x03))) || (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16) && (tcp[((tcp[12] & 0xf0) >> 2)+2] < 0x03) && (tcp[((tcp[12] & 0xf0) >> 2)+9] = 0x03) && (tcp[((tcp[12] & 0xf0) >> 2)+10] < 0x03) || (((tcp[((tcp[12] & 0xf0) >> 2)] < 0x14) || (tcp[((tcp[12] & 0xf0) >> 2)] > 0x18)) && (tcp[((tcp[12] & 0xf0) >> 2)+3] = 0x00) && (tcp[((tcp[12] & 0xf0) >> 2)+4] = 0x02))

(I'm not going to pretend I understand all of it. There's a breakdown on the page)

But it doesn't seem to give the expected results. There are still TLSv1.2 packets being captured. Anyone who could jump to the rescue?
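Here is an added Python model of the three OR-ed clauses of that capture filter (example code written for this page, not from the linked page or from Wireshark/libpcap), fed with constructed TCP segments and TLS payloads; the names make_segment, filter_matches, TS_OPTS and the match labels are my own. The last sample goes beyond the question itself and shows one class of unwanted matches: the filter is stateless, so a segment whose payload begins in the middle of a large record (a TLS 1.2 one included) is judged on whatever bytes land at those offsets.

```python
from typing import Optional
import struct

def tls_offset(segment: bytes) -> int:
    """Payload start, computed exactly as the filter does: (tcp[12] & 0xf0) >> 2."""
    return (segment[12] & 0xF0) >> 2

def filter_matches(segment: bytes) -> Optional[str]:
    """Model the three OR-ed clauses of the capture filter; None means 'not captured'."""
    p = segment[tls_offset(segment):]
    if len(p) < 5:                      # the filter reads tcp[off+4]; too short: no match
        return None
    ctype, major, minor = p[0], p[1], p[2]
    # Clause 1: ChangeCipherSpec/Alert/ApplicationData record with version 3.0..3.2
    if ctype in (0x14, 0x15, 0x17) and major == 0x03 and minor < 0x03:
        return "legacy-record"
    # Clause 2: Handshake record (0x16) whose ClientHello/ServerHello version field
    # (record offset +9/+10) is below TLS 1.2 (0x0303)
    if ctype == 0x16 and minor < 0x03 and len(p) >= 11 and p[9] == 0x03 and p[10] < 0x03:
        return "legacy-handshake"
    # Clause 3: first byte outside the TLS content-type range and 0x0002 at +3/+4,
    # i.e. an SSLv2-style ClientHello
    if (ctype < 0x14 or ctype > 0x18) and p[3] == 0x00 and p[4] == 0x02:
        return "sslv2-hello"
    return None

def make_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed TCP header (dummy ports/seq/ack) + options + payload."""
    assert len(options) % 4 == 0
    words = 5 + len(options) // 4            # data offset in 32-bit words
    hdr = struct.pack("!HHIIBBHHH", 1433, 51000, 1, 1, words << 4, 0x18, 65535, 0, 0)
    return hdr + options + payload

# Constructed payloads (lengths are illustrative, not complete messages)
TS_OPTS = b"\x01\x01\x08\x0a" + b"\x00" * 8   # NOP NOP Timestamp -> payload at offset 32
TLS10_APPDATA = b"\x17\x03\x01\x00\x10" + b"\xaa" * 16
TLS12_APPDATA = b"\x17\x03\x03\x00\x10" + b"\xaa" * 16
TLS12_CLIENTHELLO = b"\x16\x03\x01\x00\x26" + b"\x01\x00\x00\x22" + b"\x03\x03" + b"\x00" * 32
TLS11_CLIENTHELLO = b"\x16\x03\x02\x00\x26" + b"\x01\x00\x00\x22" + b"\x03\x02" + b"\x00" * 32
SSLV2_CLIENTHELLO = b"\x80\x2e\x01\x00\x02\x00\x15" + b"\x00" * 40
# Second TCP segment of a large TLS 1.2 record: the payload starts mid-record, so the
# filter sees arbitrary ciphertext bytes that here happen to satisfy clause 3
MID_RECORD_CONT = b"\x05\x00\x00\x00\x02" + b"\x5c" * 20

if __name__ == "__main__":
    samples = [("TLS1.0 appdata", TLS10_APPDATA), ("TLS1.2 appdata", TLS12_APPDATA),
               ("TLS1.2 ClientHello", TLS12_CLIENTHELLO), ("TLS1.1 ClientHello", TLS11_CLIENTHELLO),
               ("SSLv2 ClientHello", SSLV2_CLIENTHELLO), ("mid-record continuation", MID_RECORD_CONT)]
    for name, pl in samples:
        print(f"{name:24s} -> {filter_matches(make_segment(pl, TS_OPTS))}")
```

Note that a TLS 1.2 ClientHello is commonly sent in a record with version 0x0301, which is why clause 2 looks at the handshake's own version bytes rather than the record version alone.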