Is there any way we can filter only SSLv3.0 traffic from a capture?
asked 20 Mar, 14:46
It's a bit more complicated than usual to do this, because you need to do it in two steps. First, you need to find all conversations that use SSLv3, gathering their tcp stream indexes. In a second run, filter those away (or everything else, depending on what you mean by "filter only SSLv3").
Example, filtering on Handshakes (content_type 22) from the server (handshake type 2) and SSL version 3 (version 0x0300):
tshark -r demo.pcapng -Y "ssl and ssl.record.content_type == 22 and ssl.handshake.type == 2 and ssl.record.version == 0x0300" -Tfields -e tcp.stream
7672
10374
10858
11509
Second, run tshark again (or use Wireshark to load your pcap), and filter on the stream indexes:
If you don't want to see the SSLv3 flows, negate the filter:
answered 20 Mar, 15:34
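The two-pass procedure from the answer, wired together as an added shell example (not code from the original answer): the first tshark pass prints the tcp.stream indexes, a helper turns them into a tcp.stream set filter (negated with -v to keep the non-SSLv3 flows instead), and the second pass applies it. It assumes demo.pcapng from the answer and tshark on PATH; the function and script names are my own.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes demo.pcapng and a
# tshark on PATH; function names are hypothetical. Note that Wireshark 3.0+
# renamed the ssl.* fields to tls.*, so adjust SSLV3_HELLO on newer builds.

# First pass (from the answer): SSLv3 Server Hello records, version 0x0300.
SSLV3_HELLO='ssl and ssl.record.content_type == 22 and ssl.handshake.type == 2 and ssl.record.version == 0x0300'

# build_stream_filter [-v]: reads newline-separated tcp.stream indexes on stdin
# (as printed by -T fields -e tcp.stream, duplicates allowed) and prints the
# second-pass display filter. -v negates it, keeping every non-SSLv3 flow.
# Fails when no index was read, so tshark is never run with "tcp.stream in {}".
build_stream_filter() {
    negate=0
    case "$1" in -v) negate=1 ;; esac
    # numeric lines only, deduplicated, sorted numerically, joined by spaces
    set_body=$(grep -E '^[0-9]+$' | sort -nu | tr '\n' ' ')
    set_body=${set_body% }
    if [ -z "$set_body" ]; then
        echo "build_stream_filter: no stream indexes on stdin" >&2
        return 1
    fi
    if [ "$negate" -eq 1 ]; then
        printf '!(tcp.stream in {%s})\n' "$set_body"
    else
        printf 'tcp.stream in {%s}\n' "$set_body"
    fi
}

# filter_sslv3_streams CAPTURE [-v]: run both passes and print the packets of
# the SSLv3 conversations (or, with -v, of everything else).
filter_sslv3_streams() {
    cap=$1
    shift
    flt=$(tshark -r "$cap" -Y "$SSLV3_HELLO" -T fields -e tcp.stream \
          | build_stream_filter "$@") || return 1
    echo "second-pass filter: $flt" >&2
    tshark -r "$cap" -Y "$flt"
}

# Runs only when a capture is given, e.g.:  sh sslv3_streams.sh demo.pcapng -v
if [ "$#" -gt 0 ]; then
    filter_sslv3_streams "$@"
fi
```

The `tcp.stream in {...}` set syntax needs Wireshark/tshark 1.12 or later; on older builds chain `tcp.stream == N` terms with `||` instead.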