
Is there any way we can filter only SSLv3.0 traffic from a capture?

asked 20 Mar, 14:46


It's a bit more complicated than usual to do this, because you need to do it in two steps. First, you need to find all conversations that use SSLv3, gathering their tcp stream indexes. In a second run, filter those away (or everything else, depending on what you mean by "filter only SSLv3").

Example, filtering on Handshakes (content_type 22) from the server (handshake type 2) and SSL version 3 (version 0x0300):

tshark -r demo.pcapng -Y "ssl and ssl.record.content_type == 22 and ssl.handshake.type == 2 and ssl.record.version == 0x0300" -Tfields -e tcp.stream

Second, run tshark again (or use Wireshark to load your pcap), and filter on the stream indexes:

tcp.stream==7672 or tcp.stream==10374 or tcp.stream==10858 or tcp.stream==11509

If you don't want to see the SSLv3 flows, negate the filter:

not (tcp.stream==7672 or tcp.stream==10374 or tcp.stream==10858 or tcp.stream==11509)

answered 20 Mar, 15:34


Jasper ♦♦
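The two-step procedure in the answer above, as an added example that is not part of the original post: it mirrors the step-one display filter on constructed SSL record bytes (so you can see which header fields content_type 22, handshake type 2 and version 0x0300 refer to), deduplicates the tcp.stream column that step one prints, and builds the step-two filter in both its positive and negated forms. The tshark wrapper assumes tshark is on PATH; note that Wireshark releases from 3.0 onward name these fields tls.* rather than ssl.*.

```python
import struct
import subprocess

# Constructed sample records, not captured traffic. Each is a 5-byte SSL/TLS record
# header (content_type, version, length) followed by the first handshake byte.
SSLV3_SERVER_HELLO = bytes([0x16, 0x03, 0x00, 0x00, 0x4A, 0x02])  # matches filter
TLS12_SERVER_HELLO = bytes([0x16, 0x03, 0x03, 0x00, 0x4A, 0x02])  # wrong version
SSLV3_CLIENT_HELLO = bytes([0x16, 0x03, 0x00, 0x00, 0x80, 0x01])  # wrong direction

STEP_ONE_FILTER = ("ssl and ssl.record.content_type == 22 and "
                   "ssl.handshake.type == 2 and ssl.record.version == 0x0300")


def is_sslv3_server_handshake(record: bytes) -> bool:
    """Same test the step-one display filter applies: content_type 22 (handshake),
    handshake type 2 (ServerHello), record version 0x0300 (SSLv3)."""
    if len(record) < 6:
        return False
    content_type, version, _length = struct.unpack("!BHH", record[:5])
    handshake_type = record[5]
    return content_type == 22 and handshake_type == 2 and version == 0x0300


def parse_stream_indexes(tshark_output: str) -> list:
    """Deduplicate tshark's '-Tfields -e tcp.stream' output, one index per line.
    A stream with several matching records is printed several times."""
    seen = []
    for line in tshark_output.splitlines():
        line = line.strip()
        if line.isdigit() and int(line) not in seen:
            seen.append(int(line))
    return seen


def build_stream_filter(indexes, negate: bool = False) -> str:
    """Step two: the 'tcp.stream==A or tcp.stream==B' filter, optionally negated
    to hide the SSLv3 flows instead of showing them."""
    inner = " or ".join(f"tcp.stream=={i}" for i in indexes)
    return f"not ({inner})" if negate else inner


def find_sslv3_streams(pcap_path: str) -> list:
    """Run step one for real against a capture file (requires tshark on PATH)."""
    proc = subprocess.run(
        ["tshark", "-r", pcap_path, "-Y", STEP_ONE_FILTER, "-Tfields", "-e", "tcp.stream"],
        capture_output=True, text=True, check=True)
    return parse_stream_indexes(proc.stdout)
```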

question asked: 20 Mar, 14:46

question was seen: 405 times

last updated: 20 Mar, 15:34