Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

Display filter for TLS versions in tshark and saving to a new file.

Hello,

I have a long-term capture taken on a server which at the moment is set-up to accept several versions of TLS, 1.1, 1,2 and older ones from outdated clients. The clients are connecting to the server using diferent protocols and ports, 443, 4343, 3389, 22 (HTTPS, RDP, SSH, FTPS mainly) and I try to indentify which versions of TLS are those clients using and which level of encryption.

I have used "ssl.record.version" for each trace on the graphical interface, but as number of traces files increases,(~162 files, ~28 Gb of traces), I would like to use tshark to read the capture files and to be able to display those packets which contain TLS handshake, indepently of the protocol, or port. I think I have done it, using -r and -Y, but it strange to me that when displaying on the screen I see the packet flow and different TLS versions

tshark -r LANInterfaceServer104.pcapng -Y ssl.record.version

8222 ------ TLSv1 571 Client Hello

26953 ------- TLSv1.2 437 Certificate, Server Key Exchange, Server Hello Done

38554 -------- TLSv1.3 1414 Server Hello, Change Cipher Spec

but then saving to a file, I only find one TLS version, not all the packets are saved, and those are not in the new trace file created.

tshark -r LANInterfaceServer104.pcapng -Y ssl.record.version -w TracewithTLS_versions.pcapng

I wonder if this could be just because of the packets beloging to only one handshake are saved, or my filter commands are not properly correct.

and additional question, I have also used TraceWrangler to scan, filter and extract the traces by ports, but I wonder if could be an option to implement a filter to extract any TLS handshake version as well and creating the file.

I see the advantage of having such information in just one file, in order to identify the client IP, and application which have to be "corrected"

Thanks in advanced.

Display filter for TLS versions in tshark and saving to a new file.

Hello,

I have a long-term capture taken on a server which at the moment is set-up to accept several versions of TLS, 1.1, 1,2 and older ones from outdated clients. The clients are connecting to the server using diferent protocols and ports, 443, 4343, 3389, 22 (HTTPS, RDP, SSH, FTPS mainly) and I try to indentify which versions of TLS are those clients using and which level of encryption.

I have used "ssl.record.version" for each trace on the graphical interface, but as number of traces files increases,(~162 files, ~28 Gb of traces), I would like to use tshark to read the capture files and to be able to display those packets which contain TLS handshake, indepently of the protocol, or port. I think I have done it, using -r and -Y, but it it's strange to me that when displaying on the screen I see the packet flow and flows with different TLS versions

tshark -r LANInterfaceServer104.pcapng -Y ssl.record.version

8222 ------ TLSv1 571 Client Hello

26953 ------- TLSv1.2 437 Certificate, Server Key Exchange, Server Hello Done

38554 -------- TLSv1.3 1414 Server Hello, Change Cipher Spec

but then saving to a file, it has something different, I only find one TLS version, not all the packets are saved, and only those are not are in the new trace file created.

tshark -r LANInterfaceServer104.pcapng -Y ssl.record.version -w TracewithTLS_versions.pcapng

I wonder if this could be just because of the packets beloging to only one handshake are saved, or my filter commands are not properly correct.

and additional question, I have also used TraceWrangler to scan, filter and extract the traces by ports, but I wonder if could be an option to implement a filter to extract any TLS handshake version as well and creating the file.

I see the advantage of having such information in just one file, in order to identify the client IP, and application which have to be "corrected"

Thanks in advanced.