Revision history [back]
When implementations fail during the TLS handshake, they typically do either:
- Forcefully close the TCP connection. This can be found with the display filter
tcp.flags.reset==1
- Send an unencrypted Alert message. This can be found with the display filter
tls.alert_message.level
Combining the two:
tcp.flags.reset==1 or tls.alert_message.level
Note that normal TLS sessions may also use the TCP RST (reset) flag to tear down a connection to close down a successful session. If you see Application Data packets in the same TCP stream, then this would indicate that.
If you are using Wireshark 2.6 or older, note that the filter is named ssl.alert_message.level
instead.
When implementations fail during the TLS handshake, they typically do either:
- Forcefully
closethe TCP connection. This can be found with the display filtertcp.flags.reset==1
- Send an unencrypted Alert message. This can be found with the display filter
tls.alert_message.level
Combining the two:
tcp.flags.reset==1 or tls.alert_message.level
Note that normal TLS sessions may also use the TCP RST (reset) flag to tear down a connection to close down a successful session. If you see Application Data packets in the same TCP stream, then this would indicate that.
If you are using Wireshark 2.6 or older, note that the filter is named ssl.alert_message.level
instead.
When implementations fail during the TLS handshake, they typically do either:
- Forcefully the TCP connection. This can be found with the display filter
tcp.flags.reset==1
- Send an unencrypted Alert message. This can be found with the display filter
tls.alert_message.level
Combining the two:
tcp.flags.reset==1 or tls.alert_message.level
Note that normal TLS sessions may also use the TCP RST (reset) flag to tear down a connection to close down a successful session. If you see Application Data packets in the same TCP stream, then this would indicate that.
If you are using Wireshark 2.6 or older, note that the filter is named ssl.alert_message.level
instead.