
Capture Filter for TLS

I'm an email admin at my place of employment. I want to see what clients are using TLS to send email to my SMTP server. I want this to run for about a week straight, so I want to only capture the initial handshake and I don't care about decrypting it. I'm really just interested in getting the remote server's name and IP.

Of course, the display filter is a different language than the capture filter so I can't just copy and paste. I have no idea why ;-)

I use tls.record.version == "TLS 1.0" or tls.record.version == "TLS 1.1" or tls.record.version == "TLS 1.2" for my display filter

I am a noob at being a Wireshark noob, so please be gentle. ;-)

Thanks in advance.

Burtamus, asked 2019-08-02 14:44:15 +0000

Comments

You mention "clients using TLS" and "remote server's name and IP". Do you mean external mail servers transmitting external email to your server over SMTP, or internal clients sending mail to your mail server for transmission elsewhere?

The capture filter and display filter syntaxes are different because they do different things. Basically the capture filter allows high speed deterministic checking of each packet without requiring too much dissection to ease capture throughput and display filters allow checking of any field in any packet but require the packet to be dissected at least once, if not twice (to resolve forward references).

grahamb (2019-08-02 15:00:48 +0000)

This is an open relay within our network and the only ones that can connect to it are internal to our network. We then relay off to our mailboxes in O365. Therefore "remote servers" means servers/workstations that are not the SMTP server within our network. "Clients" would be any application on those remote servers/workstations, whether they are Java, PowerShell, Telnet, etc. I hope that helps.

Burtamus (2019-08-02 16:38:25 +0000)

2 Answers


Doesn't your email server log info about connections? That would be my first port of call to see what's going on.

grahamb, answered 2019-08-02 15:01:48 +0000

Comments

I'm using IIS SMTP. It does log who uses the STARTTLS verb, but it does not show what version of TLS they are using.

Burtamus (2019-08-02 16:33:33 +0000)

From your comment it seems that you want to capture the connections from your internal clients to your internal relay server.

I guess the clients will be submitting email via port 587 or the deprecated port 25 and then emitting a STARTTLS command, or connecting to the deprecated implicit TLS port 465. Using these ports you can construct a capture filter for use with dumpcap on the relay server to capture the traffic, say into hourly files (using the -b option), and then post-analyze the captures with tshark and a display filter and the -T fields option to output the TLS version numbers along with any other relevant info from the client conversation (e.g. IP).

grahamb, answered 2019-08-04 10:54:43 +0000

Comments

Thanks for the reply. It is IIS SMTP, so it is all port 25. Please see the Display Filter in my original post for the results I'm trying to capture up front. "You can construct a capture filter" is exactly what I need help with. Everything I try (having no knowledge of Wireshark) fails.

Burtamus (2019-08-05 16:52:30 +0000)

Use dumpcap on the SMTP server with a simple capture filter of port 25 to capture all the SMTP traffic and use -b duration:3600 to set up hourly files.

Then post-process those files with tshark to show the TLS version requested by the client with something like:

tshark -r "inputfile" -Y "tls.handshake.type == 1" -T fields -e frame.number -e ip.src -e tls.handshake.version
grahamb (2019-08-05 17:39:07 +0000)
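As an added example (mine, not from the thread or from the Wireshark project), here is a small Python script that builds the two command lines grahamb describes and parses the tab-separated output of "tshark -T fields" into a per-client summary of the highest TLS version each ClientHello offers. It assumes dumpcap and tshark are on PATH, that the relay listens on TCP 25, and that the Wireshark build knows the tls.handshake.extensions.supported_version field. That field matters because a TLS 1.3 client keeps 0x0303 (TLS 1.2) in the legacy tls.handshake.version field and announces 1.3 only through the supported_versions extension, so a report based on tls.handshake.version alone would under-count TLS 1.3 clients.

```python
#!/usr/bin/env python3
"""Added example, not code from the thread or from the Wireshark project.

Builds the dumpcap and tshark commands from the thread (capture filter
"tcp port 25", hourly files, then ClientHello fields) and summarises the
tshark field output per client IP.  Assumptions: dumpcap/tshark on PATH,
relay on TCP 25, Wireshark build has tls.handshake.extensions.supported_version.
"""
import subprocess
from collections import defaultdict

# 16-bit version codes as they appear in a ClientHello.
TLS_VERSION_NAMES = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}

# Fields requested from tshark, in the column order it prints them.
TSHARK_FIELDS = [
    "frame.number",
    "ip.src",
    "tls.handshake.version",                       # legacy client_version
    "tls.handshake.extensions.supported_version",  # TLS 1.3-style list
]


def dumpcap_command(interface, outfile="smtp.pcapng", seconds=3600):
    """dumpcap invocation: BPF capture filter, new file every `seconds`."""
    return ["dumpcap", "-i", interface,
            "-f", "tcp port 25",           # capture filter, not display filter
            "-b", f"duration:{seconds}",   # hourly files, as suggested
            "-w", outfile]


def tshark_command(pcap):
    """tshark invocation: only ClientHello (handshake type 1), tab-separated fields."""
    cmd = ["tshark", "-r", pcap, "-Y", "tls.handshake.type == 1", "-T", "fields"]
    for field in TSHARK_FIELDS:
        cmd += ["-e", field]
    return cmd


def is_grease(code):
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ...) are not real versions."""
    return (code & 0x0f0f) == 0x0a0a and (code >> 8) == (code & 0xff)


def version_name(code):
    return TLS_VERSION_NAMES.get(code, f"unknown(0x{code:04x})")


def highest_offered(legacy, supported):
    """Highest real version a ClientHello offers.

    `legacy` is the tls.handshake.version text, `supported` the comma-joined
    supported_version list (empty for clients without that extension).
    int(x, 16) accepts both "0x0303" and the zero-padded "0x00000303" that
    older tshark releases print."""
    offered = {int(v, 16) for v in supported.split(",") if v.strip()}
    offered = {v for v in offered if not is_grease(v)}
    if not offered:
        offered = {int(legacy, 16)}
    return max(offered)


def summarise(text):
    """Parse `tshark -T fields` output into {client_ip: sorted version names}."""
    seen = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        cols += [""] * (len(TSHARK_FIELDS) - len(cols))   # pad missing columns
        _frame, ip, legacy, supported = cols[:len(TSHARK_FIELDS)]
        if not ip or not legacy:
            continue
        seen[ip].add(version_name(highest_offered(legacy, supported)))
    return {ip: sorted(names) for ip, names in seen.items()}


def summarise_pcap(pcap):
    """Run tshark on one capture file and summarise it (needs tshark installed)."""
    out = subprocess.run(tshark_command(pcap), capture_output=True,
                         text=True, check=True).stdout
    return summarise(out)


# Constructed sample of what tshark prints for three ClientHello frames.
SAMPLE_OUTPUT = (
    "1\t10.0.0.5\t0x0303\t0x0a0a,0x0304,0x0303\n"   # TLS 1.3 client, with GREASE
    "7\t10.0.0.9\t0x0301\t\n"                        # old TLS 1.0-only client
    "12\t10.0.0.5\t0x0303\t0x0303,0x0302\n"          # same host, a TLS 1.2 client
)

if __name__ == "__main__":
    print(" ".join(dumpcap_command("eth0")))
    for ip, versions in summarise(SAMPLE_OUTPUT).items():
        print(ip, ", ".join(versions))
```

Two things worth knowing when reading the result: the summary shows what each client offered, not what was negotiated (the ServerHello, tls.handshake.type == 2, carries the chosen version), and "tcp port 25" is used rather than "port 25" only to keep UDP out of the capture; either works as a dumpcap -f filter.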
