
Filter only TLSv1.2 packets

I want to display only TLSv1.2 client and server hello messages in my Wireshark capture. What is the filter that I can use?

alajeb
asked 2020-03-10 13:30:02 +0000

1 Answer


The full TLS handshake: tls.record.content_type == 22

Client Hello: tls.handshake.type == 1

Server Hello: tls.handshake.type == 2

Client or Server Hello: tls.handshake.type == 2 or tls.handshake.type == 1

Chuckc
answered 2020-03-10 13:40:16 +0000

Comments

I want only TLSv1.2 messages

alajeb (2020-03-10 13:43:28 +0000)

Only Client Hello messages that match a server responding with TLSv1.2, or all Client Hello messages?

Chuckc (2020-03-10 14:11:25 +0000)

Are tshark and grep an option?
https://ask.wireshark.org/question/98...

There is a discussion in this bug about support for filtering on the Protocol column:
https://bugs.wireshark.org/bugzilla/s...

https://code.wireshark.org/review/git...
The dissector keeps track of the session version but I don't see where it's exposed to filter on.

ssl_session->session.version == TLSV1DOT2_VERSION
Chuckc (2020-03-10 14:16:36 +0000)
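
An added example, not part of the original thread and not Wireshark code: the handshake-type filters above match hellos of every TLS version, and the negotiated version is only known once the Server Hello is seen. The Python sketch below classifies raw TLS records and keeps a connection's hellos only when its Server Hello negotiated TLSv1.2. All function names and the sample records are assumptions constructed for illustration, and it assumes each record holds one complete, reassembled handshake message.

```python
import struct

HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 22, 1, 2  # values used in the filters above
SUPPORTED_VERSIONS = 43                           # extension type (RFC 8446)
NAMES = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def classify_hello(record: bytes):
    """Return (hello name, negotiated version or None) for one TLS record, else None."""
    if len(record) < 9 or record[0] != HANDSHAKE or record[5] not in (CLIENT_HELLO, SERVER_HELLO):
        return None
    if record[5] == CLIENT_HELLO:
        return ("Client Hello", None)   # the client only offers; the server decides
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    if len(body) < 35:                  # too short for version + random + session_id length
        return None
    version = struct.unpack_from("!H", body, 0)[0]   # 0x0303 for TLS 1.2 and TLS 1.3
    pos = 2 + 32                                     # legacy_version + random
    pos += 1 + body[pos]                             # session_id
    pos += 2 + 1                                     # cipher suite + compression method
    if pos + 2 <= len(body):                         # extensions block is optional
        end = min(len(body), pos + 2 + struct.unpack_from("!H", body, pos)[0])
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            if ext_type == SUPPORTED_VERSIONS and ext_len == 2 and pos + 6 <= end:
                version = struct.unpack_from("!H", body, pos + 4)[0]  # TLS 1.3 marker
            pos += 4 + ext_len
    return ("Server Hello", NAMES.get(version, hex(version)))

def hellos_for_version(connection, wanted="TLSv1.2"):
    """Keep a connection's hello records only if its Server Hello negotiated `wanted`."""
    tagged = [(classify_hello(r), r) for r in connection]
    if any(t == ("Server Hello", wanted) for t, _ in tagged):
        return [r for t, r in tagged if t is not None]
    return []

# --- constructed sample records (not taken from a real capture) ---
def _record(hs_type, body):
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 3, 3]) + struct.pack("!H", len(hs)) + hs

def sample_server_hello(tls13):
    ext = struct.pack("!HHH", SUPPORTED_VERSIONS, 2, 0x0304) if tls13 else b""
    suite = b"\x13\x01" if tls13 else b"\xc0\x2f"
    return _record(SERVER_HELLO, b"\x03\x03" + bytes(32) + b"\x00" + suite + b"\x00"
                   + struct.pack("!H", len(ext)) + ext)

SAMPLE_CLIENT_HELLO = _record(CLIENT_HELLO, b"\x03\x03" + bytes(32) + b"\x00"
                              + b"\x00\x02\xc0\x2f" + b"\x01\x00")
```
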