
Display filter for TLS versions in tshark and saving to a new file.

Hello,

I have a long-term capture taken on a server which at the moment is set up to accept several versions of TLS, 1.1, 1.2 and older ones from outdated clients. The clients are connecting to the server using different protocols and ports, 443, 4343, 3389, 22 (HTTPS, RDP, SSH, FTPS mainly) and I try to identify which versions of TLS those clients are using and which level of encryption.

I have used "ssl.record.version" for each trace on the graphical interface, but as the number of trace files increases (~162 files, ~28 GB of traces), I would like to use tshark to read the capture files and to be able to display those packets which contain a TLS handshake, independently of the protocol or port. I think I have done it, using -r and -Y, but it's strange to me that when displaying on the screen I see the packet flows with different TLS versions

tshark -r LANInterfaceServer104.pcapng -Y ssl.record.version

8222 ------ TLSv1 571 Client Hello

26953 ------- TLSv1.2 437 Certificate, Server Key Exchange, Server Hello Done

38554 -------- TLSv1.3 1414 Server Hello, Change Cipher Spec

but then saving to a file, it has something different, I only find one TLS version, not all the packets are saved, and only those are in the new trace file created.

tshark -r LANInterfaceServer104.pcapng -Y ssl.record.version -w TracewithTLS_versions.pcapng

I wonder if this could be just because only the packets belonging to one handshake are saved, or my filter commands are not quite correct.

And an additional question: I have also used TraceWrangler to scan, filter and extract the traces by ports, but I wonder if it could be an option to implement a filter to extract any TLS handshake version as well and create the file.

I see the advantage of having such information in just one file, in order to identify the client IP and application which have to be "corrected".

Thanks in advance.

xinxolHH
asked 2019-06-18 10:04:31 +0000, updated 2019-06-18 11:44:32 +0000

Comments

tshark version?

grahamb (2019-06-18 10:14:57 +0000)

TShark (Wireshark) 3.0.2 (v3.0.2-0-g621ed351d5c9)

xinxolHH (2019-06-18 10:16:05 +0000)

Be aware that from Wireshark 3.0 onwards, the SSL dissector has been renamed to TLS, so display filter fields should be prefixed with "tls" rather than "ssl".

grahamb (2019-06-18 10:40:56 +0000)

Thanks, it is nice to have tls instead of ssl, yes finally, but I think when using tls.record.version I am getting the same outcome. tshark -r LANInterfaceServer104.pcapng -Y tls.record.version -w traceswithTLS.pcapng, is there something strange in my filters, or is this probably a bug?

xinxolHH (2019-06-18 11:19:22 +0000)

1 Answer


TLS negotiates the TLS version during the handshake. The client reports its minimum version through the tls.record.version field and the server agrees to it in the Server Hello. If you would like to understand what versions are in use, it suffices to extract TLS Server Hello handshake messages using the filter:

tls.handshake.type==2

Then inspect the Server Hello version field:

tls.handshake.version

or for TLS 1.3:

tls.handshake.extensions.supported_version

For example, to extract both version fields for Server Hello messages, it will show something like 0x00000303 (for TLS 1.2) or 0x00000304 0x00000303 (for TLS 1.3):

tshark -r your.pcapng -T fields -Y tls.handshake.type==2 -e tls.handshake.extensions.supported_version -e tls.handshake.version

Alternatively you can dump the Protocol column like this, it will show something like TLSv1.2 or TLSv1.3:

tshark -r your.pcapng -T fields -Y tls.handshake.type==2 -e _ws.col.Protocol

For more details on the version negotiation, including TLS 1.3 considerations, see this answer.

Lekensteyn
answered 2019-06-19 00:56:10 +0000, updated 2019-06-19 00:56:23 +0000
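As an added example (not part of Lekensteyn's answer or of Wireshark itself), the Python below post-processes the tab-separated output of the Server Hello command above, with ip.dst added as the first field, and counts the negotiated version per client, resolving the TLS 1.3 case where tls.handshake.version still reads 0x0303 and only the supported_versions extension carries 0x0304. The tshark invocation in the comment and the sample lines are assumed/constructed, not taken from the original capture.

```python
import io
from collections import Counter

# TLS version codes as they appear in the record/handshake version fields.
TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def negotiated_version(handshake_version, supported_version):
    """Return the version the server selected in its Server Hello.

    For TLS 1.3 the legacy tls.handshake.version field still reads 0x0303;
    the real choice sits in the supported_versions extension, so that field
    wins when present. Accepts '0x0303' as well as tshark's '0x00000303'.
    """
    raw = supported_version or handshake_version
    code = int(raw, 16)
    return TLS_VERSIONS.get(code, "unknown(0x%04x)" % code)

def summarize(fields_output):
    """Count (client_ip, negotiated_version) pairs from tshark -T fields output.

    Columns (tab-separated, empty when absent): ip.dst, tls.handshake.version,
    tls.handshake.extensions.supported_version. ip.dst is the client here,
    because a Server Hello travels from the server to the client.
    """
    counts = Counter()
    for line in io.StringIO(fields_output):
        line = line.rstrip("\n")
        if not line:
            continue
        client, hs_ver, sup_ver = (line.split("\t") + ["", ""])[:3]
        if not hs_ver and not sup_ver:
            continue  # matched type==2 but no version field was decoded
        counts[(client, negotiated_version(hs_ver, sup_ver))] += 1
    return counts

# Constructed sample of what the assumed tshark command would print (not real capture data):
# tshark -r x.pcapng -T fields -Y tls.handshake.type==2 \
#   -e ip.dst -e tls.handshake.version -e tls.handshake.extensions.supported_version
SAMPLE = (
    "10.0.0.21\t0x00000303\t\n"            # TLS 1.2 session
    "10.0.0.22\t0x00000303\t0x00000304\n"  # TLS 1.3: legacy field still 0x0303
    "10.0.0.23\t0x00000301\t\n"            # TLS 1.0 client, needs correcting
    "10.0.0.21\t0x00000303\t\n"
)

if __name__ == "__main__":
    for (client, version), n in sorted(summarize(SAMPLE).items()):
        print("%-15s %-8s %d" % (client, version, n))
```

Pipe the real tshark output into summarize() (for example via sys.stdin.read()) to get the per-client list of versions that still need correcting.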

Comments

Thanks! This is closer to what I was looking for. I have added the ip.src on the fields so I can get the "dump" with each line with the corresponding IP address on the screen in a text file. I am a bit surprised that it is not possible to have a written pcapng file with only those handshake packets. Thanks & Best Regards.

xinxolHH (2019-06-19 07:02:53 +0000)
