Useful Wireshark filter for analysis of SSL Traffic.
ssl.handshake.version==0x0300 or ssl.handshake.version==0x0301 or ssl.handshake.version==0x0302
ssl.record.version == 0x0300 or ssl.record.version == 0x0301 or ssl.record.version == 0x0302
Versions:
0x0300 SSL 3.0
0x0301 TLS 1.0
0x0302 TLS 1.1
0x0303 TLS 1.2
Show only <TLS1.2
(ssl.record.version == 0x0300 or ssl.record.version == 0x0301 or ssl.record.version == 0x0302)
Client Hello:
ssl.handshake.type == 1
Server Hello:
ssl.handshake.type == 2
NewSessionTicket:
ssl.handshake.type == 4
Certificate:
ssl.handshake.type == 11
CertificateRequest:
ssl.handshake.type == 13
ServerHelloDone:
ssl.handshake.type == 14
Note: a “ServerHelloDone” message means a full-handshake TLS session; an abbreviated (resumed) handshake does not send it.
Cipher Suites:
ssl.handshake.ciphersuite
I found the table below on Wikipedia. All these SSL handshake message types (I had included some of them above) can be used as Wireshark filters as well.
Message types

| Code | Description |
|---|---|
| 0 | HelloRequest |
| 1 | ClientHello |
| 2 | ServerHello |
| 4 | NewSessionTicket |
| 8 | EncryptedExtensions (TLS 1.3 only) |
| 11 | Certificate |
| 12 | ServerKeyExchange |
| 13 | CertificateRequest |
| 14 | ServerHelloDone |
| 15 | CertificateVerify |
| 16 | ClientKeyExchange |
| 20 | Finished |
Please note:
More and more deployments require a more secure mechanism, e.g. Perfect Forward Secrecy (PFS). To provide PFS, the cipher suite needs to use ephemeral Elliptic-curve Diffie–Hellman (ECDHE) or ephemeral Diffie–Hellman (DHE) during the key exchange. In those cases we can’t use the server’s private key to decrypt the traffic; decrypting such sessions in Wireshark needs the session secrets exported from one of the endpoints (a (Pre)-Master-Secret log file) instead.
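To show what the filters above actually match on the wire, here is an added example (not code from the original post): a small parser for the TLS record header and the first handshake header inside it, which recovers the same fields as ssl.record.version, ssl.handshake.version, ssl.handshake.type and ssl.handshake.ciphersuite, and then applies the "Show only <TLS1.2" test and a PFS check to the offered cipher suites. The ClientHello and ServerHelloDone bytes are constructed inline for the example; the cipher suite table is a small subset of the IANA registry and the helper names are my own.

```python
import struct

# TLS version code points as they appear in ssl.record.version / ssl.handshake.version.
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

# Handshake message types (the ssl.handshake.type values from the table above).
HANDSHAKE_TYPES = {
    0: "HelloRequest", 1: "ClientHello", 2: "ServerHello", 4: "NewSessionTicket",
    8: "EncryptedExtensions", 11: "Certificate", 12: "ServerKeyExchange",
    13: "CertificateRequest", 14: "ServerHelloDone", 15: "CertificateVerify",
    16: "ClientKeyExchange", 20: "Finished",
}

# A handful of IANA cipher suite code points (subset, enough for the example).
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

HANDSHAKE_CONTENT_TYPE = 22  # record-layer content type for handshake messages


def build_handshake_record(hs_type: int, hs_body: bytes, record_version: int) -> bytes:
    """Wrap a handshake body in handshake and record headers (used to construct test data)."""
    hs = bytes([hs_type]) + len(hs_body).to_bytes(3, "big") + hs_body
    return struct.pack("!BHH", HANDSHAKE_CONTENT_TYPE, record_version, len(hs)) + hs


def build_client_hello(hs_version: int, suites, record_version: int = 0x0301) -> bytes:
    """Constructed ClientHello: version, fixed 'random', empty session id, suites, null compression."""
    body = struct.pack("!H", hs_version) + b"\x11" * 32 + b"\x00"
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"
    return build_handshake_record(1, body, record_version)


def parse_client_hello(body: bytes) -> dict:
    """Pull client_version and the offered cipher suites out of a ClientHello body."""
    (hs_version,) = struct.unpack("!H", body[:2])
    off = 2 + 32                      # skip client_version and the 32-byte random
    off += 1 + body[off]              # skip the length-prefixed session_id
    (cs_len,) = struct.unpack("!H", body[off:off + 2])
    off += 2
    if cs_len % 2 or off + cs_len > len(body):
        raise ValueError("malformed cipher_suites vector")
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    return {
        "handshake_version": hs_version,
        "handshake_version_name": TLS_VERSIONS.get(hs_version, "unknown"),
        "cipher_suites": suites,
        "cipher_suite_names": [CIPHER_SUITES.get(s, f"unknown(0x{s:04X})") for s in suites],
    }


def parse_record(data: bytes) -> dict:
    """Parse one handshake record: the fields the ssl.record.* / ssl.handshake.* filters test."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    content_type, rec_version, rec_len = struct.unpack("!BHH", data[:5])
    if content_type != HANDSHAKE_CONTENT_TYPE:
        raise ValueError(f"content type {content_type} is not a handshake record")
    body = data[5:5 + rec_len]
    if len(body) < rec_len or len(body) < 4:
        raise ValueError("truncated record body")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    hs_body = body[4:4 + hs_len]
    if len(hs_body) < hs_len:
        raise ValueError("truncated handshake message")
    info = {
        "record_version": rec_version,
        "record_version_name": TLS_VERSIONS.get(rec_version, "unknown"),
        "handshake_type": hs_type,
        "handshake_type_name": HANDSHAKE_TYPES.get(hs_type, "unknown"),
    }
    if hs_type == 1:
        info.update(parse_client_hello(hs_body))
    return info


def record_below_tls12(info: dict) -> bool:
    """Same test as the 'Show only <TLS1.2' filter: record version is SSL 3.0, TLS 1.0 or TLS 1.1."""
    return info["record_version"] in (0x0300, 0x0301, 0x0302)


def offers_pfs(suites) -> bool:
    """True if any offered (known) suite uses an ephemeral ECDHE or DHE key exchange."""
    names = [CIPHER_SUITES.get(s, "") for s in suites]
    return any("_ECDHE_" in n or "_DHE_" in n for n in names)


# Constructed samples: a TLS 1.2 ClientHello carried in a TLS 1.0 record
# (common for compatibility), and an empty ServerHelloDone.
SAMPLE_CLIENT_HELLO = build_client_hello(0x0303, [0xC02F, 0xC030, 0x002F])
SAMPLE_SERVER_HELLO_DONE = build_handshake_record(14, b"", 0x0303)

if __name__ == "__main__":
    for name, rec in (("ClientHello", SAMPLE_CLIENT_HELLO), ("ServerHelloDone", SAMPLE_SERVER_HELLO_DONE)):
        info = parse_record(rec)
        print(name, info)
        print("  matches '<TLS1.2' record filter:", record_below_tls12(info))
        if "cipher_suites" in info:
            print("  offers a PFS suite:", offers_pfs(info["cipher_suites"]))
```

The sample ClientHello shows why the post lists both ssl.record.version and ssl.handshake.version: many clients send their first ClientHello in a record stamped 0x0301 even when the handshake itself offers TLS 1.2, so the record-version filter alone will also pull in TLS 1.2 sessions. For ClientHello/ServerHello, filter on ssl.handshake.version; for the rest of the conversation the record version is what matters.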