Wireshark Filter for SSL Traffic

Useful Wireshark filter for analysis of SSL Traffic.

Client Hello:

ssl.handshake.type == 1

Server Hello:

ssl.handshake.type == 2


ssl.handshake.type == 4


ssl.handshake.type == 11


ssl.handshake.type == 13


ssl.handshake.type == 14

Note: “ServerHellpDone” means full-handshake TLS session.

Cipher Suites:


I found the below from Wiki.  All these SSL handshake message types ( I had included some of them in the above) can be used as wireshark filter as well.

Message types
Code Description
0 HelloRequest
1 ClientHello
2 ServerHello
4 NewSessionTicket
8 EncryptedExtensions (TLS 1.3 only)
11 Certificate
12 ServerKeyExchange
13 CertificateRequest
14 ServerHelloDone
15 CertificateVerify
16 ClientKeyExchange
20 Finished

Please note:

More and more deployment require more secure mechnism e.g.Perfect Forward Secrecy. To provide PFS, cipher suite need to leverage  Elliptic-curve Diffie–Hellman (ECDH) or Ephemeral Diffie-Hellman during the key exchange.  In those cases, we can’t use private key to de-encrypt the traffic.

2 thoughts on “Wireshark Filter for SSL Traffic

  1. Steven Monnelly

    (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)”
    tcpdump -ni eth0 “tcp port 443 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)”
    tcpdump -ni eth0 “tcp port 443 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)”

    tcpdump -ni eth0 “tcp port 443 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)”
    Now what does it do:

    eth0: is my network interface, change it if you need
    tcp port 443: I suppose this is the port your server is listening on, change it if you need
    tcp[((tcp[12] & 0xf0) >> 2)] = 0x16: a bit more tricky, let’s detail this below
    tcp[12] means capturing the 13th byte of the tcp packet, corresponding to first half being the offset, second half being reserved. The offset, once multiplied by 4 gives the byte count of the TCP header, meaning ((tcp[12] & 0xf0) >> 2) provides the size of the TCP header.

    The first byte of a TLS packet define the content type. The value 22 (0x16 in hexadecimal) has been defined as being “Handshake” content.

    As a consequence, tcp[((tcp[12] & 0xf0) >> 2)] = 0x16 captures every packet having the first byte after the TCP header set to 0x16.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s