Useful Wireshark filter for analysis of SSL Traffic.
Client Hello:
ssl.handshake.type == 1
Server Hello:
ssl.handshake.type == 2
NewSessionTicket:
ssl.handshake.type == 4
Certificate:
ssl.handshake.type == 11
CertificateRequest
ssl.handshake.type == 13
ServerHelloDone:
ssl.handshake.type == 14
Note: “ServerHellpDone” means full-handshake TLS session.
Cipher Suites:
ssl.handshake.ciphersuite
I found the below from Wiki. All these SSL handshake message types ( I had included some of them in the above) can be used as wireshark filter as well.
| Message types | |
|---|---|
| Code | Description |
| 0 | HelloRequest |
| 1 | ClientHello |
| 2 | ServerHello |
| 4 | NewSessionTicket |
| 8 | EncryptedExtensions (TLS 1.3 only) |
| 11 | Certificate |
| 12 | ServerKeyExchange |
| 13 | CertificateRequest |
| 14 | ServerHelloDone |
| 15 | CertificateVerify |
| 16 | ClientKeyExchange |
| 20 | Finished |
Please note:
More and more deployment require more secure mechnism e.g.Perfect Forward Secrecy. To provide PFS, cipher suite need to leverage Elliptic-curve Diffie–Hellman (ECDH) or Ephemeral Diffie-Hellman during the key exchange. In those cases, we can’t use private key to de-encrypt the traffic.
InsidePacket 
(tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)”
tcpdump -ni eth0 “tcp port 443 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)”
tcpdump -ni eth0 “tcp port 443 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)”
tcpdump -ni eth0 “tcp port 443 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)”
Now what does it do:
eth0: is my network interface, change it if you need
tcp port 443: I suppose this is the port your server is listening on, change it if you need
tcp[((tcp[12] & 0xf0) >> 2)] = 0x16: a bit more tricky, let’s detail this below
tcp[12] means capturing the 13th byte of the tcp packet, corresponding to first half being the offset, second half being reserved. The offset, once multiplied by 4 gives the byte count of the TCP header, meaning ((tcp[12] & 0xf0) >> 2) provides the size of the TCP header.
The first byte of a TLS packet define the content type. The value 22 (0x16 in hexadecimal) has been defined as being “Handshake” content.
As a consequence, tcp[((tcp[12] & 0xf0) >> 2)] = 0x16 captures every packet having the first byte after the TCP header set to 0x16.
LikeLike
Hi Steven, thank you very much for sharing!
LikeLike
Thanks!
LikeLike
ssl is now depricated, use tls (tls.handshake.type” etc).
LikeLike