Useful Wireshark filter for analysis of SSL Traffic.
Client Hello:
ssl.handshake.type == 1
Server Hello:
ssl.handshake.type == 2
NewSessionTicket:
ssl.handshake.type == 4
Certificate:
ssl.handshake.type == 11
CertificateRequest
ssl.handshake.type == 13
ServerHelloDone:
ssl.handshake.type == 14
Note: “ServerHellpDone” means full-handshake TLS session.
Cipher Suites:
ssl.handshake.ciphersuite
I found the below from Wiki. All these SSL handshake message types ( I had included some of them in the above) can be used as wireshark filter as well.
| Message types | |
|---|---|
| Code | Description |
| 0 | HelloRequest |
| 1 | ClientHello |
| 2 | ServerHello |
| 4 | NewSessionTicket |
| 8 | EncryptedExtensions (TLS 1.3 only) |
| 11 | Certificate |
| 12 | ServerKeyExchange |
| 13 | CertificateRequest |
| 14 | ServerHelloDone |
| 15 | CertificateVerify |
| 16 | ClientKeyExchange |
| 20 | Finished |
Please note:
More and more deployment require more secure mechnism e.g.Perfect Forward Secrecy. To provide PFS, cipher suite need to leverage Elliptic-curve Diffie–Hellman (ECDH) or Ephemeral Diffie-Hellman during the key exchange. In those cases, we can’t use private key to de-encrypt the traffic.
(tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)”
tcpdump -ni eth0 “tcp port 443 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)”
tcpdump -ni eth0 “tcp port 443 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)”
tcpdump -ni eth0 “tcp port 443 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)”
Now what does it do:
eth0: is my network interface, change it if you need
tcp port 443: I suppose this is the port your server is listening on, change it if you need
tcp[((tcp[12] & 0xf0) >> 2)] = 0x16: a bit more tricky, let’s detail this below
tcp[12] means capturing the 13th byte of the tcp packet, corresponding to first half being the offset, second half being reserved. The offset, once multiplied by 4 gives the byte count of the TCP header, meaning ((tcp[12] & 0xf0) >> 2) provides the size of the TCP header.
The first byte of a TLS packet define the content type. The value 22 (0x16 in hexadecimal) has been defined as being “Handshake” content.
As a consequence, tcp[((tcp[12] & 0xf0) >> 2)] = 0x16 captures every packet having the first byte after the TCP header set to 0x16.
LikeLike
Hi Steven, thank you very much for sharing!
LikeLike