This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

What is a capture filter to capture SSLv3 traffic only? I know the display filter is ssl.record.version==0x0300.

asked 16 Nov '15, 08:26

patrickwill

Can you please try this:

tcp[((tcp[12]>>4)*4)+9:2]=0x0300

HINT: As capture filters work at the frame level, this capture filter will only capture the frame with the SSLv3 handshake. No more, no less. If you want to capture the whole SSLv3 session, there is no simple capture filter for that. The only option would be to capture everything on port 443, later filter for connections with an SSLv3 handshake in tshark to get the TCP stream number, and then filter for that TCP stream number in a second step (with scripting).

Regards
Kurt

answered 16 Nov '15, 12:24

Kurt Knochner ♦
Thanks Kurt, it worked perfectly.

(17 Nov '15, 05:15) patrickwill

good!

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. For extra points you can up vote the answer (thumb up).

(17 Nov '15, 05:25) Kurt Knochner ♦
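
Added example, not part of the original thread: the byte arithmetic of the capture filter above, replayed in Python over constructed TCP segments to show which field it reads. The function names, ports and sample segments are assumptions made up for illustration.

```python
import struct

def build_segment(record_version, hello_version, tcp_options=b""):
    """Constructed TCP header plus the start of a ClientHello (not captured traffic)."""
    data_offset = (20 + len(tcp_options)) // 4      # header length in 32-bit words
    tcp_header = struct.pack("!HHIIBBHHH", 49152, 443, 1, 1,
                             data_offset << 4, 0x18, 65535, 0, 0) + tcp_options
    # client_version, 32-byte random, empty session id, one cipher suite, null compression
    body = struct.pack("!H", hello_version) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    record = struct.pack("!BHH", 0x16, record_version, len(handshake)) + handshake
    return tcp_header + record

def capture_filter_matches(tcp, want=0x0300):
    """Same arithmetic as tcp[((tcp[12]>>4)*4)+9:2]=0x0300 on one TCP segment."""
    payload = (tcp[12] >> 4) * 4                    # skip the TCP header, options included
    field = tcp[payload + 9:payload + 11]
    # A load past the end of the packet makes a BPF filter reject it.
    return len(field) == 2 and int.from_bytes(field, "big") == want

def fields(tcp):
    """Name the bytes around the one the filter reads."""
    p = tcp[(tcp[12] >> 4) * 4:]
    return {"content_type": p[0],
            "record_version": int.from_bytes(p[1:3], "big"),   # ssl.record.version
            "handshake_type": p[5],
            "hello_version": int.from_bytes(p[9:11], "big")}   # payload offset 9

if __name__ == "__main__":
    nop_options = b"\x01" * 12                      # constructed TCP options (NOPs)
    for name, seg in [("SSLv3 hello", build_segment(0x0300, 0x0300)),
                      ("SSLv3 hello, 12 option bytes", build_segment(0x0300, 0x0300, nop_options)),
                      ("record 3.0, hello TLS 1.2", build_segment(0x0300, 0x0303)),
                      ("bare ACK", build_segment(0x0300, 0x0300)[:20])]:
        print(f"{name:30} match={capture_filter_matches(seg)}")
```

The third case shows that the capture filter tests the version inside the hello message at payload offset 9, while ssl.record.version reads the record header at offset 1, so the two can disagree on the same frame.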