This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

sslv3 capture filter

0

What is a capture filter to capture SSLv3 traffic only? I know the display filter is ssl.record.version==0x0300.

asked 16 Nov '15, 08:26

patrickwill


One Answer:

0

Can you please try this:

tcp[((tcp[12]>>4)*4)+9:2]=0x0300

HINT: As capture filters work at the frame level, this capture filter will only capture the frame with the SSLv3 handshake. No more, no less. If you want to capture the whole SSLv3 session, there is no simple capture filter for that. The only option would be to capture everything on port 443 and later filter for connections with an SSLv3 handshake in tshark to get the TCP stream number, and then you can filter for that TCP stream number in a second step (with scripting).

Regards
Kurt

answered 16 Nov '15, 12:24

Kurt Knochner ♦

Thanks Kurt, it worked perfectly.

(17 Nov '15, 05:15) patrickwill

Good!

Hint: If a supplied answer resolves your question, can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. For extra points you can upvote the answer (thumb up).

(17 Nov '15, 05:25) Kurt Knochner ♦
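
Added example, not part of the original thread: the offset arithmetic of the capture filter from the answer, and the two-pass session selection it describes, run over constructed TCP segments. The helper names, addresses and packet bytes are assumptions made for the illustration.

```python
import struct

def tcp_segment(sport, dport, payload, options=b""):
    """Constructed TCP header (checksum left 0) + payload; options 4-byte aligned."""
    data_offset = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset << 4, 0x18, 8192, 0, 0)
    return hdr + options + payload

def hello(version, record_version=0x0300):
    """Constructed, truncated ClientHello: record hdr, handshake hdr, client_version."""
    body = struct.pack("!H", version) + bytes(32)        # client_version + random
    hs = b"\x01" + len(body).to_bytes(3, "big") + body    # type 1 + 3-byte length
    return b"\x16" + struct.pack("!HH", record_version, len(hs)) + hs

def bpf_match(seg):
    """Same arithmetic as tcp[((tcp[12]>>4)*4)+9:2]=0x0300."""
    # TCP header length, then 5 bytes record header + 4 bytes handshake header
    off = (seg[12] >> 4) * 4 + 9
    return len(seg) >= off + 2 and seg[off:off + 2] == b"\x03\x00"

def flow(pkt):
    """Direction-independent key for one TCP connection."""
    src, dst, seg = pkt
    sport, dport = struct.unpack("!HH", seg[:4])
    return frozenset([(src, sport), (dst, dport)])

def sslv3_sessions(packets):
    """Pass 1: flows whose hello matched. Pass 2: every packet of those flows."""
    wanted = {flow(p) for p in packets if bpf_match(p[2])}
    return [p for p in packets if flow(p) in wanted]

# Constructed sample traffic: one SSLv3 session (hello sent with 12 bytes of
# TCP options) and one session whose hello carries version 0x0303.
OPTS = b"\x01" * 12
PACKETS = [
    ("10.0.0.1", "10.0.0.9", tcp_segment(40000, 443, hello(0x0300), OPTS)),
    ("10.0.0.9", "10.0.0.1", tcp_segment(443, 40000, b"\x17\x03\x00\x00\x02hi")),
    ("10.0.0.2", "10.0.0.9", tcp_segment(40001, 443, hello(0x0303, 0x0301))),
    ("10.0.0.9", "10.0.0.2", tcp_segment(443, 40001, b"\x17\x03\x03\x00\x02hi")),
]
```

Only the first packet satisfies the filter on its own; the second belongs to the same session and is recovered only by the second pass, which is why the answer suggests capturing everything on port 443 first.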