This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SSL and TLS v2 are both supported protocols, but I cannot create a packet colorization rule to highlight either of these. Is there an update to fix this, or is it not possible?

asked 17 Feb '16, 07:58

banjoguru's gravatar image

banjoguru
6112
accept rate: 0%

How are you attempting to add colorization? What version are you using? I just tried adding a coloring rule for "ssl" and it worked just fine.

(19 Feb '16, 06:42) JeffMorriss ♦

If the question is about how to use a coloring rule that indicates whether an SSL Record is SSL3.0 vs. TLS (1.0 1.1 1.2) these filters might do what you're seeking (even if wireshark has not recognized the data as SSL)

They will check whether the first data bytes after the TCP header (and after timestamp options if they exist) are x1403vv x1503vv x1603vv or x1703vv
If vv is 00 then chances are good that this is a SSLv30 record If vv is between 1 and 3 it "might" be a TLS1.0, TLS1.1 or TLS1.2 record

(tcp[12,21]==5003 && tcp[20]>13&&tcp[20]<18&& tcp[22]<1)||((tcp[12,33]==8003 && tcp[32]>13 && tcp[32]<18 && tcp[34]<1))

(tcp[12,21]==5003 && tcp[20]>13&&tcp[20]<18&& tcp[22]<4)||((tcp[12,33]==8003 && tcp[32]>13 && tcp[32]<18 && tcp[34]<4))

alt text

Hope this answers (part of) your question.

Regards Matthias

permanent link

answered 20 Feb '16, 11:51

mrEEde's gravatar image

mrEEde
3.9k152270
accept rate: 20%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×319
×75
×1

question asked: 17 Feb '16, 07:58

question was seen: 1,650 times

last updated: 20 Feb '16, 11:51

p​o​w​e​r​e​d by O​S​Q​A