This is a static archive of our old Q&A Site. Please post any new questions and answers at

SSL Packet Colorization


SSL and TLS v2 are both supported protocols, but I cannot create a packet colorization rule to highlight either of these. Is there an update to fix this, or is it not possible?

asked 17 Feb '16, 07:58

banjoguru's gravatar image

accept rate: 0%

How are you attempting to add colorization? What version are you using? I just tried adding a coloring rule for "ssl" and it worked just fine.

(19 Feb '16, 06:42) JeffMorriss ♦

One Answer:


If the question is about how to use a coloring rule that indicates whether an SSL Record is SSL3.0 vs. TLS (1.0 1.1 1.2) these filters might do what you're seeking (even if wireshark has not recognized the data as SSL)

They will check whether the first data bytes after the TCP header (and after timestamp options if they exist) are x1403vv x1503vv x1603vv or x1703vv
If vv is 00 then chances are good that this is a SSLv30 record If vv is between 1 and 3 it "might" be a TLS1.0, TLS1.1 or TLS1.2 record

(tcp[12,21]==5003 && tcp[20]>13&&tcp[20]<18&& tcp[22]<1)||((tcp[12,33]==8003 && tcp[32]>13 && tcp[32]<18 && tcp[34]<1))

(tcp[12,21]==5003 && tcp[20]>13&&tcp[20]<18&& tcp[22]<4)||((tcp[12,33]==8003 && tcp[32]>13 && tcp[32]<18 && tcp[34]<4))

alt text

Hope this answers (part of) your question.

Regards Matthias

answered 20 Feb '16, 11:51

mrEEde's gravatar image

accept rate: 20%