This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Filter SSLv 3.0 traffic

0

Is there any way we can filter only SSLv3.0 traffic from a capture?

asked 20 Mar '17, 14:46


WireSharrkUser
accept rate: 0%


One Answer:

1

It's a bit more complicated than usual to do this, because you need to do it in two steps. First, you need to find all conversations that use SSLv3, gathering their tcp stream indexes. In a second run, filter those away (or everything else, depending on what you mean by "filter only SSLv3").

Example, filtering on handshakes (content_type 22) from the server (handshake type 2) and SSL version 3 (version 0x0300):

tshark -r demo.pcapng -Y "ssl and ssl.record.content_type == 22 and ssl.handshake.type == 2 and ssl.record.version == 0x0300" -Tfields -e tcp.stream
7672
10374
10858
11509

Second, run tshark again (or use Wireshark to load your pcap), and filter on the stream indexes:

tcp.stream==7672 or tcp.stream==10374 or tcp.stream==10858 or tcp.stream==11509

If you don't want to see the SSLv3 flows, negate the filter:

not (tcp.stream==7672 or tcp.stream==10374 or tcp.stream==10858 or tcp.stream==11509)

answered 20 Mar '17, 15:34


Jasper ♦♦
accept rate: 18%
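The two passes in the answer above can be scripted so that the stream-index list is never copied by hand. The following is an added example, not part of the original answer: a POSIX sh script that runs the first tshark pass, turns the resulting tcp.stream indexes into the "tcp.stream==A or tcp.stream==B ..." display filter (optionally negated), and runs the second pass, writing the matching packets to a new capture. It assumes tshark is on PATH, that the capture is the hypothetical demo.pcapng from the answer, and that the ssl.* field names of the answer's Wireshark version apply (Wireshark 3.0 and later expose the same fields under the tls.* prefix, so adjust the filter for your version). The index list fed to the filter builder in the usage section is constructed to match the answer's output.

```shell
#!/bin/sh
# Added example (not code from the original answer). Assumes tshark is installed
# and that the capture file name given on the command line exists.

# Pass 1: print the tcp.stream index of every SSLv3 ServerHello, one per line,
# deduplicated (a stream that renegotiates or retransmits would otherwise
# appear more than once). Field names follow the original answer (ssl.*);
# Wireshark 3.0+ names them tls.* instead.
sslv3_streams() {
    tshark -r "$1" \
        -Y 'ssl and ssl.record.content_type == 22 and ssl.handshake.type == 2 and ssl.record.version == 0x0300' \
        -T fields -e tcp.stream | sort -n -u
}

# Build the display filter from newline-separated stream indexes on stdin.
# usage: build_stream_filter [negate] < indexes
# Prints "tcp.stream==A or tcp.stream==B ..." (wrapped in "not ( ... )" when
# the first argument is "negate"). Blank or non-numeric lines are skipped, and
# an empty index list yields no output and a non-zero exit, so the caller
# never runs tshark with an empty or malformed filter.
build_stream_filter() {
    filter=""
    while IFS= read -r idx; do
        case "$idx" in
            ""|*[!0-9]*) continue ;;   # skip empty lines and anything that is not an integer
        esac
        if [ -z "$filter" ]; then
            filter="tcp.stream==$idx"
        else
            filter="$filter or tcp.stream==$idx"
        fi
    done
    if [ -z "$filter" ]; then
        return 1
    fi
    if [ "$1" = "negate" ]; then
        printf 'not (%s)\n' "$filter"
    else
        printf '%s\n' "$filter"
    fi
}

# Pass 2: apply the generated filter to the same capture and write the
# selected packets to a new file.
# usage: filter_sslv3 capture.pcapng output.pcapng [negate]
filter_sslv3() {
    f=$(sslv3_streams "$1" | build_stream_filter "$3") || {
        echo "no SSLv3 ServerHello found in $1" >&2
        return 1
    }
    echo "applying filter: $f" >&2
    tshark -r "$1" -Y "$f" -w "$2"
}

# Stand-alone usage: ./sslv3_streams.sh demo.pcapng sslv3_only.pcapng
#                    ./sslv3_streams.sh demo.pcapng no_sslv3.pcapng negate
# The check on tshark keeps the script harmless when sourced for its functions.
if [ -n "$1" ] && [ -n "$2" ] && command -v tshark >/dev/null 2>&1; then
    filter_sslv3 "$1" "$2" "$3"
fi
```

Running it on the answer's capture produces the same filter the answer shows. The negated variant is the right choice when the goal is a capture with the SSLv3 conversations stripped out; note that both variants key on the ServerHello, so a stream in which the client offered SSLv3 but the server answered with a newer version (or closed the connection) is not selected.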