
Is there any way we can filter only SSLv3.0 traffic from a capture?

asked 20 Mar '17, 14:46

WireSharrkUser

It's a bit more complicated than usual to do this, because you need to do it in two steps. First, you need to find all conversations that use SSLv3, gathering their tcp stream indexes. In a second run, filter those away (or everything else, depending on what you mean by "filter only SSLv3").

Example, filtering on Handshakes (content_type 22) from the server (handshake type 2) and SSL version 3 (version 0x0300):

tshark -r demo.pcapng -Y "ssl and ssl.record.content_type == 22 and ssl.handshake.type == 2 and ssl.record.version == 0x0300" -Tfields -e

Second, run tshark again (or use Wireshark to load your pcap), and filter on the stream indexes: or or or

If you don't want to see the SSLv3 flows, negate the filter:

not ( or or or

answered 20 Mar '17, 15:34


Jasper ♦♦
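
The two passes described in the answer above, as an added example that is not part of the original post: it turns the stream indexes from the first pass into the "or" filter for the second pass and into its negated form. The function names and the sample indexes are constructed, and the use of tcp.stream as the stream index field is an assumption.

```bash
#!/usr/bin/env bash
# Added example (not from the original answer): build the second-pass filter.

# Pass-1 display filter, copied from the answer: ServerHello records with SSLv3.
# Wireshark 3.0 and later name these fields tls.* instead of ssl.*.
SSLV3_FILTER='ssl and ssl.record.content_type == 22 and ssl.handshake.type == 2 and ssl.record.version == 0x0300'

# Pass 1: print the stream index of every matching packet in capture $1.
# Assumption: tcp.stream is the field that carries the stream index.
sslv3_streams() {
    tshark -r "$1" -Y "$SSLV3_FILTER" -T fields -e tcp.stream
}

# Read stream indexes (one per line) on stdin and print
# "tcp.stream==A or tcp.stream==B ...". Blank or non-numeric lines are
# dropped and duplicates collapse, since one stream can match more than once.
build_stream_filter() {
    awk '/^[0-9]+$/' | sort -n -u | awk '
        { printf "%stcp.stream==%s", (NR > 1 ? " or " : ""), $1 }
        END { if (NR) print "" }'
}

# Wrap a filter in not (...) to hide the SSLv3 flows instead of selecting them.
# An empty filter means pass 1 found no SSLv3 stream, so nothing is printed.
negate_filter() {
    if [ -n "$1" ]; then printf 'not (%s)\n' "$1"; fi
}

# Constructed sample of pass-1 output: stream 7 matched twice, one blank line.
SAMPLE_STREAMS='7
2

7
15'

# For a real capture: only=$(sslv3_streams demo.pcapng | build_stream_filter)
only=$(printf '%s\n' "$SAMPLE_STREAMS" | build_stream_filter)
echo "only SSLv3:    $only"
echo "without SSLv3: $(negate_filter "$only")"
```

If the first filter prints nothing, the capture has no SSLv3 ServerHello, and an empty "only SSLv3" filter should be read as "no matching streams", not pasted into Wireshark where an empty filter shows everything.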
