This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TLS and RC4

0

Good afternoon, I need to filter from the capture that I have made only the IPs that use TLS and RC4 as an algorithm. When I want to filter through Cipher Suite it brings me as a result IPs that have many more algorithms and what I need to know is specifically where the connection was established.

Thank you

asked 26 Oct '17, 11:08

lsalazar's gravatar image

lsalazar
6112
accept rate: 0%

One Answer:

0

Others may have something better; you could use the following display filter:

ssl.handshake.version >= 0x301 and ssl contains "rc4"

Value 0x301 and above covers TLS 1.0 - 1.3

answered 26 Oct '17, 12:31

Papa%20Packet's gravatar image

Papa Packet
63
accept rate: 0%

edited 26 Oct '17, 12:33

HI thnks! but I can not filter what are the connections that were really established with the server and the reason for those that did not :-(

(30 Oct '17, 07:45) lsalazar

Your answer has been converted to a comment as that's how this site works. Please read the FAQ for more information.

(30 Oct '17, 23:17) Jaap ♦