This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Good afternoon, I need to filter from the capture that I have made only the IPs that use TLS and RC4 as an algorithm. When I want to filter through Cipher Suite it brings me as a result IPs that have many more algorithms and what I need to know is specifically where the connection was established.

Thank you

asked 26 Oct '17, 11:08

lsalazar's gravatar image

lsalazar
6112
accept rate: 0%


Others may have something better; you could use the following display filter:

ssl.handshake.version >= 0x301 and ssl contains "rc4"

Value 0x301 and above covers TLS 1.0 - 1.3

permanent link

answered 26 Oct '17, 12:31

Papa%20Packet's gravatar image

Papa Packet
63
accept rate: 0%

edited 26 Oct '17, 12:33

HI thnks! but I can not filter what are the connections that were really established with the server and the reason for those that did not :-(

(30 Oct '17, 07:45) lsalazar

Your answer has been converted to a comment as that's how this site works. Please read the FAQ for more information.

(30 Oct '17, 23:17) Jaap ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×75
×1

question asked: 26 Oct '17, 11:08

question was seen: 908 times

last updated: 30 Oct '17, 23:17

p​o​w​e​r​e​d by O​S​Q​A