Filter TLS 1.3 traffic in Wireshark
Is there a simple way to filter TLS 1.3 packets in Wireshark?

tls.record.version will not work because it usually contains a value of 0x0303 (TLS 1.2).

I assume that Wireshark recognizes TLS 1.3 by looking at the SupportedVersions extension in ServerHello messages, if the version is 0x0304 (TLS 1.3) it probably applies the protocol for the whole TLS flow.

TLSv1.3 is displayed in the "Protocol" column but I'm not sure which display filter to apply to filter these packets.


Viscometer answered 30/9, 2020 at 6:50 Comment(0)

There is no easy filter for TLSv1.3 given that TLSv1.3 tries to masquerade as TLSv1.2 for compatibility reasons.

Current as of 2020-10-05 (Wireshark may add this at some point)

Wireshark

In Wireshark, you can follow this TLSv1.3 stream by right clicking on a packet in the stream and then adding && tls to see only TLSv1.3 packets in the stream (tcp packets will show up in the stream). Together, this should be something like tcp stream eq 0 && tls.

Following stream

tshark

You can find this display filter easily with this bash script:

#!/bin/bash
# Collect the tcp.stream numbers of sessions whose TLS handshake
# carries supported_version 0x0304 (TLS 1.3).
filename=YOUR_PCAP.pcap
tcp_streams="$(tshark -r "$filename" -T fields -e tcp.stream \
  -Y 'tls.handshake.extensions.supported_version == 0x0304' | sort -n -u)"

# Build "tls && (tcp.stream eq A || tcp.stream eq B || ...)".
display_filter="tls && ("
first_stream="true"
for s in $tcp_streams; do
  if [ "$first_stream" = "true" ]; then
    first_stream="false"
  else
    display_filter+=" || "
  fi
  display_filter+="tcp.stream eq $s"
done

display_filter+=")"
printf 'Display filter for TLSv1.3:\n%s\n' "$display_filter"

Here, we

  • Get a sorted list of TLSv1.3 stream numbers
  • Iterate over those streams so that the display filter will look like
    tls && ($stream1 || $stream2 || ...)

Creating your own Display Filter with Lua

Per the same question asked on Wireshark forums, there is a lua script that will do the same legwork as this bash script. This is a part of Wireshark documentation and is provided as example code which you could modify to your needs.

Eth answered 30/9, 2020 at 8:21 Comment(11)
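As an added example (not part of the answer above), the same stream-collecting idea as a reusable script; it additionally restricts the tshark query to ServerHello messages (tls.handshake.type == 2), on the assumption that a ClientHello also lists 0x0304 among its offered versions even when the server then settles on TLS 1.2, which would otherwise pull TLS 1.2 sessions into the filter. The pcap path and function names are mine, not the page's.

```shell
#!/bin/bash
# Added example: build "tls && (tcp.stream eq N || ...)" for every
# session whose ServerHello selects TLS 1.3. Not code from the answer.
set -euo pipefail

# Only the ServerHello's supported_versions carries the *selected*
# version, so matching 0x0304 there identifies a real TLS 1.3 session.
tls13_server_hello_filter='tls.handshake.type == 2 && tls.handshake.extensions.supported_version == 0x0304'

# Print the unique tcp.stream numbers of TLS 1.3 sessions in a pcap,
# one per line, numerically sorted (requires tshark on PATH).
tls13_stream_ids() {
  local pcap="$1"
  tshark -r "$pcap" -T fields -e tcp.stream -Y "$tls13_server_hello_filter" \
    | sort -n -u
}

# Turn a whitespace- or newline-separated list of stream numbers into a
# Wireshark display filter. Returns non-zero and prints nothing for an
# empty list, so a caller never gets the broken filter "tls && ()".
build_tls13_filter() {
  local ids="$1" filter="" id
  for id in $ids; do
    [ -n "$filter" ] && filter+=" || "
    filter+="tcp.stream eq $id"
  done
  [ -n "$filter" ] || return 1
  printf 'tls && (%s)\n' "$filter"
}

# Usage: ./tls13_filter.sh capture.pcap   (hypothetical file name)
if [ "$#" -ge 1 ]; then
  ids="$(tls13_stream_ids "$1")"
  build_tls13_filter "$ids" || echo "no TLS 1.3 sessions found in $1" >&2
fi
```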
Thanks for your answer. The method you suggest filters packets within a specific stream, but my question was how to filter all TLS 1.3 packets in a pcap file. - Viscometer
Your question was which display filter to use. You can iterate with this method to get the display filter you need. With tshark, this would be automatic, and then write the file for your purposes. - Eth
To my knowledge, wireshark marks packets in a TLSv1.3 stream in this way. - Eth
With tshark it might be easier to iterate, but with Wireshark it'd be more difficult, especially with large pcap files that have many streams. - Viscometer
I've gone ahead and converted the tshark idea into a script which will generate your display filter. You can always try the wireshark forums where Lekensteyn (Peter Wu), who wrote this feature, may be able to provide a more definitive answer. - Eth
Thanks, I've posted a question in the forum: ask.wireshark.org/question/19163/… - Viscometer
@Viscometer I've added the link to the lua solution as well. If you think this answers your question (insofar as this display filter does not exist), please mark it as such. - Eth
Thanks @ross-jacobs, the Lua solution is exactly what I was looking for. Thanks for adding it here. Maybe you can edit your response and put it first? I think this is the most straightforward option. - Viscometer
Per your question on wireshark forums, lua scripts are generally not shipped with Wireshark. - Eth
Yes, I understand. But I think it's a much needed feature, so maybe they can find some other way to ship it with Wireshark. - Viscometer
Would you consider editing your answer and putting the Lua option first? I think it's the most straightforward option out of the 3 you suggested, so people may find it useful. - Viscometer
