Filtering on ServerHello TLS 1.0 negotiations

  • Question

  • Hi Everyone,

    What am I doing wrong using the following filter? I'm trying to find all client hellos with "registration" that are negotiating a TLS 1.0 ServerHello.

    E.g.

    ContainsBin(FrameData, ASCII, "registration") and tls.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ServerHello.Version.Minor == 0x1

    Nothing is returned despite there being plenty of client hellos with "registration".

    Thanks

    Thursday, September 5, 2019 2:30 AM

All replies

  • Hi DoJu,

    Have you checked TLS negotiation and capture packets?

    You can refer to this to check.

    Also, you can refer to how to capture TLS packets.

    Other posts for your reference:

    https://superuser.com/questions/538130/filter-in-wireshark-for-tlss-server-name-indication-field

    https://ask.wireshark.org/question/647/capture-filters-ssl-handshake-or-hex/

    Best regards,

    Strive


    MSDN Community Support

    Thursday, September 5, 2019 8:19 AM
  • Hello DoJu,

    It might be a trivial observation, but your free-hand text refers to client hellos and the Network Monitor filter expression refers to a server hello version number field.

    A similar expression (with different text and using ClientHello rather than ServerHello) works for me. The filter expressions always apply to single packets, without regard to other packets (even in the same TCP connection); one cannot create a filter that refers to the text (SNI?) in some earlier packet (e.g. the client hello) and a version number in some later packet (e.g. the server hello).

    Gary



    Thursday, September 5, 2019 9:54 AM
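Gary's point that a Network Monitor filter only ever sees one packet can be worked around offline: group the hellos by connection first, then apply both conditions to the pair. The following Python script is an added example, not code from the thread or from Network Monitor; the flow keys, the hand-built hello records and the helper names (`_hello`, `_sni`) are constructed for the demo, and it assumes each TCP payload carries exactly one hello record.

```python
import struct

HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 22, 1, 2          # record type, handshake types

def parse_hello(payload):
    """(hello_type, (major, minor)) for a ClientHello/ServerHello record, else None."""
    if len(payload) < 11 or payload[0] != HANDSHAKE or payload[5] not in (CLIENT_HELLO, SERVER_HELLO):
        return None
    return payload[5], (payload[9], payload[10])       # (3, 1) is TLS 1.0

def find_tls10_flows(packets, needle):
    """packets: iterable of (flow_key, tcp_payload), one hello per packet.
    Match = ClientHello bytes contain `needle` (the question's ContainsBin
    test) AND the same flow's ServerHello chose TLS 1.0."""
    flows = {}
    for key, payload in packets:
        hello = parse_hello(payload)
        if hello:
            flows.setdefault(key, {})[hello[0]] = (hello[1], payload)
    return [key for key, h in flows.items()
            if CLIENT_HELLO in h and SERVER_HELLO in h
            and needle in h[CLIENT_HELLO][1] and h[SERVER_HELLO][0] == (3, 1)]

def _hello(hs_type, version, exts=b''):
    """Minimal syntactically valid hello record (constructed test data only)."""
    body = bytes(version) + bytes(32) + b'\x00'            # version, random, empty session_id
    body += b'\x00\x02\x00\x2f\x01\x00' if hs_type == CLIENT_HELLO else b'\x00\x2f\x00'
    body += struct.pack('!H', len(exts)) + exts
    hs = bytes([hs_type]) + len(body).to_bytes(3, 'big') + body
    return bytes([HANDSHAKE, 3, 1]) + struct.pack('!H', len(hs)) + hs

def _sni(host):
    """server_name extension (type 0) carrying one host_name entry."""
    name = host.encode()
    entry = b'\x00' + struct.pack('!H', len(name)) + name
    data = struct.pack('!H', len(entry)) + entry
    return struct.pack('!HH', 0, len(data)) + data

# Constructed sample capture: three connections keyed by (client IP, client port).
SAMPLE = [
    (('10.0.0.5', 51000), _hello(CLIENT_HELLO, (3, 3), _sni('registration.example.com'))),
    (('10.0.0.5', 51000), _hello(SERVER_HELLO, (3, 1))),   # server picked TLS 1.0
    (('10.0.0.5', 51001), _hello(CLIENT_HELLO, (3, 3), _sni('login.example.com'))),
    (('10.0.0.5', 51001), _hello(SERVER_HELLO, (3, 1))),   # TLS 1.0 but no "registration"
    (('10.0.0.5', 51002), _hello(CLIENT_HELLO, (3, 3), _sni('registration.example.com'))),
    (('10.0.0.5', 51002), _hello(SERVER_HELLO, (3, 3))),   # TLS 1.2, not a match
]

print(find_tls10_flows(SAMPLE, b'registration'))   # [('10.0.0.5', 51000)]
```

The ServerHello version field is the negotiated version only up to TLS 1.2; a TLS 1.3 server puts 0x0303 there and signals 1.3 in the supported_versions extension, so a capture that includes TLS 1.3 traffic needs that extension parsed as well.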