22

What would the filter expression be to just select the protocols where the protocol = TLSV1? Something obvious like `protocol == "TLSV1"` or `TCP.protocol == "TLSV1"` is apparently not the right way.

`ip.proto == "TLSV1"` says "ip.proto cannot accept strings as values"

Update - additional tips:

Another great but hidden search is on PacketLength: you can add packet length to your display by clicking "Edit Preferences" (menu or icon) and adding PacketLength as a new column, but to filter on it you have to use the more cryptic `frame.len == ###`, where ### is your desired number. We were using this to determine how many packets had been sent and/or received; when you filter, the status bar at the bottom of the screen shows the number of items matching the filter.

NealWalters

1 Answer

32

ssl.record.version == 0x0301

That tells Wireshark to only display packets that are SSL conversations using TLS semantics.

sysadmin1138
  • Wow, thanks! Seems like one could filter on the words on the screen instead of the crypto codes. – NealWalters Dec 28 '10 at 21:45
  • "ip.proto == 6" was somewhat close to what I wanted (but gives SMB and TCP as well as TLSV1) – NealWalters Dec 28 '10 at 21:47
  • 2
    "ip.proto" refers to the "Protocol" field in the IP header: http://www.wireshark.org/docs/dfref/i/ip.html. "ip.proto == 6" means "Any TCP packet carried over IPv4". Most of Wireshark's display filters correspond to a numeric value in a given protocol header. – Gerald Combs Dec 29 '10 at 00:39
  • @Gerald is right. IP Protocol Number is nothing like TCP Port number, which is why it said "ip.proto cannot accept strings." http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers – mfinni Dec 29 '10 at 01:02
  • 8
    FYI: Version values (dec / hex): SSL 3.0 = 3,0 / 0x0300; TLS 1.0 = 3,1 / 0x0301; TLS 1.1 = 3,2 / 0x0302; TLS 1.2 = 3,3 / 0x0303 – Jay D Oct 19 '15 at 23:50
  • source : http://blog.fourthbit.com/2014/12/23/traffic-analysis-of-an-ssl-slash-tls-session – Jay D Oct 19 '15 at 23:51
  • 4
    I think this answer should really be `ssl.handshake.version` instead of `ssl.record.version`. There's a difference between the TLS Record and TLS Handshake layers – Unglued Feb 13 '18 at 20:31
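
The difference between the record-layer version and the handshake version raised in the comments above, shown as an added example (not part of the original posts): a small Python parser that reads both fields from raw TLS bytes. The sample bytes are constructed, the helper names `parse_records`, `matches` and `record` are hypothetical, and it assumes each hello message sits unfragmented at the start of its record.

```python
import struct

# Wire values from the version table in the comments above.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HANDSHAKE = 22  # record content type for handshake messages


def parse_records(stream):
    """Return [(record_version, hello_version or None), ...] for a TLS byte stream."""
    out, off = [], 0
    while off + 5 <= len(stream):
        # Record header: content type (1), version (2), length (2).
        ctype, rec_ver, length = struct.unpack_from("!BHH", stream, off)
        body = stream[off + 5: off + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record at offset %d" % off)
        hello_ver = None
        # ClientHello (1) / ServerHello (2) carry their own version right
        # after the 4-byte handshake header (type + 24-bit length).
        if ctype == HANDSHAKE and len(body) >= 6 and body[0] in (1, 2):
            hello_ver = struct.unpack_from("!H", body, 4)[0]
        out.append((rec_ver, hello_ver))
        off += 5 + length
    return out


def matches(stream, layer, version):
    """Indices of records whose 'record' or 'handshake' version equals version."""
    col = 0 if layer == "record" else 1
    return [i for i, rec in enumerate(parse_records(stream)) if rec[col] == version]


def record(ctype, version, body):
    """Build one TLS record (used only to construct the sample below)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


# Constructed sample: a ClientHello sent in a record marked 0x0301 whose
# hello version is 0x0303, then an application-data record marked 0x0303.
_hello = struct.pack("!H", 0x0303) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
SAMPLE = (record(HANDSHAKE, 0x0301, b"\x01" + len(_hello).to_bytes(3, "big") + _hello)
          + record(23, 0x0303, bytes(16)))

if __name__ == "__main__":
    for i, (rec, hello) in enumerate(parse_records(SAMPLE)):
        print(i, VERSIONS.get(rec), VERSIONS.get(hello, "-"))
```

On this sample, matching 0x0301 against the record layer selects the ClientHello record, while matching it against the handshake version selects nothing, which is why the choice of field matters when filtering by TLS version.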