How to Filter TLS 1.0 Traffic in Wireshark: Display Filters and Packet Length Analysis



When analyzing network traffic, filtering TLS protocols can be tricky in Wireshark. The intuitive approach of using protocol == "TLSV1" or similar string comparisons doesn't work because Wireshark handles protocol filtering differently.

To filter for TLS 1.0 traffic specifically, use:

ssl.record.version == 0x0301

This works because TLS 1.0 is represented by the hex value 0x0301 in the SSL/TLS record layer. For other versions:

  • TLS 1.1: ssl.record.version == 0x0302
  • TLS 1.2: ssl.record.version == 0x0303
  • TLS 1.3: ssl.record.version == 0x0304

Wireshark's packet length filtering is another powerful but less obvious feature. To filter packets by size:

frame.len == [size_in_bytes]

For example, to find all packets exactly 1500 bytes long:

frame.len == 1500

You can also use comparison operators:

frame.len > 1000
frame.len <= 500

Here's how to combine these filters to analyze a TLS 1.0 handshake:

ssl.record.version == 0x0301 and frame.len > 100 and frame.len < 2000

This will show TLS 1.0 packets between 100 and 2000 bytes long, which typically captures the handshake process while excluding smaller control packets.
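The combined filter above, modelled as an added Python example (not part of the original page): it reads the version field from each 5-byte TLS record header in a TCP payload and applies the same version and frame-length test. The frames are constructed bytes, and the function names and the 54-byte header allowance are assumptions made for the illustration.

```python
import struct

def tls_records(payload):
    """Yield (content_type, record_version, body) per complete TLS record."""
    offset = 0
    while offset + 5 <= len(payload):
        ctype, version, length = struct.unpack_from("!BHH", payload, offset)
        # Content types 20-23 with major version 3 mark a plausible record.
        if not 20 <= ctype <= 23 or version >> 8 != 3:
            return
        body = payload[offset + 5 : offset + 5 + length]
        if len(body) < length:  # record continues in a later TCP segment
            return
        yield ctype, version, body
        offset += 5 + length

def hello_version(body):
    """Version field of a ClientHello/ServerHello handshake body, else None."""
    # Handshake header: type (1 byte), length (3 bytes), then 2-byte version.
    if len(body) >= 6 and body[0] in (1, 2):
        return struct.unpack_from("!H", body, 4)[0]
    return None

def filter_matches(frame_len, payload, version=0x0301, low=100, high=2000):
    """ssl.record.version == version and frame.len > low and frame.len < high"""
    in_range = low < frame_len < high
    return in_range and any(v == version for _, v, _ in tls_records(payload))

def build_hello(record_version, hello_ver, hs_type=1, pad=120):
    """Constructed sample record; the hello body is zero padding, not a real hello."""
    hello = struct.pack("!H", hello_ver) + bytes(pad)
    handshake = bytes([hs_type]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, record_version, len(handshake)) + handshake

# Constructed frames as (frame.len, TCP payload); 54 bytes stands in for the
# Ethernet + IPv4 + TCP headers that frame.len also counts.
client_hello = build_hello(0x0301, 0x0303)             # record 0x0301, offers 0x0303
server_hello = build_hello(0x0303, 0x0303, hs_type=2)  # record 0x0303
FRAMES = [(54 + len(p), p) for p in (client_hello, server_hello)]

def report(frames):
    """Rows of (frame.len, record version, hello version, filter result)."""
    return [(flen, ver, hello_version(body), filter_matches(flen, payload))
            for flen, payload in frames
            for _, ver, body in tls_records(payload)]

if __name__ == "__main__":
    for flen, ver, hver, hit in report(FRAMES):
        print(f"len={flen} record=0x{ver:04x} hello=0x{hver:04x} match={hit}")
```

The first constructed frame matches the TLS 1.0 record filter although its ClientHello offers 0x0303, so a record-layer hit is best confirmed against the version in the ServerHello. Wireshark 3.0 and later also expose this field as tls.record.version.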

To make packet length visible in your main display:

  1. Go to Edit > Preferences
  2. Select "Columns" in the left panel
  3. Click "+" to add a new column
  4. Set type to "Packet length"

For more complex analysis, you can combine protocol and length filters with other criteria:

ssl.record.version == 0x0301 and tcp.port == 443 and frame.len > 1000

This filters for large TLS 1.0 packets on the standard HTTPS port.


When analyzing encrypted traffic in Wireshark, identifying specific TLS versions is crucial for security auditing and protocol analysis. For TLS 1.0 traffic, you need to use the proper display filter syntax that examines the SSL/TLS handshake records.

Instead of trying to filter on protocol names directly, you should examine the SSL record layer version field:

ssl.record.version == 0x0301

This works because TLS 1.0 is represented by the hex value 0x0301 in the SSL/TLS record header. Here's why this approach is better:

  • Directly examines the protocol version field in the handshake
  • Works for both ClientHello and ServerHello messages
  • Filters the actual protocol version rather than just port numbers

Combine the version filter with other useful criteria:

# Filter only TLS 1.0 ClientHello messages (handshake type 1)
ssl.handshake.type == 1 && ssl.record.version == 0x0301

# Find TLS 1.0 traffic on specific ports
(ssl.record.version == 0x0301) && (tcp.port == 443 || tcp.port == 993)

To examine packet sizes in your TLS traffic analysis, use these techniques:

# Add Packet Length as a column:
1. Go to Edit → Preferences
2. Select "Columns" in the left panel
3. Click "+" and choose "Packet Length" from the dropdown

# Filter by packet size:
frame.len == 1500    # Exactly 1500 bytes
frame.len > 1000     # Larger than 1000 bytes
frame.len < 500      # Smaller than 500 bytes

For comprehensive analysis, combine version and size filters:

# Find large TLS 1.0 packets
(ssl.record.version == 0x0301) && (frame.len > 1400)

# Identify small TLS 1.0 ClientHello messages (handshake type 1)
(ssl.handshake.type == 1) && (ssl.record.version == 0x0301) && (frame.len < 200)

To verify your filters are working correctly:

  1. Apply the filter and check the status bar count
  2. Right-click a matching packet → Follow → TLS Stream
  3. Examine the "Handshake Protocol: Client Hello" details

Remember that TLS 1.0 is considered insecure and should be disabled in production environments. These filters are primarily useful for:

  • Security audits and compliance checks
  • Legacy system troubleshooting
  • Protocol version analysis