URL
http.host == “api.cordero.me”
DNS
dns.qry.name == “www.cordero.me”
dns.qry.name matches “.cordero.me”
dns.qry.name contains “cordero.me”
TCP Flags
tcp.flags.reset == 1
tcp.flags.push == 1
tcp.flags.syn == 1
IP Address
ip.addr == 172.16.200.1
ip.src == 172.16.200.1
ip.dst == 172.16.200.1
Ports
tcp.port eq 53
udp.port eq 53
TLS Handshakes
Client Hello:
tls.handshake.type == 1
Server Hello:
tls.handshake.type == 2
Certificate:
tls.handshake.type == 11
Code Options:
| TLS Message types | |
|---|---|
| Code | Description |
| 0 | HelloRequest |
| 1 | ClientHello |
| 2 | ServerHello |
| 4 | NewSessionTicket |
| 8 | EncryptedExtensions (TLS 1.3 only) |
| 11 | Certificate |
| 12 | ServerKeyExchange |
| 13 | CertificateRequest |
| 14 | ServerHelloDone |
| 15 | CertificateVerify |
| 16 | ClientKeyExchange |
| 20 | Finished |
TLS Handshake Extension Type
tls.handshake.extension.type == 0
TLS Handshake Extension Type Codes:
| Decimal Value | Description |
|---|---|
| 0 | Server Name (server_name) – Used for the Server Name Indication (SNI). |
| 1 | Max Fragment Length (max_fragment_length) |
| 2 | Client Certificate URL (client_certificate_url) |
| 3 | Trusted CA Keys (trusted_ca_keys) |
| 4 | Truncated HMAC (truncated_hmac) |
| 5 | Status Request (status_request) – Used for OCSP stapling. |
| 10 | Supported Groups (supported_groups) – Formerly known as “elliptic_curves”. |
| 11 | EC Point Formats (ec_point_formats) |
| 13 | Signature Algorithms (signature_algorithms) |
| 15 | Heartbeat (heartbeat) |
| 16 | Application Layer Protocol Negotiation (ALPN) – Used to negotiate protocols like HTTP/2. |
| 18 | Signed Certificate Timestamp (signed_certificate_timestamp) |
| 21 | Padding (padding) |
| 23 | Extended Master Secret (extended_master_secret) |
| 28 | Session Ticket (session_ticket) – Used for session resumption. |
| 35 | Key Share (key_share) |
| 41 | Pre-shared Key (pre_shared_key) |
| 43 | Supported Versions (supported_versions) – Especially relevant for TLS 1.3. |
| 51 | Token Binding (token_binding) |
| 13172 | Next Protocol Negotiation (next_protocol_negotiation) – An older version of what ALPN does now. |
TLS Cipher Suites
tls.handshake.ciphersuite
tls.handshake.ciphersuite == 0x1302
Cipher Suites Hex Options:
| Cipher Suite Name | Hex Value |
|---|---|
| TLS_AES_256_GCM_SHA384 | 0x1302 |
| TLS_CHACHA20_POLY1305_SHA256 | 0x1303 |
| TLS_AES_128_GCM_SHA256 | 0x1301 |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | 0xC030 |
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | 0xCCA8 |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | 0xC02C |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 0xC02F |
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | 0xCCA9 |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | 0xC02B |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | 0x009F |
| TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | 0xCCAA |
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | 0x009E |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | 0xC028 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | 0xC027 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | 0xC024 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | 0xC023 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | 0xC014 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | 0xC013 |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | 0x006B |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | 0x0067 |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA | 0x0039 |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA | 0x0033 |
| TLS_RSA_WITH_AES_256_GCM_SHA384 | 0x009D |
| TLS_RSA_WITH_AES_128_GCM_SHA256 | 0x009C |
| TLS_RSA_WITH_AES_256_CBC_SHA256 | 0x003D |
| TLS_RSA_WITH_AES_128_CBC_SHA256 | 0x003C |
| TLS_RSA_WITH_AES_256_CBC_SHA | 0x0035 |
| TLS_RSA_WITH_AES_128_CBC_SHA | 0x002F |
TLS Handshake Version
tls.handshake.version == 0x0303
| Protocol Version | Filter Value |
|---|---|
| SSLv2 | 0x0002 |
| SSLv3 | 0x0300 |
| TLSv1.0 | 0x0301 |
| TLSv1.1 | 0x0302 |
| TLSv1.2 | 0x0303 |
| TLSv1.3 | 0x0304 |
TLS Record Content
Filters packets based on the TLS record layer’s content type (e.g., handshake, alert, application data).
tls.record.content_type
TLS SNI
Filters for the Server Name Indication (SNI) extension in the handshake, which is often used to indicate which hostname the client is trying to connect to, especially important for servers hosting multiple domains.
tls.handshake.extensions.server_name
Routing Protocols
| Traffic type | Capture filter(s) | Display filter(s) [wireshark] |
|---|---|---|
| RIPv2 | udp port 520 | udp.port==520 |
| EIGRP | ip proto eigrp | ip.proto==88 |
| OSPF | ip proto ospf | ip.proto==89 |
| LDP | udp port 646 or tcp port 646 | udp.port==646 or tcp.port==646 |
| PIM | ip proto pim | pim |
| IGMP | ip proto igmp | igmp |
| BGP | tcp port 179 | tcp.port==179 |
| ICMP | ip proto icmp | icmp |
Filter Operands
| Description | Wireshark Syntax |
|---|---|
| and | && |
| or | or |
| = | == |
| protocol and port | ip.port== udp.port== tcp.port== |
| source or dest ip | ip.src== ip.dst== |