Is there a simple way to filter TLS 1.3 packets in Wireshark?
tls.record.version will not work because it usually contains a value of 0x0303 (TLS 1.2).
I assume that Wireshark recognizes TLS 1.3 by looking at the SupportedVersions extension in ServerHello messages; if the version is 0x0304 (TLS 1.3), it probably applies the protocol for the whole TLS flow.
TLSv1.3 is displayed in the "Protocol" column but I'm not sure which display filter to apply to filter these packets.
There is no easy filter for TLSv1.3 given that TLSv1.3 tries to masquerade as TLSv1.2 for compatibility reasons.
Current as of 2020-10-05 (Wireshark may add this at some point)
Wireshark
In Wireshark, you can follow this TLSv1.3 stream by right-clicking on a packet in the stream and then adding && tls to see only TLSv1.3 packets in the stream (tcp packets will show up in the stream). Together, this should be something like tcp.stream eq 0 && tls.
tshark
You can find this display filter easily with this bash script:
Here, we
tls && ($stream1 || $stream2 || ...)
Creating your own Display Filter with Lua
Per the same question asked on Wireshark forums, there is a Lua script that will do the same legwork as this bash script. This is a part of Wireshark documentation and is provided as example code which you could modify to your needs.
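One way to produce a filter of the form tls && (stream || stream || ...) with tshark, as an added example that is not the script from the answer above: it selects TCP streams whose ServerHello carries supported_versions 0x0304 and joins their indexes into one display filter. The function names and the capture file name are assumptions, and it expects a tshark version that uses the tls. field prefix.

```shell
#!/bin/sh
# Added example: build a Wireshark display filter covering every TCP stream
# whose ServerHello selected TLS 1.3 (supported_versions == 0x0304).
# tls.record.version is not used because it stays at 0x0303 on the wire.

# Print the tcp.stream index of each ServerHello that negotiated TLS 1.3.
# The leading "tcp" skips QUIC handshakes, which have no tcp.stream value.
tls13_streams() {
    tshark -r "$1" \
        -Y 'tcp && tls.handshake.type == 2 && tls.handshake.extensions.supported_version == 0x0304' \
        -T fields -e tcp.stream
}

# Read stream indexes on stdin (one per line), drop blanks and duplicates,
# and print the combined display filter.
# Returns 1 and prints nothing when no stream index was supplied.
build_filter() {
    streams=$(grep -E '^[0-9]+$' | sort -n -u)
    [ -n "$streams" ] || return 1
    parts=""
    for s in $streams; do
        parts="${parts:+$parts || }tcp.stream eq $s"
    done
    printf 'tls && (%s)\n' "$parts"
}

# Usage: sh tls13_filter.sh capture.pcapng   (file name is a placeholder)
if [ "$#" -eq 1 ]; then
    tls13_streams "$1" | build_filter || echo "no TLS 1.3 streams found" >&2
fi
```

The printed filter can be pasted into the Wireshark display filter bar or passed to tshark with -Y.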