Filter in Wireshark for TLS's Server Name Indication field
Solution 1
Shawn E's answer is probably the correct answer but my wireshark version doesnt have that filter. Following filters do exists, however:
To check if the SNI field exists:
ssl.handshake.extension.type == 0
or
ssl.handshake.extension.type == "server_name"
To check if an extension contains certain domain:
ssl.handshake.extension.data contains "twitter.com"
Solution 2
ssl.handshake.extensions_server_name
Solution 3
Newer Wireshark has R-Click context menu with filters.
Find Client Hello with SNI for which you'd like to see more of the related packets.
Drill down to handshake / extension : server_name details and from R-click choose Apply as Filter.
See attached example caught in version 2.4.4
Solution 4
For a more complete example, here's the command to show SNIs used in new connections:
tshark -p -Tfields -e ssl.handshake.extensions_server_name \
-Y 'ssl.handshake.extension.type == "server_name"'
(This is what your ISP can easily see in your traffic.)
Solution 5
As google shows this up as first hit, the syntax has changed a bit (ssl renamed to tls):
tshark -r FILENAME.pcap -Tfields -e tls.handshake.extensions_server_name -Y 'tls.handshake.extension.type == 0'
Related videos on Youtube
12 : 13
10 : 38
07 : 56
07 : 51
12 : 55
palindrom
Updated on September 18, 2022Comments
-
palindrom over 1 year
Does wireshark have a filter for TLS's Server Name Indication field?
-
nixda over 11 yearsHello Shawn E. Although this might answer the question, can you provide some additional explanations? Maybe that would be helpful for others.
-
Alexey Andronov over 4 yearshere's what worked for me:tls.handshake.extensions_server_name contains "twitter.com"
