Determine SSL/TLS version using Wireshark

  • Using Wireshark, I am trying to determine the version of SSL/TLS that is being used with the encryption of data between a client workstation and another workstation on the same LAN running SQL Server. Documentation on this subject suggests looking at the ServerHello and ClientHello messages, but I cannot see any such messages in the Wireshark message feed. I am using this display filter:

    tcp.len>1 && tcp.port==1433

    I can confirm that encryption of data is occurring and that the packets displayed using the above filter are related to the SQL Server data transfer that I am wanting to examine. This is what the Wireshark message feed looks like:

    Wireshark message feed

    Here is the packet details pane of the 4th packet after invoking a database connection and selecting Follow-->TCP Stream:

    Packet Details Pane

    This is what I see when analyzing using Microsoft Message Analyzer. The TLS details pane is for the Client Hello packet.

    Microsoft Message Analyzer Main Pane

    Microsoft Message Analyzer TLS Details Pane

    It should be in the Hellos. Can you confirm that you have the initial handshake packets?

    What I have posted in the image above is all I can see.

    Is there something else I need to include in the display filter?

    I have looked extensively through the packet details panes and can't see anything that looks like an SSL or TLS version number.

    If I remove the filters, I can see messages with protocol TLSv1.2 which have a "Secure Sockets Layer" node in the packet details pane which clearly shows the TLS version.

    But there is nothing like that in any of the packets that are related to SQL Server traffic.

    Can you filter for all packets that comprise the TLS handshake: ssl.handshake?

    Yes I can. Can I expect the handshakes related to the SQL Server connections to be excluded with the filter "tcp.len>1 && tcp.port==1433"? If so, how can I know which of the handshakes are related to SQL Server?

    Well, you should know at least its IP address ;)

    I tried that. Filter "ssl.handshake && ip.addr== && ip.addr==" returned no messages.

    The server is 10 and the client is 6.

    If possible, please share the pcap. You can't find the SSL handshake in Wireshark using the ssl filter, as the TDS protocol uses SSL/TLS internally via SChannel (Windows' internal implementation of SSL/TLS). You need to go through the structure of the TDS protocol as described in the TDS protocol documentation.

  • gowenfawr (Correct answer, 5 years ago)

    (Adding a new answer which should be definitive, leaving the old around as it's useful debug for how we got here. Credit for pointing to the actual answer in comments goes to @P4cK3tHuNt3R and @dave_thompson_085)

    Using Wireshark, I am trying to determine the version of SSL/TLS that is being used with the encryption of data between a client workstation and another workstation on the same LAN running SQL Server.

    You are viewing a connection which uses MS-TDS ("Tabular Data Stream Protocol"):

    ...the Tabular Data Stream Protocol, which facilitates interaction with
    a database server and provides for authentication and channel encryption
    negotiation; specification of requests in SQL (including Bulk Insert);
    invocation of a stored procedure, also known as a Remote Procedure Call
    (RPC); returning of data; and Transaction Manager Requests. It is an 
    application layer request/response protocol.

    If you view the TDS protocol documentation, it specifies that the SSL packets are encapsulated within a TDS wrapper:

    A TLS/SSL negotiation packet is a PRELOGIN (0x12) packet header encapsulated
    with TLS/SSL payload.

    In the Microsoft Message Analyzer screencap you posted, we can see the TDS header (boxed in Red, starts with 0x12), followed several bytes later by the TLS CLIENT_HELLO packet (boxed in Blue, starts with 0x16 0x03 0x03):

    TDS and encapsulated TLS headers

    • 0x16 is the TLS "Handshake" header indicator,
    • 0x03 0x03 is the TLS version (TLS 1.2, as per RFC 5246):

      The version of the protocol being employed. This document describes TLS Version 1.2, which uses the version { 3, 3 }. The version value 3.3 is historical, deriving from the use of {3, 1} for TLS 1.0.

    So the simple answer to your question, "determine the version of SSL/TLS", is "TLS 1.2".

    Now, I've seen varying reports as to whether Wireshark can properly parse TDS packets with encoded TLS. I think that the answer is what you started with - it will tell you TLS is there, but won't parse the details as it would with a native TLS session.

    As per this StackOverflow question, it appears that Microsoft Network Monitor is capable of parsing both levels of encapsulation. And a comment therein states that Microsoft Message Analyzer is the newer equivalent of that tool.
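    As an added illustration (not part of the answer above), the following Python walks the same byte layout the answer describes: the 8-byte TDS header of a PRELOGIN (0x12) packet, then the TLS record header (0x16 0x03 0x03) and the Hello message inside it. The sample packet is constructed in the code, not captured from a real SQL Server.

```python
import struct

TDS_PRELOGIN = 0x12      # TDS packet type that carries the TLS handshake
TLS_HANDSHAKE = 0x16     # TLS record content type "handshake"
HANDSHAKE_NAMES = {0x01: "ClientHello", 0x02: "ServerHello"}
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def parse_tds_tls(packet: bytes) -> dict:
    """Unwrap a TDS PRELOGIN packet and report the TLS versions inside it.
    TDS header (8 bytes): Type, Status, Length (big-endian), SPID, PacketID,
    Window.  Then the TLS record header (type, version, length) and the
    handshake message (type, 3-byte length, version, ...)."""
    if len(packet) < 8:
        raise ValueError("too short for a TDS header")
    tds_type, _status, tds_len, _spid, _pkt_id, _window = struct.unpack("!BBHHBB", packet[:8])
    if tds_type != TDS_PRELOGIN:
        raise ValueError(f"not a PRELOGIN packet: type 0x{tds_type:02x}")
    if tds_len != len(packet):
        raise ValueError(f"TDS length {tds_len} != captured length {len(packet)}")
    tls = packet[8:]
    if len(tls) < 5:
        raise ValueError("no TLS record header after the TDS header")
    content_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", tls[:5])
    if content_type != TLS_HANDSHAKE:
        raise ValueError(f"TLS record is not a handshake: 0x{content_type:02x}")
    body = tls[5:5 + rec_len]
    if len(body) < 6:
        raise ValueError("truncated handshake message")
    return {
        "handshake": HANDSHAKE_NAMES.get(body[0], f"0x{body[0]:02x}"),
        # record-layer version: the 0x03 0x03 right after 0x16 in the screenshot
        "record_version": TLS_VERSIONS.get((rec_major, rec_minor), f"{rec_major}.{rec_minor}"),
        # version carried inside the Hello (offered by the client, chosen by the server)
        "hello_version": TLS_VERSIONS.get((body[4], body[5]), f"{body[4]}.{body[5]}"),
    }


def build_sample_prelogin() -> bytes:
    """Constructed sample (not a real capture): TDS PRELOGIN wrapping a minimal
    TLS 1.2 ClientHello with one cipher suite and no extensions."""
    hello = b"\x03\x03" + b"\x00" * 32          # client_version, random
    hello += b"\x00"                            # empty session_id
    hello += b"\x00\x02\xc0\x2f"                # cipher_suites: one entry
    hello += b"\x01\x00"                        # compression_methods: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    record = b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake
    header = struct.pack("!BBHHBB", TDS_PRELOGIN, 0x01, 8 + len(record), 0, 1, 0)
    return header + record
```

    The ClientHello only states what the client offers; the version actually negotiated is in the server's ServerHello (its own PRELOGIN reply), so parse both directions, and note that a TLS 1.3 ServerHello still reads 0x03 0x03 with the real version in its supported_versions extension, which this parser does not decode.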

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM