Wireshark-users: Re: [Wireshark-users] TLSv1 versus TLSv1.2 how to tell which is whch

From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Tue, 3 Jan 2017 09:41:22 -0500


On Mon, Jan 2, 2017 at 11:42 AM, noah davids <ndav1@xxxxxxx> wrote:
I have 2 files, file-u.pcap and file-c.pacp, taken from 2 different clients. In file-u Wireshark reports a TLSv1 while in file-c Wireshark reports TLSv1.2. In both cases the upper vesion is 0x0301 and the lower version is 0x0303. I cannot see how Wireshark decides which TLSv1 and which is TLSv1.2. What am I not seeing?


output from Wireshark print of file-u.pcap

Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 284
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 280
            Version: TLS 1.2 (0x0303)
            Random
. . . .


output from Wireshark print of file-c.pcap

Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 284
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 280
            Version: TLS 1.2 (0x0303)
            Random

Browsing the SSL dissector's code it appears that the SSL session version is based on not just the client hello but also the server hello.  So it would seem that in file-c.pcap the server has responded that TLS v1.2 is used while in file-u.pcap either the server's response was not seen or responded that TLS 1.0 will be used.