1. Filter for all TLS handshake packets
tls.handshake
Shows all handshake records including Certificate, Client Hello, Server Hello, etc.
2. Filter specifically for Server Certificates
tls.handshake.type == 11
11 = Certificate message from server to client. In mutual TLS the client's Certificate message uses the same type, so it matches this filter too.
Useful to view and dissect certificate fields in packet details.
3. Filter for Certificate Requests (client auth scenarios)
tls.handshake.type == 13
Server requesting client certificate.
4. Filter for Certificate Verify
tls.handshake.type == 15
Client proving possession of private key during mutual TLS.
5. Filter for TLS Alerts (including cert failures)
tls.alert_message
Shows all alert messages. To narrow to fatal alerts (level 2), which include certificate failures:
tls.alert_message.level == 2
6. Filter for Specific Certificate-Related Alerts
| Problem | Wireshark Filter | Alert Code | Description |
|---|---|---|---|
| Bad Certificate | tls.alert_message.desc == 42 | 42 | Certificate rejected (e.g. invalid signature, policy failure). |
| Unsupported Certificate | tls.alert_message.desc == 43 | 43 | Certificate type not supported by peer. |
| Certificate Revoked | tls.alert_message.desc == 44 | 44 | Certificate has been revoked. |
| Certificate Expired | tls.alert_message.desc == 45 | 45 | Certificate validity period expired. |
| Certificate Unknown | tls.alert_message.desc == 46 | 46 | Other certificate problem not covered by specific alerts. |
| Unknown CA | tls.alert_message.desc == 48 | 48 | Issuing CA not trusted by the client or server. |
| Access Denied | tls.alert_message.desc == 49 | 49 | Access denied due to policy (not a technical cert error per se). |
7. Filter for handshake failure in general
tls.alert_message.desc == 40
Generic handshake failure; can include cert issues.
8. Combined useful filter
tls.handshake.type == 11 || tls.alert_message
9. Filter for specific hostname (SNI)
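tls.handshake.extensions_server_name == "example.com"
Replace example.com with the hostname of interest. The field name on its own matches every Client Hello that carries an SNI extension.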
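The handshake types and alert codes used in filters 1 to 7, decoded from raw record bytes. This is an added example, not part of the original cheat sheet; the function names and sample bytes are constructed for illustration. It assumes one direction of a stream and handshake messages that are not fragmented across records.

```python
import struct

# Values matched by the filters above (tls.handshake.type, tls.alert_message.desc).
HANDSHAKE = {1: "client_hello", 2: "server_hello", 11: "certificate",
             13: "certificate_request", 15: "certificate_verify"}
ALERTS = {40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
          44: "certificate_revoked", 45: "certificate_expired",
          46: "certificate_unknown", 48: "unknown_ca", 49: "access_denied"}
LEVELS = {1: "warning", 2: "fatal"}

def record(ctype, body):
    """Wrap a body in a 5-byte TLS record header (version 0x0303)."""
    return struct.pack("!BHH", ctype, 0x0303, len(body)) + body

def hs(htype, body=b""):
    """Build one handshake message: 1-byte type, 3-byte length, body."""
    return bytes([htype]) + len(body).to_bytes(3, "big") + body

def parse_records(stream):
    """Classify the records in one direction of a TLS byte stream."""
    events, pos, encrypted = [], 0, False
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        body = stream[pos + 5:pos + 5 + length]
        pos += 5 + length
        if len(body) < length:
            break  # truncated capture
        if ctype == 20:  # change_cipher_spec: later records are encrypted
            encrypted = True
        elif encrypted or ctype == 23:
            events.append(("encrypted", ctype, "opaque"))
        elif ctype == 21 and length == 2:  # alert: level, description
            level, desc = body
            name = f"{LEVELS.get(level, 'unknown')} {ALERTS.get(desc, 'other')}"
            events.append(("alert", desc, name))
        elif ctype == 22:  # handshake: several messages may share a record
            off = 0
            while off + 4 <= len(body):
                htype = body[off]
                hlen = int.from_bytes(body[off + 1:off + 4], "big")
                events.append(("handshake", htype, HANDSHAKE.get(htype, "other")))
                off += 4 + hlen
    return events

# Constructed sample bytes (placeholder bodies, not real certificates).
SERVER_FLIGHT = record(22, hs(2, b"\x00" * 4) + hs(11, b"\x00" * 8) + hs(13))
CLIENT_ALERT = record(21, bytes([2, 48]))
AFTER_CCS = record(20, b"\x01") + record(22, b"\xaa" * 16)

if __name__ == "__main__":
    for name, sample in [("server", SERVER_FLIGHT), ("client", CLIENT_ALERT), ("post-CCS", AFTER_CCS)]:
        print(name, parse_records(sample))
```

In TLS 1.3 the Certificate, Certificate Request and Certificate Verify messages and most alerts travel in encrypted records, so the display filters for them only match when Wireshark has the session keys.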