How can you identify TLS versions negotiated in TLS 1.3 vs TLS 1.2?

Prepare for the Wireshark Traffic Analysis Exam. Study with flashcards and multiple choice questions; each question includes hints and explanations. Ace your exam!

Multiple Choice

How can you identify TLS versions negotiated in TLS 1.3 vs TLS 1.2?

Explanation:
The thing being tested here is how TLS negotiates its version and how that shows up in a capture. TLS 1.3 changes the way the version is negotiated and the handshake shape, so you can tell it apart from TLS 1.2 by looking for the handshake pattern and the version indicators used during the exchange.

In TLS 1.3, the handshake follows a distinct flow and relies on a supported_versions mechanism to agree on the protocol version. You’ll also often see the ALPN extension used to settle the application protocol (for example, HTTP/2 or HTTP/3) as part of the handshake. In a capture, Wireshark will present this as a TLS 1.3 handshake, showing the individual messages that are specific to TLS 1.3 and the use of the supported_versions extension to negotiate 1.3.

In TLS 1.2, the handshake is the more traditional, older flow. The ServerHello in TLS 1.2 carries the negotiated version (1.2), and the handshake messages follow the familiar pattern without the TLS 1.3-specific extensions. If you’re looking at the capture, you’ll see the ServerHello indicating TLS 1.2 and no TLS 1.3 “supported_versions” flow.

So the best way to identify which version was negotiated is to examine the handshake pattern and the version negotiation details in the capture: TLS 1.3 shows a distinct handshake with the supported_versions extension (and often ALPN used for protocol negotiation), while TLS 1.2 shows the traditional ServerHello indicating TLS 1.2.
