[PLUG] tcpdump whiz?
Louis Kowolowski
louisk at cryptomonkeys.org
Fri Feb 26 01:15:50 UTC 2016
From the link you posted:
tcpdump -i any -s 1500 '(tcp[((tcp[12:1] & 0xf0) >> 2)+5:1] = 0x01) and (tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16)'
This captures the SSL handshake (0x16), and the hello (0x01). Seems reasonable that you could delete the expression for hello and end up with:
tcpdump -i any -s 1500 '(tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16)'
Does this not work?
> On Feb 25, 2016, at 6:08 PM, Michael Rasmussen <michael at jamhome.us> wrote:
>
> I have a group of systems that I need to monitor for use of approved SSL cipher suites.
> Wireshark is not available on them. tcpdump is the tool I need to use.
>
> Do you know, or know someone who would know, how to construct a tcpdump filter that matches
> only packets for the SSL handshake?
>
> Due to the volume of traffic on the systems I cannot capture everything and filter later.
>
> The most useful hint found so far is at:
> http://serverfault.com/questions/574405/tcpdump-server-hello-certificate-filter
>
>
>
> --
> Michael Rasmussen, Portland Oregon
> Be Appropriate && Follow Your Curiosity
> People play badly for various reasons; the most common one is failure
> to judge what they currently produce as inadequate.
> ~ Tony Pay (on a Clarinet discussion list)
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
--
Louis Kowolowski louisk at cryptomonkeys.org
Cryptomonkeys: http://www.cryptomonkeys.com/
Making life more interesting for people since 1977
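The byte-offset arithmetic in the filter above is easier to trust once you can see it applied to real bytes. The following is an added example, not part of the thread or of tcpdump: it emulates the two filter terms in Python on a raw TCP segment (`(tcp[12:1] & 0xf0) >> 2` is the TCP header length, so `tcp[off:1]` is the TLS record content type and `tcp[off+5:1]` is the first handshake message type, 5 being the TLS record header length), and then goes one step further toward the original poster's goal by pulling the negotiated cipher suite out of a ServerHello and checking it against an approved list. All packets are constructed in the block; the function names (`matches_handshake_filter`, `server_hello_cipher_suite`, `audit_segment`, the `build_*` helpers) are this example's own.

```python
"""Emulate the thread's tcpdump TLS-handshake filter on raw TCP segments and
audit the cipher suite a ServerHello selects.  All data here is constructed."""
from __future__ import annotations

import struct
from typing import Optional, Set, Tuple

# TLS record content type and handshake message types
TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
SERVER_HELLO = 0x02


def tcp_data_offset(segment: bytes) -> int:
    """Mirror the tcpdump term (tcp[12:1] & 0xf0) >> 2: TCP header length in bytes."""
    return (segment[12] & 0xF0) >> 2


def matches_handshake_filter(segment: bytes, handshake_type: Optional[int] = None) -> bool:
    """Emulate the BPF filter on one TCP segment (header + payload).

    tcp[off:1] = 0x16 is the TLS record type; tcp[off+5:1] is the first handshake
    message type.  handshake_type=None is the shortened filter from the reply,
    matching any handshake record.  Note the filter only inspects the byte right
    after the TCP header, so a handshake record that starts mid-segment is missed.
    """
    off = tcp_data_offset(segment)
    if len(segment) < off + 6 or segment[off] != TLS_HANDSHAKE:
        return False
    return handshake_type is None or segment[off + 5] == handshake_type


def server_hello_cipher_suite(segment: bytes) -> Optional[int]:
    """Return the cipher suite chosen in a ServerHello, or None if this isn't one."""
    if not matches_handshake_filter(segment, SERVER_HELLO):
        return None
    off = tcp_data_offset(segment)
    body = segment[off + 5 + 4:]        # skip record header (5) and handshake header (4)
    session_id_len = body[34]           # version(2) + random(32) precede the length byte
    cs_off = 35 + session_id_len
    if len(body) < cs_off + 2:
        return None
    return struct.unpack("!H", body[cs_off:cs_off + 2])[0]


def audit_segment(segment: bytes, approved: Set[int]) -> Optional[Tuple[int, bool]]:
    """(suite, is_approved) for a ServerHello segment, None for anything else."""
    suite = server_hello_cipher_suite(segment)
    return None if suite is None else (suite, suite in approved)


# --- constructed test data (hypothetical packets, not captured traffic) ---

def build_segment(payload: bytes, data_offset_words: int = 5) -> bytes:
    """Zeroed TCP header of data_offset_words*4 bytes (options padded), then payload."""
    hdr = bytearray(data_offset_words * 4)
    hdr[12] = data_offset_words << 4    # data offset lives in the high nibble of byte 12
    return bytes(hdr) + payload


def build_hello(msg_type: int, cipher_suites: list, session_id: bytes = b"") -> bytes:
    """Minimal TLS 1.2 ClientHello/ServerHello record: zero random, no extensions."""
    body = b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
    if msg_type == CLIENT_HELLO:
        cs = b"".join(struct.pack("!H", s) for s in cipher_suites)
        body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"   # one compression method: null
    else:
        body += struct.pack("!H", cipher_suites[0]) + b"\x00"
    handshake = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x03]) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    # 0xC02F/0xC030 are ECDHE-RSA-AES-GCM suites; 0x002F is TLS_RSA_WITH_AES_128_CBC_SHA
    APPROVED = {0xC02F, 0xC030}
    server = build_segment(build_hello(SERVER_HELLO, [0x002F], b"\xaa" * 4), data_offset_words=8)
    client = build_segment(build_hello(CLIENT_HELLO, [0xC02F, 0x002F]))
    plain = build_segment(b"GET / HTTP/1.1\r\n")
    for name, seg in (("server", server), ("client", client), ("plain", plain)):
        print(name, matches_handshake_filter(seg), audit_segment(seg, APPROVED))
```

The `data_offset_words=8` case is there on purpose: a TCP header with 12 bytes of options shifts the TLS record by 12 bytes, which is exactly why the filter reads the offset from byte 12 instead of hard-coding 20. Run over a real capture, the same audit logic would be applied to each ServerHello segment tcpdump lets through.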