[PLUG] tcpdump whiz?

Louis Kowolowski louisk at cryptomonkeys.org
Fri Feb 26 01:15:50 UTC 2016


From the link you posted:

tcpdump -i any -s 1500 '(tcp[((tcp[12:1] & 0xf0) >> 2)+5:1] = 0x01) and (tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16)'

This captures the SSL handshake (0x16), and the hello (0x01). Seems reasonable that you could delete the expression for hello and end up with:

tcpdump -i any -s 1500 '(tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16)'

Does this not work?

> On Feb 25, 2016, at 6:08 PM, Michael Rasmussen <michael at jamhome.us> wrote:
> 
> I have a group of systems that I need to monitor for use of approved SSL cipher suites.
> Wireshark is not available on them. tcpdump is the tool I need to use.
> 
> Do you know, or know someone who would know, how to construct a tcpdump filter that matches
> only packets for the SSL handshake?
> 
> Due to the volume of traffic on the systems I cannot capture everything and filter later.
> 
> The most useful hint found so far is at:
> http://serverfault.com/questions/574405/tcpdump-server-hello-certificate-filter
> 
> 
> 
> --
>      Michael Rasmussen, Portland Oregon
>    Be Appropriate && Follow Your Curiosity
> People play badly for various reasons; the most common one is failure
> to judge what they currently produce as inadequate.
>    ~ Tony Pay (on a Clarinet discussion list)
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug

--
Louis Kowolowski                                louisk at cryptomonkeys.org
Cryptomonkeys:                                   http://www.cryptomonkeys.com/

Making life more interesting for people since 1977
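To show what each term of that filter actually tests, here is the same byte-offset logic reimplemented in Python over constructed TCP segments (an added example, not code from the thread or from the serverfault answer): `(tcp[12:1] & 0xf0) >> 2` gives the TCP header length in bytes, `tcp[hdrlen:1] = 0x16` checks the TLS record type, and `tcp[hdrlen+5:1] = 0x01` checks the handshake message type. Ports, sequence numbers and TCP options are constructed placeholder values.

```python
import struct

TLS_HANDSHAKE = 0x16      # TLS record content type: Handshake
TLS_APP_DATA = 0x17       # TLS record content type: Application Data
HS_CLIENT_HELLO = 0x01    # Handshake message type: ClientHello
HS_SERVER_HELLO = 0x02    # Handshake message type: ServerHello


def build_tcp_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed TCP header (20 bytes + options) followed by payload.

    Only the data-offset nibble (tcp[12]) matters for the filter; ports,
    seq/ack, window and checksum are placeholder values.
    """
    assert len(options) % 4 == 0, "TCP options are padded to 32-bit words"
    data_offset_words = 5 + len(options) // 4   # header length in 32-bit words
    offset_byte = data_offset_words << 4        # high nibble = data offset
    header = struct.pack("!HHIIBBHHH",
                         443, 51234,            # src port, dst port
                         1, 1,                  # seq, ack
                         offset_byte,           # data offset + reserved bits
                         0x18,                  # flags: PSH|ACK
                         65535, 0, 0)           # window, checksum, urgent ptr
    return header + options + payload


def tls_record(content_type: int, handshake_type: int = 0) -> bytes:
    """TLS record header (type, version 3.3, length) plus first body byte."""
    body = bytes([handshake_type])
    return bytes([content_type, 0x03, 0x03]) + struct.pack("!H", len(body)) + body


def tcp_header_len(tcp: bytes) -> int:
    # (tcp[12:1] & 0xf0) >> 2 : data offset in words * 4 = header bytes
    return (tcp[12] & 0xF0) >> 2


def matches_any_handshake(tcp: bytes) -> bool:
    # tcp[hdrlen:1] = 0x16 : first payload byte is a TLS Handshake record
    off = tcp_header_len(tcp)
    return len(tcp) > off and tcp[off] == TLS_HANDSHAKE


def matches_client_hello(tcp: bytes) -> bool:
    # ... and tcp[hdrlen+5:1] = 0x01 : handshake message type is ClientHello
    off = tcp_header_len(tcp)
    return (matches_any_handshake(tcp) and len(tcp) > off + 5
            and tcp[off + 5] == HS_CLIENT_HELLO)
```

Dropping the 0x01 term, as suggested above, matches every handshake record that starts a segment's payload (ServerHello, Certificate, and so on), but neither form sees a record that begins mid-segment, and libpcap's `tcp[...]` indexing only works for IPv4 packets.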
