tcpdump mailing list archives

Re: Capture/decode SSL


From: lemons_terry () emc com
Date: Tue, 23 Jan 2007 13:07:57 -0500

Excellent information.  Thanks, Guy!
tl 

-----Original Message-----
From: tcpdump-workers-owner () lists tcpdump org
[mailto:tcpdump-workers-owner () lists tcpdump org] On Behalf Of Guy Harris
Sent: Tuesday, January 23, 2007 12:59 PM
To: tcpdump-workers () lists tcpdump org
Subject: Re: [tcpdump-workers] Capture/decode SSL

lemons_terry () emc com wrote:

I need to capture and decode SSL traffic.  Does tcpdump support this?

Tcpdump supports capturing *all* network traffic; if it captures and 
saves packets to a file, the packet contents are just a big bucket of 
bytes.  Note that its default "snapshot length" is 68 bytes in versions 
built without IPv6 support and 96 bytes in versions built with IPv6 
support, so, by default, you will only get the first 68 or 96 bytes of 
each packet; to override that, use "-s 0" in modern versions of tcpdump 
(and "-s 65535" in older versions), which will give you up to 65535 
bytes of each link-layer packet.

It doesn't support decoding SSL, however.  Recent versions of Wireshark 
can capture and decode SSL, complete with decryption in at least some 
cases, and can also read captures from tcpdump (its native capture file 
format is the same as that of tcpdump), as well as captures from a 
number of other network analyzers.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.

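The snapshot-length point above is easy to see in the capture file itself: a classic pcap file stores the snaplen in its 24-byte global header, and every packet record carries both the number of bytes actually saved (incl_len) and the packet's real length on the wire (orig_len). The following is an added example, not code from the thread or from the tcpdump project: it builds a constructed Ethernet/IPv4/TCP frame carrying one TLS record (placeholder header bytes, only the lengths matter), writes it to an in-memory pcap under a given snaplen the way tcpdump would, then parses the file back and reports how much of the TLS record survived. The timestamp and record length are made-up values.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
L2_L3_L4_HEADERS = 14 + 20 + 20  # Ethernet + IPv4 (no options) + TCP (no options)


def build_tls_frame(record_len):
    """Construct a fake Ethernet/IPv4/TCP frame carrying one TLS record.
    Header bytes are placeholders (constructed data); only lengths matter here."""
    eth = b"\x00" * 14
    ipv4 = b"\x45" + b"\x00" * 19
    tcp = b"\x00" * 20
    # TLS record header: content type 0x17 (application data), version 0x0303, length
    tls = struct.pack("!BHH", 0x17, 0x0303, record_len) + b"\xaa" * record_len
    return eth + ipv4 + tcp + tls


def write_pcap(frames, snaplen):
    """Serialize (ts_sec, frame) pairs as a pcap file, truncating each frame to
    snaplen the way tcpdump does. incl_len < orig_len marks a truncated packet."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0,
                                snaplen, LINKTYPE_ETHERNET))
    for ts_sec, frame in frames:
        captured = frame[:snaplen]
        out += struct.pack("<IIII", ts_sec, 0, len(captured), len(frame))
        out += captured
    return bytes(out)


def read_pcap(data):
    """Parse a pcap file (either byte order). Returns (snaplen, records); each
    record holds the captured bytes and how many bytes the snaplen cut off."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        e = "<"
    elif magic == 0xD4C3B2A1:
        e = ">"
    else:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    _, _vmaj, _vmin, _tz, _sig, snaplen, _link = struct.unpack_from(e + "IHHiIII", data, 0)
    off, records = 24, []
    while off < len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(e + "IIII", data, off)
        off += 16
        payload = data[off:off + incl_len]
        if len(payload) != incl_len:
            raise ValueError("pcap file ends mid-packet at offset %d" % off)
        off += incl_len
        records.append({"ts": (ts_sec, ts_usec), "bytes": payload,
                        "orig_len": orig_len, "truncated_by": orig_len - incl_len})
    return snaplen, records


def tls_bytes_surviving(snaplen, record_len=295):
    """Capture one frame with a TLS record of record_len payload bytes under the
    given snaplen; return (TLS bytes kept after the L2-L4 headers, bytes lost)."""
    frame = build_tls_frame(record_len)
    pcap = write_pcap([(1169575200, frame)], snaplen)   # constructed timestamp
    _, (rec,) = read_pcap(pcap)
    tls_part = rec["bytes"][L2_L3_L4_HEADERS:]
    return len(tls_part), rec["truncated_by"]


if __name__ == "__main__":
    for snap in (68, 96, 65535):
        kept, lost = tls_bytes_surviving(snap)
        print("snaplen %5d: %3d of 300 TLS record bytes kept, %3d bytes lost" % (snap, kept, lost))
```

With the 68- or 96-byte defaults the thread mentions, only 14 or 42 bytes of a 300-byte TLS record reach the file: enough for the record header but not for a decoder to reassemble the handshake or decrypt anything. A reader such as Wireshark sees incl_len smaller than orig_len and reports the packet as size-limited during capture, which is the symptom to look for when a capture made without "-s 0" will not decode.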