tcpdump mailing list archives

Re: Capture/decode SSL


From: "Dmitry Rubinstein" <Dmitry.Rubinstein () bhive net>
Date: Wed, 24 Jan 2007 03:28:19 -0500

I would also add that there exists a tool called ssldump (also operating
on top of libpcap) that is indeed able (under certain conditions) to
capture and decode SSL traffic.

-----Original Message-----
From: tcpdump-workers-owner () lists tcpdump org
[mailto:tcpdump-workers-owner () lists tcpdump org] On Behalf Of
lemons_terry () emc com
Sent: Tuesday, January 23, 2007 8:08 PM
To: tcpdump-workers () lists tcpdump org
Subject: Re: [tcpdump-workers] Capture/decode SSL

Excellent information.  Thanks, Guy!
tl 

-----Original Message-----
From: tcpdump-workers-owner () lists tcpdump org
[mailto:tcpdump-workers-owner () lists tcpdump org] On Behalf Of Guy Harris
Sent: Tuesday, January 23, 2007 12:59 PM
To: tcpdump-workers () lists tcpdump org
Subject: Re: [tcpdump-workers] Capture/decode SSL

lemons_terry () emc com wrote:

I need to capture and decode SSL traffic.  Does tcpdump support this?

Tcpdump supports capturing *all* network traffic; if it captures and
saves packets to a file, the packet contents are just a big bucket of
bytes.  Note that its default "snapshot length" is 68 bytes in versions
built without IPv6 support and 96 bytes in versions built with IPv6
support, so, by default, you will only get the first 68 or 96 bytes of
each packet; to override that, use "-s 0" in modern versions of tcpdump
(and "-s 65535" in older versions), which will give you up to 65535
bytes of each link-layer packet.

It doesn't support decoding SSL, however.  Recent versions of Wireshark
can capture and decode SSL, complete with decryption in at least some
cases, and can also read captures from tcpdump (its native capture file
format is the same as that of tcpdump), as well as captures from a
number of other network analyzers.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.

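Guy's point about the default snapshot length is the one that bites in practice: a capture taken without "-s 0" holds only the first 68 or 96 bytes of each packet, and no later tool (Wireshark, ssldump or anything else) can decode the TLS records that were never written to disk. The following is an added example, not code from this thread or from the tcpdump project: a small checker that reads the snaplen out of a classic libpcap file header and counts the records whose captured length is shorter than their original wire length, which is exactly what a truncated capture looks like. The pcap bytes it examines are constructed inline so it runs offline; the field layout it parses is the standard 24-byte pcap global header and 16-byte per-packet header.

```python
import struct

# Classic libpcap magic, as it appears on disk for each byte order.
# Nanosecond-resolution files (magic 0xa1b23c4d) are deliberately not handled here.
_MAGIC_LE = b"\xd4\xc3\xb2\xa1"   # 0xa1b2c3d4 written little-endian
_MAGIC_BE = b"\xa1\xb2\xc3\xd4"   # 0xa1b2c3d4 written big-endian

_GLOBAL_HDR = "IHHiIII"   # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
_RECORD_HDR = "IIII"      # ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)


def build_sample_pcap(snaplen, packets, linktype=1):
    """Build a little-endian pcap file in memory (constructed sample data, not a real capture).

    packets is a list of (orig_len, saved_bytes); saved_bytes is what a capture with the
    given snaplen would have written for that packet.
    """
    header = struct.pack("<" + _GLOBAL_HDR, 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    body = b""
    for i, (orig_len, data) in enumerate(packets):
        assert len(data) <= snaplen, "a real capture never saves more than snaplen"
        body += struct.pack("<" + _RECORD_HDR, 1169_000_000 + i, 0, len(data), orig_len) + data
    return header + body


def audit_pcap(blob):
    """Return the file's snaplen plus how many records were cut short by it.

    A record with incl_len < orig_len was truncated at capture time; nothing downstream
    can recover the missing bytes, so such a file is unusable for TLS decoding.
    """
    magic = blob[:4]
    if magic == _MAGIC_LE:
        end = "<"
    elif magic == _MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (unknown magic %r)" % magic)

    _, _, _, _, _, snaplen, linktype = struct.unpack_from(end + _GLOBAL_HDR, blob, 0)
    offset = struct.calcsize(_GLOBAL_HDR)

    total = truncated = 0
    while offset < len(blob):
        if offset + 16 > len(blob):
            raise ValueError("record header runs past end of file at offset %d" % offset)
        _, _, incl_len, orig_len = struct.unpack_from(end + _RECORD_HDR, blob, offset)
        offset += 16
        if offset + incl_len > len(blob):
            raise ValueError("record data runs past end of file at offset %d" % offset)
        total += 1
        if incl_len < orig_len:
            truncated += 1
        offset += incl_len

    return {"snaplen": snaplen, "linktype": linktype, "packets": total, "truncated": truncated}


def capture_is_complete(blob):
    """True only if every record carries all of its wire bytes."""
    return audit_pcap(blob)["truncated"] == 0


if __name__ == "__main__":
    # Constructed: what a 96-byte-snaplen capture of one short and two full-size
    # Ethernet frames looks like, versus the same traffic captured with -s 0.
    short = build_sample_pcap(96, [(60, b"\x00" * 60), (1514, b"\x00" * 96), (1514, b"\x00" * 96)])
    full = build_sample_pcap(65535, [(60, b"\x00" * 60), (1514, b"\x00" * 1514), (1514, b"\x00" * 1514)])
    print("default snaplen:", audit_pcap(short))
    print("-s 0 capture:   ", audit_pcap(full))
```

Running this on the two constructed files reports two of three records truncated for the 96-byte snaplen and none for the full capture; the same check on a real file from an existing capture tells you, before any decode attempt, whether it was taken with an adequate "-s" value.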