tcpdump mailing list archives
Re: Capture/decode SSL
From: "Dmitry Rubinstein" <Dmitry.Rubinstein () bhive net>
Date: Wed, 24 Jan 2007 03:28:19 -0500
I would also add that there exists a tool called ssldump (also operating on top of libpcap) that is indeed able (under certain conditions) to capture and decode SSL traffic.

-----Original Message-----
From: tcpdump-workers-owner () lists tcpdump org [mailto:tcpdump-workers-owner () lists tcpdump org] On Behalf Of lemons_terry () emc com
Sent: Tuesday, January 23, 2007 8:08 PM
To: tcpdump-workers () lists tcpdump org
Subject: Re: [tcpdump-workers] Capture/decode SSL

Excellent information. Thanks, Guy!
tl

-----Original Message-----
From: tcpdump-workers-owner () lists tcpdump org [mailto:tcpdump-workers-owner () lists tcpdump org] On Behalf Of Guy Harris
Sent: Tuesday, January 23, 2007 12:59 PM
To: tcpdump-workers () lists tcpdump org
Subject: Re: [tcpdump-workers] Capture/decode SSL

lemons_terry () emc com wrote:
I need to capture and decode SSL traffic. Does tcpdump support this?
Tcpdump supports capturing *all* network traffic; if it captures and saves packets to a file, the packet contents are just a big bucket of bytes. Note that its default "snapshot length" is 68 bytes in versions built without IPv6 support and 96 bytes in versions built with IPv6 support, so, by default, you will only get the first 68 or 96 bytes of each packet; to override that, use "-s 0" in modern versions of tcpdump (and "-s 65535" in older versions), which will give you up to 65535 bytes of each link-layer packet.

It doesn't support decoding SSL, however. Recent versions of Wireshark can capture and decode SSL, complete with decryption in at least some cases, and can also read captures from tcpdump (its native capture file format is the same as that of tcpdump), as well as captures from a number of other network analyzers.

- This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
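As an added example (not code from any message in this thread), the following POSIX shell script reads a tcpdump/libpcap capture file's headers with od(1) to report the snapshot length it was taken with and how many packet records were actually cut short by it, which is the situation Guy describes with the default 68/96-byte snaplen. The sample pcap it builds is constructed inline; function names and the layout assumptions are mine, based on the classic pcap file format.

```shell
#!/bin/sh
# Added example: detect truncated captures before trying to decode them.
# Classic pcap: 24-byte global header (magic at 0, snaplen at 16), then
# per-packet headers of ts_sec, ts_usec, incl_len, orig_len (4 bytes each).

# Print the 32-bit unsigned integer at byte OFFSET of FILE, for ENDIAN le|be.
read_u32() {
  set -- "$1" "$2" "$3" $(od -An -tu1 -v -j "$2" -N 4 "$1")
  [ $# -eq 7 ] || return 1
  if [ "$3" = le ]; then echo $(( $4 + ($5 << 8) + ($6 << 16) + ($7 << 24) ))
  else echo $(( ($4 << 24) + ($5 << 16) + ($6 << 8) + $7 )); fi
}

# Byte order from the magic number; prints le or be, fails if not pcap.
pcap_endian() {
  case $(od -An -tx1 -N 4 "$1" | tr -d ' \n') in
    d4c3b2a1|4d3cb2a1) echo le ;;   # usec or nsec timestamps, little-endian
    a1b2c3d4|a1b23c4d) echo be ;;   # same, big-endian
    *) return 1 ;;
  esac
}

# Snapshot length the capture was taken with (tcpdump -s value).
pcap_snaplen() {
  e=$(pcap_endian "$1") || return 1
  read_u32 "$1" 16 "$e"
}

# Count records whose captured length is smaller than the on-the-wire length.
pcap_truncated_count() {
  e=$(pcap_endian "$1") || return 1
  size=$(wc -c < "$1" | tr -d ' '); off=24; n=0
  while [ $((off + 16)) -le "$size" ]; do
    incl=$(read_u32 "$1" $((off + 8)) "$e")
    orig=$(read_u32 "$1" $((off + 12)) "$e")
    [ "$incl" -lt "$orig" ] && n=$((n + 1))
    off=$((off + 16 + incl))
  done
  echo "$n"
}

# Constructed sample: little-endian pcap, snaplen 68, link type 1 (Ethernet),
# then a 100-byte packet captured as 4 bytes and a 4-byte packet kept whole.
SAMPLE_PCAP=$(mktemp)
printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\104\000\000\000\001\000\000\000' > "$SAMPLE_PCAP"
printf '\000\000\000\000\000\000\000\000\004\000\000\000\144\000\000\000ABCD' >> "$SAMPLE_PCAP"
printf '\000\000\000\000\000\000\000\000\004\000\000\000\004\000\000\000EFGH' >> "$SAMPLE_PCAP"
echo "snaplen $(pcap_snaplen "$SAMPLE_PCAP"), truncated packets: $(pcap_truncated_count "$SAMPLE_PCAP")"
```

Run it against a real capture by replacing `$SAMPLE_PCAP` with the file written by `tcpdump -w`; a nonzero truncated count means the capture was taken with too small a snaplen for decoding.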
Current thread:
- Capture/decode SSL lemons_terry (Jan 23)
- Re: Capture/decode SSL Guy Harris (Jan 23)
- Re: Capture/decode SSL lemons_terry (Jan 23)
- Re: Capture/decode SSL Dmitry Rubinstein (Jan 24)
- Re: Capture/decode SSL Guy Harris (Jan 23)