tcpdump mailing list archives

Re: Capture/decode SSL


From: Guy Harris <guy () alum mit edu>
Date: Tue, 23 Jan 2007 09:59:16 -0800

lemons_terry () emc com wrote:

> I need to capture and decode SSL traffic.  Does tcpdump support this?

Tcpdump supports capturing *all* network traffic; if it captures and saves packets to a file, the packet contents are just a big bucket of bytes. Note that its default "snapshot length" is 68 bytes in versions built without IPv6 support and 96 bytes in versions built with IPv6 support, so, by default, you will only get the first 68 or 96 bytes of each packet; to override that, use "-s 0" in modern versions of tcpdump (and "-s 65535" in older versions), which will give you up to 65535 bytes of each link-layer packet.

It doesn't support decoding SSL, however. Recent versions of Wireshark can capture and decode SSL, complete with decryption in at least some cases, and can also read captures from tcpdump (its native capture file format is the same as that of tcpdump), as well as captures from a number of other network analyzers.
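
Two of the practical points in Guy's reply, written up as an added example that is not part of the original message: the full-snapshot-length capture command, and a check of the snaplen recorded in an existing capture file (so a file that was saved with the 68/96-byte default can be recognised before it is handed to Wireshark). The interface name, the file names and the `tcp port 443` filter are assumptions; the pcap global headers used for the check are constructed inline rather than captured.

```sh
#!/bin/sh
# Added example, not code from the list post.

# Capture as the reply advises: -s 0 disables truncation and -w keeps the raw
# packet bytes so Wireshark can decode them later. Interface and file names
# are placeholders; capturing needs the usual privileges.
capture_full() {
    # usage: capture_full eth0 ssl.pcap
    tcpdump -i "$1" -s 0 -w "$2" 'tcp port 443'
}

# Emit the 32-bit value $1 as four little-endian bytes (used only to build
# the constructed sample headers below).
le32() {
    i=0
    while [ "$i" -lt 4 ]; do
        printf "\\$(printf '%03o' $(( ($1 >> (8 * i)) & 255 )))"
        i=$((i + 1))
    done
}

# Write a constructed 24-byte pcap global header (little-endian byte order,
# version 2.4, link type 1 = Ethernet) to file $1 with snaplen $2.
# No packet records follow; it is sample input for the check only.
make_pcap_header() {
    {
        printf '\324\303\262\241'   # magic 0xa1b2c3d4 in little-endian order
        printf '\002\000\004\000'   # version major 2, minor 4
        le32 0; le32 0              # thiszone, sigfigs
        le32 "$2"                   # snaplen
        le32 1                      # link type: Ethernet
    } > "$1"
}

# Print the snaplen field (bytes 16..19 of the global header) of pcap file $1,
# honouring the byte order signalled by the magic number. Fails on non-pcap input.
pcap_snaplen() {
    set -- $(od -An -tx1 -N 24 "$1")
    [ $# -eq 24 ] || { echo "short or unreadable header" >&2; return 1; }
    case "$1$2$3$4" in
        d4c3b2a1|4d3cb2a1)   # little-endian (microsecond / nanosecond magic)
            echo $(( 0x${20} << 24 | 0x${19} << 16 | 0x${18} << 8 | 0x${17} )) ;;
        a1b2c3d4|a1b23c4d)   # big-endian
            echo $(( 0x${17} << 24 | 0x${18} << 16 | 0x${19} << 8 | 0x${20} )) ;;
        *) echo "not a pcap file" >&2; return 1 ;;
    esac
}

# Succeed when the file's snaplen is at least the 65535 bytes the reply
# mentions for "-s 0"; anything smaller means packets may have been cut.
snaplen_is_full() {
    n=$(pcap_snaplen "$1") || return 1
    [ "$n" -ge 65535 ]
}

# Demonstration on constructed headers: one saved with the 96-byte default,
# one saved with the full snapshot length.
tmp=$(mktemp -d)
make_pcap_header "$tmp/default.pcap" 96
make_pcap_header "$tmp/full.pcap" 65535
for f in "$tmp"/*.pcap; do
    if snaplen_is_full "$f"; then
        echo "$f: snaplen $(pcap_snaplen "$f"), whole packets kept"
    else
        echo "$f: snaplen $(pcap_snaplen "$f"), packets truncated; recapture with -s 0"
    fi
done
rm -rf "$tmp"
```

The check only reads the 24-byte global header, so it works on any size of capture file and on files written by either tcpdump or Wireshark, since both use the same format; it does not inspect individual packet records, so a file with a large snaplen can still contain short packets if the capture itself was fine.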

