tcpdump mailing list archives

Re: tcpdump-workers Digest, Vol 72, Issue 3


From: Steve Bourland <sbourland () swri edu>
Date: Sun, 8 Jul 2018 22:19:50 -0500 (CDT)

If you have the server's certificate, Wireshark has the capability to decrypt SSL traffic captured with tcpdump, but you must have the certificate and the start of the TCP session.

On Sun, 8 Jul 2018, tcpdump-workers-request () lists tcpdump org wrote:

Message: 1
Date: Sun, 8 Jul 2018 10:53:40 +0530
From: Kaushal Shriyan <kaushalshriyan () gmail com>
To: guy () alum mit edu
Cc: tcpdump-workers () lists tcpdump org
Subject: Re: [tcpdump-workers] Packet capture of SSL traffic

Thanks, Guy Harris, for the explanation. Are there any tools which can decrypt
SSL traffic once I do the packet capture of SSL traffic using tcpdump?

I look forward to hearing from you.

Best Regards,

Kaushal

On Sat, Jul 7, 2018 at 6:23 AM Guy Harris <guy () alum mit edu> wrote:

On Jul 5, 2018, at 11:18 AM, Kaushal Shriyan <kaushalshriyan () gmail com>
wrote:

> Is there a way to run tcpdump to do packet capture on SSL traffic?

Yes.  Plug the machine running tcpdump into a network on which SSL traffic
is being sent, in a fashion that allows it to see that traffic (bearing in
mind, for example, that capturing third-party traffic on a switched network
may be difficult or impossible), and run tcpdump, with the -w flag, so that
it saves the traffic to a file, and either with no filter or with a filter
that matches the SSL traffic.

If you mean "is there a way to run tcpdump so that it can *dissect* SSL
traffic", rather than just being able to put undissected raw packet
contents, including SSL packets, into a file to be read by another program,
the answer is "no" - tcpdump doesn't currently include the ability to
decrypt SSL traffic.

(I.e., there's more to being able to analyze traffic than just being able
to capture it....)


_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
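As an added illustration of Steve's caveat (example code written for this page, not from the list, tcpdump or Wireshark): a small Python checker that parses a classic pcap as written by `tcpdump -w` and reports, per client-to-server TCP stream on port 443, whether the SYN and the TLS ClientHello were captured, i.e. whether the start of the session that Wireshark needs alongside the key material is actually in the file. The capture it parses is constructed inline; the IPs, ports and frame layout are sample values, and the ClientHello test is a simple first-byte check.

```python
import struct

def _eth_ipv4_tcp(src, dst, sport, dport, flags, payload=b""):
    # Minimal Ethernet/IPv4/TCP frame builder used only for the constructed sample capture.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def build_sample_pcap():
    # Constructed capture: client A is seen from the SYN on, client B only mid-session.
    a, b, srv = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", b"\x0a\x00\x00\x03"
    hello = b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x00"  # handshake record, type 1 = ClientHello
    appdata = b"\x17\x03\x03\x00\x03abc"                         # application data record
    frames = [_eth_ipv4_tcp(a, srv, 40000, 443, 0x02),           # SYN
              _eth_ipv4_tcp(a, srv, 40000, 443, 0x18, hello),    # PSH/ACK carrying ClientHello
              _eth_ipv4_tcp(b, srv, 40001, 443, 0x18, appdata)]  # stream B: no handshake captured
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # pcap global header, LINKTYPE_ETHERNET
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f    # per-packet header: ts_sec, ts_usec, caplen, len
    return out

def check_tls_streams(pcap, port=443):
    """For each client->server TCP stream to `port`, record whether a SYN and a ClientHello were captured."""
    magic = pcap[:4]
    if magic not in (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4"):
        raise ValueError("not a classic pcap file")
    end = "<" if magic == b"\xd4\xc3\xb2\xa1" else ">"
    streams, off = {}, 24
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:       # IPv4 over Ethernet, protocol TCP
            continue
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        if dport != port:
            continue
        flags, payload = tcp[13], tcp[(tcp[12] >> 4) * 4:]
        st = streams.setdefault((frame[26:30].hex(), sport), {"syn": False, "client_hello": False})
        st["syn"] |= bool(flags & 0x02)
        # Simple check: first record byte 0x16 (handshake) and handshake type 0x01 (ClientHello).
        st["client_hello"] |= len(payload) >= 6 and payload[0] == 0x16 and payload[5] == 0x01
    return streams

def streams_missing_start(streams):
    """Streams Wireshark cannot decrypt even with the key: the handshake start was not captured."""
    return sorted(k for k, s in streams.items() if not (s["syn"] and s["client_hello"]))
```

Run it over a real file with `check_tls_streams(open("capture.pcap", "rb").read())`; any stream listed by `streams_missing_start` was captured after the handshake and will not decrypt.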