Reputation: 1501
I need to filter out all SSL packets using tcpdump. I know that only the first packet can be recognized as being ssl. Is it possible to match against the first packet and then filter out the rest of the SSL stream?
Upvotes: 4
Views: 18195
Reputation: 669
Yes, you can. You can follow the commands below to filter the first packet of SSL traffic.
Method 1
[root@arif]# tcpdump -i eth0 src host 192.168.0.2 and dst host 40.113.200.201 and dst port 443 -c 1
Where,
-i : is to mention the interface
src host : is the IP of your localhost
dst host : is the IP of your destination host
dst port : is the destination port where the SSL service is served. You can change the default (443) port according to your configuration.
-c : is used to exit tcpdump after receiving count packets. The -c flag is the main component of your filtering, as this flag tells tcpdump to exit after a specific packet count. Here, I have used 1 to exit tcpdump after capturing only one (first) packet.
Method 2
The above solution will only work if you initiate tcpdump every time. If you want to filter out only the first packet of each SSL stream, then follow the command below:
[root@arif]# tcpdump -li eth0 src host 192.168.0.2 and dst host 40.113.200.201 and port 443 and tcp[13] == 2
Where,
-l : "Make stdout line buffered. Useful if you want to see the data while capturing it." This will help you to grep/tee/awk the output.
src host, dst host : You might ignore these filters if you don't want to specify source and destination IP.
tcp[13] == 2 : In the TCP header, octet no. 13 is the octet used for setting flags. To set the SYN bit, the combination 0 0 0 0 0 0 1 0 is used (have a look at the diagram below), which is decimal 2. So this will help you to filter only the SYN packets, which is the first packet of an SSL stream.
|C|E|U|A|P|R|S|F|
|---------------|
|0 0 0 0 0 0 1 0|
|---------------|
So the above configuration should work for most scenarios.
Upvotes: 0
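As an added illustration (not part of the answer above, and not the answerer's code), this Python snippet applies the same tcp[13] byte test to constructed Ethernet/IPv4/TCP frames. It shows why == 2 matches only a bare SYN, why a bit test like tcp[13] & 2 != 0 would also match the SYN-ACK, and why a SYN that carries the C/E (ECN) bits from the diagram needs a mask to be matched. The frame builder, addresses and flag constants are my own constructions.

```python
import struct

# TCP flag bits as laid out in the answer's |C|E|U|A|P|R|S|F| diagram (constructed constants).
SYN, ACK, PSH, CWR, ECE = 0x02, 0x10, 0x08, 0x80, 0x40

def build_frame(flags: int, ihl_words: int = 5) -> bytes:
    """Constructed sample frame: Ethernet(14) + IPv4(IHL*4) + TCP(20), no payload.
    Only the fields read below are meaningful; checksums and the rest are zero."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst/src MAC, EtherType IPv4
    ip_len = ihl_words * 4
    ip = struct.pack("!BBHHHBBH4s4s",
                     (4 << 4) | ihl_words, 0, ip_len + 20, 0, 0, 64, 6, 0,
                     bytes([192, 168, 0, 2]), bytes([40, 113, 200, 201]))
    ip += b"\x00" * (ip_len - 20)                          # IP options padding if IHL > 5
    # src port, dst port, seq, ack, data offset (5 words), flags, window, csum, urgent
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp

def tcp_byte(frame: bytes, index: int) -> int:
    """Mimic tcpdump's tcp[index]: the offset is relative to the start of the TCP
    header, which sits after Ethernet and the variable-length IPv4 header (IHL)."""
    ihl_words = frame[14] & 0x0F
    return frame[14 + ihl_words * 4 + index]

def matches_exact_syn(frame: bytes) -> bool:
    """tcp[13] == 2 : every flag bit must be clear except SYN (the answer's filter)."""
    return tcp_byte(frame, 13) == 2

def matches_syn_bit(frame: bytes) -> bool:
    """tcp[13] & 2 != 0 : SYN set, other bits ignored, so SYN-ACK matches as well."""
    return tcp_byte(frame, 13) & 2 != 0

def matches_syn_ignoring_ecn(frame: bytes) -> bool:
    """tcp[13] & 0x3f == 2 : SYN only, but tolerate the CWR/ECE bits of an ECN-setup SYN."""
    return tcp_byte(frame, 13) & 0x3F == 2
```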
Reputation: 440
You can filter a tcp stream in tcpdump too, this site explains how to use tcpdump in this way, I hope it helps: tcpdump.org/tcpdump_man.html
You will have to tweak it a bit, but it should work.
Also, there is a dedicated SSL_DUMP utility.
Upvotes: 2