I have a server to which many clients connect using SSL. Recently I have been observing SSL handshake errors in the server logs (e.g. SSL MAC error). The error itself is not important, but I want to see why some clients are able to connect while others are failing, and I also need to identify which clients are failing.
For debugging this issue, I want to capture all SSL handshakes happening at the server, and since I don't know when the problematic clients connect, I don't want to capture all the traffic until that happens. I just want to capture all the SSL handshakes and later analyze them with Wireshark. Assume that I only have access to tcpdump and no other tools for capturing.
Despite the name, tcpdump can also be used to capture non-TCP traffic, including UDP and ICMP. One of this tool's primary benefits is its wide availability, making it the de facto standard format for captured network traffic.
In Ethernet mode, Wireshark's packet capture was equal to tcpdump's when the network had little traffic, that is, fewer than 1000 packets in 60 seconds. As the number of packets increased, Wireshark captured 0.5-1% more. This analysis shows that Wireshark beats tcpdump in packet-capture speed.
I don't know what exactly you are calling a handshake, but I propose this command, which will probably capture more than 95% of what you could want:
tcpdump -ni eth0 "tcp port 443 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)"
Now what does it do:
tcp[12] means capturing the 13th byte of the TCP packet, the first half being the offset and the second half being reserved.
The offset, once multiplied by 4, gives the byte count of the TCP header, meaning ((tcp[12] & 0xf0) >> 2) provides the size of the TCP header.
The first byte of a TLS packet defines the content type. The value 22 (0x16 in hexadecimal) has been defined as being "Handshake" content.
As a consequence, tcp[((tcp[12] & 0xf0) >> 2)] = 0x16 captures every packet having the first byte after the TCP header set to 0x16.
More filtering can be performed, but this strictly answers your question.
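To see what the byte arithmetic in that filter actually tests, here is an added Python example (not from the answer above and not part of tcpdump) that recomputes the same offsets on constructed IPv4/TCP segments and also reads the handshake message type that follows the 0x16 record header; every packet below is built inline and is not captured traffic.

```python
import struct

# TLS record content type values; 0x16 = 22 = Handshake
TLS_HANDSHAKE = 0x16
# Handshake message types found in the first byte of a Handshake record body
HANDSHAKE_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 14: "ServerHelloDone"}

def build_ipv4_tcp(payload: bytes, tcp_options: bytes = b"") -> bytes:
    """Construct a minimal IPv4+TCP packet for offline testing (constructed sample data;
    checksums are left at zero because nothing here validates them)."""
    assert len(tcp_options) % 4 == 0, "TCP options must pad to 32-bit words"
    tcp_len = 20 + len(tcp_options)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len + len(payload),
                         0, 0, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    # data offset (header length in 32-bit words) lives in the high nibble of TCP byte 12
    tcp_hdr = struct.pack("!HHIIBBHHH", 51234, 443, 1, 1, (tcp_len // 4) << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + tcp_options + payload

def tcp_payload(ip_packet: bytes) -> bytes:
    """Skip the IPv4 and TCP headers using the same arithmetic as the tcpdump filter."""
    ihl = (ip_packet[0] & 0x0F) * 4            # IPv4 header length in bytes
    tcp = ip_packet[ihl:]
    data_offset = (tcp[12] & 0xF0) >> 2        # (high nibble >> 4) * 4 == high nibble >> 2
    return tcp[data_offset:]

def matches_handshake_filter(ip_packet: bytes) -> bool:
    """Mirror of tcp[((tcp[12] & 0xf0) >> 2)] = 0x16. As in BPF, a segment with no
    payload (a pure ACK) cannot match because the indexed byte does not exist."""
    payload = tcp_payload(ip_packet)
    return len(payload) > 0 and payload[0] == TLS_HANDSHAKE

def handshake_message(ip_packet: bytes):
    """For a matching segment, name the handshake message that opens the record, so a
    capture can be sorted into client-originated and server-originated messages."""
    payload = tcp_payload(ip_packet)
    if not matches_handshake_filter(ip_packet) or len(payload) < 6:
        return None
    return HANDSHAKE_NAMES.get(payload[5], f"handshake type {payload[5]}")

# Constructed sample segments: a truncated ClientHello record behind 8 bytes of TCP
# options (MSS, SACK-permitted, two NOPs), a pure ACK, and cleartext HTTP sent to port 443.
CLIENT_HELLO = build_ipv4_tcp(b"\x16\x03\x01\x00\x04\x01\x00\x00\x00",
                              tcp_options=b"\x02\x04\x05\xb4\x04\x02\x01\x01")
PURE_ACK = build_ipv4_tcp(b"")
PLAIN_HTTP = build_ipv4_tcp(b"GET / HTTP/1.1\r\n")

if __name__ == "__main__":
    for name, pkt in [("ClientHello", CLIENT_HELLO), ("ACK", PURE_ACK), ("HTTP", PLAIN_HTTP)]:
        print(name, matches_handshake_filter(pkt), handshake_message(pkt))
```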
I think the accepted answer is a premature optimization with a fragile solution.
The SSL handshake occurs as soon as the connection is established.
Easy approach: start the capture before the client connects to the remote host, and capture the first, full N packets.
For example, for 300 packets:
/usr/sbin/tcpdump -i eth0 -p -s 65535 -c 300 "tcp and host 1.2.3.4 and port 443"
This way Wireshark has the full payload of the SSL handshake, can decode it and show you all the bits.