Sniff SSL handshake using tshark

Solution 1:

Like this.

tshark -nn -i <interface> -s 0 -w mycapture.pcap host <hostname> and port <portnumber>

Replace <interface> with the interface name to capture on (e.g., eth0). Replace <hostname> with the name or IP address of the remote host you want to capture packets for. Replace <portnumber> with the port the service is running on (probably 443).

You can also use tcpdump instead. Both Wireshark and tcpdump use libpcap for capturing, so you'll capture the exact same information. You can also copy the resulting file and open it in Wireshark on a different computer.

The command line flags for tcpdump and tshark are close enough that in most cases they can be used interchangeably.

Solution 2:

Assuming you already know how to use filters with tshark, just supply the following display filter:

ssl.handshake.type == 1

If you want all ssl traffic, simply put ssl as the filter.

You cannot use these directly in the capture filters as the capture filtering mechanism doesn't know if the payload is ssl or not.

Alternatively, if you know what port the ssl traffic is going through, you can use a capture filter for that port, e.g. if the ssl traffic is going on port 443, use the filter port 443.

For more reading, refer to:

  1. More extensive list of ssl display filters here.

  2. How to capture ssl using capture filters

An example command for you to capture ssl traffic in a human readable format and put it in a file would be:

tshark -i <interface> -c <no. of packets to capture> -V -Y "ssl" > capturefile.txt

Or, using capture filters:

tshark -i <interface> -c <no. of packets to capture> -V -f "port 443" > capturefile.txt

Also refer to the tshark man page for more details.
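As an added illustration (not part of either answer above) of what the display filter ssl.handshake.type == 1 actually tests at the byte level, and why a capture filter, which only sees link/IP/TCP headers, cannot test it, here is a small Python parser for a TLS ClientHello record. It goes one step beyond the answers by also pulling out the server_name (SNI) extension. The sample record is constructed inline, and the function names are my own, not tshark's.

```python
import struct

TLS_RECORD_HANDSHAKE = 0x16   # record content type "handshake" (tshark: ssl.record.content_type == 22)
HANDSHAKE_CLIENT_HELLO = 1    # the value "ssl.handshake.type == 1" matches
EXT_SERVER_NAME = 0           # SNI extension type

def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (sample input, not real captured traffic)."""
    sni = server_name.encode()
    name_entry = b"\x00" + struct.pack("!H", len(sni)) + sni            # name_type host_name(0), length, name
    sni_ext = (struct.pack("!HH", EXT_SERVER_NAME, len(name_entry) + 2)
               + struct.pack("!H", len(name_entry)) + name_entry)          # ext type, ext len, list len, entry
    body = (b"\x03\x03" + bytes(32)        # client_version TLS 1.2, 32-byte random (zeroed here)
            + b"\x00"                      # session_id length 0
            + b"\x00\x02\xc0\x2f"          # cipher_suites: one suite
            + b"\x01\x00"                  # compression_methods: null only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_RECORD_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(payload: bytes):
    """Return (handshake_type, server_name) for a TCP payload starting with a TLS handshake record.

    Returns None when the payload is not a complete handshake record (e.g. plain HTTP, or a
    record cut across TCP segments, which tshark reassembles and this toy parser does not).
    """
    if len(payload) < 9 or payload[0] != TLS_RECORD_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", payload[3:5])[0]
    if rec_len + 5 > len(payload):
        return None
    hs_type = payload[5]                   # this byte is what the display filter compares against 1
    if hs_type != HANDSHAKE_CLIENT_HELLO:
        return (hs_type, None)
    p = 9 + 2 + 32                         # skip handshake header, client_version, random
    p += 1 + payload[p]                    # session_id
    p += 2 + struct.unpack("!H", payload[p:p + 2])[0]   # cipher_suites
    p += 1 + payload[p]                    # compression_methods
    if p + 2 > len(payload):
        return (hs_type, None)             # no extensions block at all
    ext_end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", payload[p:p + 4])
        if ext_type == EXT_SERVER_NAME and ext_len >= 5:
            name_len = struct.unpack("!H", payload[p + 7:p + 9])[0]   # list len(2) + name_type(1) precede it
            return (hs_type, payload[p + 9:p + 9 + name_len].decode("ascii", "replace"))
        p += 4 + ext_len
    return (hs_type, None)
```

Note that nothing before byte 5 of the TCP payload identifies the handshake type, which is exactly why the port-based capture filter from the answer is the only thing libpcap can key on.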