Sniff SSL handshake using tshark
Solution 1:
Like this:
tshark -nn -i <interface> -s 0 -w mycapture.pcap <hostname> and port <portnumber>
Replace <interface> with the interface name to capture on (e.g., eth0). Replace <hostname> with the name or IP address of the remote host you want to capture packets for. Replace <portnumber> with the port the service is running on (probably 443).
You can also use tcpdump instead. Both Wireshark and tcpdump use libpcap for capturing, so you'll capture the exact same information. You can also copy the resulting file and open it in Wireshark on a different computer.
The command line flags for tcpdump and tshark are close enough that in most cases they can be used interchangeably.
Solution 2:
Assuming you already know how to use filters with tshark, just supply the following display filter:
ssl.handshake.type == 1
If you want all ssl traffic, simply put ssl as the filter.
You cannot use these directly in the capture filters as the capture filtering mechanism doesn't know if the payload is ssl or not.
Alternatively, if you know what port the ssl traffic is going through, you can use a capture filter for that port, e.g. if the ssl traffic is going on port 443, use the filter port 443.
For more reading, refer to:
More extensive list of ssl display filters here.
How to capture ssl using capture filters
An example command for you to capture ssl traffic in a human-readable format and put it in a file will be:
tshark -i <interface> -c <no. of packets to capture> -V -R "ssl" > capturefile.txt
Or using capture filters:
tshark -i <interface> -c <no. of packets to capture> -V -f "port 443" > capturefile.txt
Also refer to the tshark man page for more details.
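Both answers rest on the same distinction: a capture filter (-f, BPF via libpcap) only sees transport headers such as the port, while a display filter like ssl.handshake.type == 1 is evaluated after dissection and matches a specific byte inside the TLS record. The following Python script is an added illustration, not code from either answer, of what that byte is. It assembles a constructed TLS 1.2 ClientHello (the random bytes and the SNI example.test are made-up sample data), parses the record and handshake headers the way a dissector would, and contrasts a port-only check with a payload-based check. The function names are my own and do not correspond to any tshark or libpcap API.

```python
"""Show what tshark's `ssl.handshake.type == 1` display filter matches, and why a
port-based capture filter cannot make the same decision.

All packet bytes below are constructed for the example, not captured traffic.
"""
import struct

# TLS constants (RFC 5246 record/handshake layer, RFC 6066 server_name extension)
CONTENT_TYPE_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 1          # the value the display filter compares against
EXT_SERVER_NAME = 0x0000


def build_client_hello(server_name: str) -> bytes:
    """Assemble a minimal TLS 1.2 ClientHello record with one SNI extension.
    Constructed sample bytes; the client random is a fixed placeholder."""
    host = server_name.encode("ascii")
    sni_entry = struct.pack("!BH", 0, len(host)) + host          # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                                  # client_version: TLS 1.2
        + b"\x11" * 32                               # client random (placeholder)
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"         # one cipher suite
        + b"\x01\x00"                                # one compression method: null
        + struct.pack("!H", len(sni_ext)) + sni_ext  # extensions
    )
    handshake = struct.pack("!B", HANDSHAKE_CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", CONTENT_TYPE_HANDSHAKE, 0x0303, len(handshake)) + handshake


def parse_tls_record(data: bytes) -> dict:
    """Read the 5-byte record header and the 4-byte handshake header; for a
    ClientHello also pull out the SNI. Returns {} if this is not a handshake record."""
    if len(data) < 9 or data[0] != CONTENT_TYPE_HANDSHAKE:
        return {}
    rec_version, rec_len = struct.unpack("!HH", data[1:5])
    hs_type = data[5]                                # byte tshark calls ssl.handshake.type
    hs_len = int.from_bytes(data[6:9], "big")
    info = {"record_version": rec_version, "record_len": rec_len,
            "handshake_type": hs_type, "sni": None}
    if hs_type != HANDSHAKE_CLIENT_HELLO or len(data) < 9 + hs_len:
        return info
    p = 9
    p += 2 + 32                                      # client_version + random
    p += 1 + data[p]                                 # session_id
    cs_len = struct.unpack("!H", data[p:p + 2])[0]
    p += 2 + cs_len                                  # cipher suites
    p += 1 + data[p]                                 # compression methods
    if p + 2 > 9 + hs_len:
        return info                                  # no extensions present
    ext_total = struct.unpack("!H", data[p:p + 2])[0]
    p += 2
    end = p + ext_total
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", data[p:p + 4])
        p += 4
        if ext_type == EXT_SERVER_NAME and ext_len >= 5:
            name_len = struct.unpack("!H", data[p + 3:p + 5])[0]
            info["sni"] = data[p + 5:p + 5 + name_len].decode("ascii", "replace")
        p += ext_len
    return info


def capture_filter_port(port: int, src_port: int, dst_port: int) -> bool:
    """What `-f "port 443"` can decide: only transport headers, never the payload."""
    return port in (src_port, dst_port)


def display_filter_client_hello(payload: bytes) -> bool:
    """What `ssl.handshake.type == 1` decides after the payload has been dissected."""
    return parse_tls_record(payload).get("handshake_type") == HANDSHAKE_CLIENT_HELLO


if __name__ == "__main__":
    hello = build_client_hello("example.test")
    plain = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"  # non-TLS payload on the same port
    for label, payload in (("ClientHello", hello), ("plain HTTP", plain)):
        print(label, "port filter:", capture_filter_port(443, 51000, 443),
              "display filter:", display_filter_client_hello(payload))
    print(parse_tls_record(hello))
```

Running it shows the port filter accepting both payloads while the display filter accepts only the ClientHello, which is exactly why Solution 2 says the handshake filter cannot be used at capture time and must be applied afterwards (-R in the answer's tshark version) or over a port-based capture as in Solution 1.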