tcpdump Server Hello Certificate Filter

If you just want to get the SSL Handshake Hello packet to see the contained SNI, the following filter seems to work for both TLS1.0 and TLS1.2 :

tcpdump -i any -s 1500 (tcp[((tcp[12:1] & 0xf0) >> 2)+5:1] = 0x01) and (tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16)

where 0x16 = Handshake (22) at the first byte field of the data

and 0x01 = Client Hello (1) at the 6th byte field of the data

The id-at-commonName label is shown by Wireshark, the wire format does not contain the text, but raw bytes. The name id-at-commonName is 03 in bytes. Following that, there is a UTF8String (12 = 0x0c) with a length of 9 bytes (localhost).

If you are trying to match host names from a TCP stream, keep the following in mind:

• Certificates may be valid for multiple subjects, you may find additional names in id-ce-subjectAltName (2.5.29.17)
• The real host that you are trying to connect to may be advertised in ClientHello handshake message via the Server Name Indication (SNI) extension.
• Multiple messages may be combined in a single record.

Finally, note that the SSL messages may be split over multiple TCP segments, making direct analysis even harder. Perhaps it is an option to capture to write a fixed count of packets to file with rotation enabled, manually parse with tshark afterwards, and finally remove the capture?

thanks @Nathan Chan, since I cannot comment due to no enough reputation, add parameters '-nnXSs0 -ttt' to make it readable.

tcpdump -i any -s 1500 '(tcp[((tcp[12:1] & 0xf0) >> 2)+5:1] = 0x01) and (tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16)' -nnXSs0 -ttt