Hi there,

> I have a group of systems that I need to monitor for use of
> approved SSL cipher suites. Wireshark is not available on them.
> tcpdump is the tool I need to use.
>
> Do you know, or know someone who would know, how to construct a
> tcpdump filter that matches only packets for the SSL handshake?
>
> Due to the volume of traffic on the systems I cannot capture
> everything and filter later.
>
> The most useful hint found so far is at:
> http://serverfault.com/questions/574405/tcpdump-server-hello-certificate-filter

I'll take a stab at your question from a slightly different angle. Rather than trying to get the BPF just right for something that is a few layers higher in the stack (and requires some stream reassembly logic), perhaps you could try a tool that operates on the stream.

I know you mentioned that wireshark was not available. Are you able to install software on these systems? If so, then you may find that the ssldump program [0] provides you output detail that is closer to your desired question. I have never used ssldump in production, but it seems a handy little tool:

  ssldump -i "${INTERFACE}" -P

The -i specifies interface. The -P says, don't get promiscuous. Hopefully it is in your upstream distribution. I find it in the stock repositories for both OpenSUSE-13.2 and Ubuntu-14.04.3.

Need to capture the textual output? Use tee, maybe?

Die, RC4, die [1].

-Martin

[0] http://ssldump.sourceforge.net/
[1] https://tools.ietf.org/html/rfc7465

--
Martin A. Brown
http://linux-ip.net/

_______________________________________________
PLUG mailing list
PLUG@lists.pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug
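The BPF approach the question points at works by testing the first byte of the TCP payload for the TLS handshake content type (0x16); the commonly used tcpdump form is `tcp port 443 and tcp[((tcp[12] & 0xf0) >> 2)] = 0x16`, which computes the TCP header length from the data-offset nibble and indexes the byte after it. Martin's caveat applies: that byte test only matches when a record begins at the start of a segment, so a ClientHello spanning segments needs stream reassembly. The script below, added here as an example and not code from the thread, from ssldump, or from the serverfault answer, performs the same first-byte test in Python and then carries the audit through to the part the question actually cares about: pulling the cipher suite list out of a ClientHello and comparing it against an approval list, flagging RC4 suites per RFC 7465. The ClientHello it parses is constructed inline, not captured; the approval set and the suite-name table (a small subset of the IANA registry) are assumptions for the example.

```python
"""Classify raw TCP payloads as TLS handshake records and audit the cipher
suites a ClientHello offers. Added example; not code from the PLUG thread.
The sample ClientHello below is constructed here, not a captured packet."""
import struct

TLS_HANDSHAKE = 0x16          # TLS record content type: handshake
CLIENT_HELLO = 0x01           # handshake message type
# Subset of the IANA cipher suite registry (values are the registered IDs).
SUITE_NAMES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

def is_tls_handshake(payload: bytes) -> bool:
    """Same test a BPF filter on the first TCP payload byte performs:
    content type 0x16 plus a plausible record-layer version (0x0300..0x0304)."""
    return (len(payload) >= 5 and payload[0] == TLS_HANDSHAKE
            and payload[1] == 0x03 and payload[2] <= 0x04)

def parse_client_hello(payload: bytes):
    """Return the cipher suite IDs offered in a ClientHello, or None if the
    payload is not a complete ClientHello record (e.g. split across segments)."""
    if not is_tls_handshake(payload):
        return None
    rec_len = struct.unpack(">H", payload[3:5])[0]
    body = payload[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4 or body[0] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # ClientHello layout: version(2) random(32) session_id<0..32> cipher_suites<2..2^16-2>
    pos = 2 + 32
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                      # skip session_id
    if len(hello) < pos + 2:
        return None
    cs_len = struct.unpack(">H", hello[pos:pos + 2])[0]
    pos += 2
    suites = hello[pos:pos + cs_len]
    if len(suites) != cs_len or cs_len % 2:
        return None                            # truncated or malformed list
    return [struct.unpack(">H", suites[i:i + 2])[0] for i in range(0, cs_len, 2)]

def audit_suites(suite_ids, approved):
    """Split offered suites into approved / unapproved and flag RC4 (RFC 7465)."""
    report = {"approved": [], "unapproved": [], "rc4": []}
    for sid in suite_ids:
        name = SUITE_NAMES.get(sid, "UNKNOWN_0x%04X" % sid)
        (report["approved"] if sid in approved else report["unapproved"]).append(name)
        if "RC4" in name:
            report["rc4"].append(name)
    return report

def build_client_hello(suite_ids):
    """Constructed TLS 1.2 ClientHello record (no extensions) used as sample input."""
    body = b"\x03\x03" + bytes(32) + b"\x00"  # version, random, empty session_id
    cs = b"".join(struct.pack(">H", s) for s in suite_ids)
    body += struct.pack(">H", len(cs)) + cs
    body += b"\x01\x00"                        # one compression method: null
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack(">H", len(hs)) + hs

APPROVED = {0xC02F, 0xC030}                    # assumed policy for this example
SAMPLE_HELLO = build_client_hello([0xC030, 0xC02F, 0x0035, 0x0005, 0x0004])
NOT_TLS = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"   # constructed non-TLS payload

if __name__ == "__main__":
    for pkt in (SAMPLE_HELLO, NOT_TLS):
        ids = parse_client_hello(pkt)
        print("TLS handshake" if is_tls_handshake(pkt) else "not TLS",
              audit_suites(ids, APPROVED) if ids else "")
```

Feeding this real payloads means reading TCP segments from a pcap written by the tcpdump filter above (or by ssldump's own capture); the `None` return on truncated records is what signals that the handshake needs reassembly before the suite list can be trusted.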