Re: [PLUG] tcpdump whiz?
I may be able to wrangle an agreement to install ssldump. Life will be
easier if I can get it done with tcpdump. The goal is to capture the SSL
handshake packets and then check for which devices are not using approved
cipher suites. A make-my-life-really-easy solution would spit out the IP
address of the server and the cipher suite agreed on with the client.
Though in our case both entities are servers or load balancers; it's not
a client in the end-user sense.

On Thu, Feb 25, 2016 at 07:43:56PM -0800, Martin A. Brown wrote:
>
> Hi there,
>
> >I have a group of systems that I need to monitor for use of
> >approved SSL cipher suites. Wireshark is not available on them.
> >tcpdump is the tool I need to use.
> >
> >Do you know, or know someone who would know, how to construct a
> >tcpdump filter that matches only packets for the SSL handshake?
> >
> >Due to the volume of traffic on the systems I cannot capture
> >everything and filter later.
> >
> >The most useful hint found so far is at:
> >http://serverfault.com/questions/574405/tcpdump-server-hello-certificate-filter
>
> I'll take a stab at your question from a slightly different angle.
>
> Rather than trying to get the BPF just right for something that is a
> few layers higher in the stack (and requires some stream
> reassembly logic), perhaps you could try a tool that operates on the
> stream.
>
> I know you mentioned that wireshark was not available. Are you able
> to install software on these systems? If so, then you may find that
> the ssldump program [0] provides you output detail that is closer to
> your desired question.
>
> I have never used ssldump in production, but it seems a handy little
> tool:
>
>   ssldump -i "${INTERFACE}" -P
>
> The -i specifies interface. The -P says, don't get promiscuous.
> Hopefully it is in your upstream distribution. I find it in the
> stock repositories for both OpenSUSE-13.2 and Ubuntu-14.04.3.
>
> Need to capture the textual output? Use tee, maybe?
>
> Die, RC4, die [1].
>
> -Martin
>
> [0] http://ssldump.sourceforge.net/
> [1] https://tools.ietf.org/html/rfc7465
>
> --
> Martin A. Brown
> http://linux-ip.net/
> ___
> PLUG mailing list
> PLUG@lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
>

--
Michael Rasmussen, Portland Oregon
Be Appropriate && Follow Your Curiosity
The weak can never forgive. Forgiveness is the attribute of the strong.
~ Mahatma Gandhi
Re: [PLUG] tcpdump whiz?
Hi there,

>I have a group of systems that I need to monitor for use of
>approved SSL cipher suites. Wireshark is not available on them.
>tcpdump is the tool I need to use.
>
>Do you know, or know someone who would know, how to construct a
>tcpdump filter that matches only packets for the SSL handshake?
>
>Due to the volume of traffic on the systems I cannot capture
>everything and filter later.
>
>The most useful hint found so far is at:
>http://serverfault.com/questions/574405/tcpdump-server-hello-certificate-filter

I'll take a stab at your question from a slightly different angle.

Rather than trying to get the BPF just right for something that is a
few layers higher in the stack (and requires some stream
reassembly logic), perhaps you could try a tool that operates on the
stream.

I know you mentioned that wireshark was not available. Are you able
to install software on these systems? If so, then you may find that
the ssldump program [0] provides you output detail that is closer to
your desired question.

I have never used ssldump in production, but it seems a handy little
tool:

  ssldump -i "${INTERFACE}" -P

The -i specifies interface. The -P says, don't get promiscuous.
Hopefully it is in your upstream distribution. I find it in the
stock repositories for both OpenSUSE-13.2 and Ubuntu-14.04.3.

Need to capture the textual output? Use tee, maybe?

Die, RC4, die [1].

-Martin

[0] http://ssldump.sourceforge.net/
[1] https://tools.ietf.org/html/rfc7465

--
Martin A. Brown
http://linux-ip.net/
Re: [PLUG] tcpdump whiz?
From the link you posted:

  tcpdump -i any -s 1500 '(tcp[((tcp[12:1] & 0xf0) >> 2)+5:1] = 0x01) and (tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16)'

This captures the SSL handshake (0x16), and the hello (0x01). Seems
reasonable that you could delete the expression for hello and end up with:

  tcpdump -i any -s 1500 '(tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16)'

Does this not work?

> On Feb 25, 2016, at 6:08 PM, Michael Rasmussen wrote:
>
> I have a group of systems that I need to monitor for use of approved SSL
> cipher suites.
> Wireshark is not available on them. tcpdump is the tool I need to use.
>
> Do you know, or know someone who would know, how to construct a tcpdump filter
> that matches
> only packets for the SSL handshake?
>
> Due to the volume of traffic on the systems I cannot capture everything and
> filter later.
>
> The most useful hint found so far is at:
> http://serverfault.com/questions/574405/tcpdump-server-hello-certificate-filter
>
> --
> Michael Rasmussen, Portland Oregon
> Be Appropriate && Follow Your Curiosity
> People play badly for various reasons; the most common one is failure
> to judge what they currently produce as inadequate.
> ~ Tony Pay (on a Clarinet discussion list)

--
Louis Kowolowski lou...@cryptomonkeys.org
Cryptomonkeys: http://www.cryptomonkeys.com/
Making life more interesting for people since 1977
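To tie Louis's filter arithmetic to Michael's goal (server IP plus the suite actually agreed), here is an added Python example that is not from anyone in the thread: it applies the same `(tcp[12] & 0xf0) >> 2` offset math to constructed TCP segments, then parses the ServerHello (handshake type 0x02, the message that carries the chosen cipher suite; 0x01 is the ClientHello, which only lists offers) and flags suites outside an assumed approved list. The IPs, records and "approved" policy are constructed for illustration, and the parser assumes the ServerHello starts at the beginning of a TCP segment, which is usual but not guaranteed.

```python
import struct
# Constructed sample data: cipher-suite ids are real IANA values; the IPs,
# records and the "approved" policy below are made up for this example.
CIPHER_NAMES = {0x0005: "TLS_RSA_WITH_RC4_128_SHA",
                0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}
APPROVED = {0xC02F}  # hypothetical policy: only this suite is acceptable

def tcp_payload(segment: bytes) -> bytes:
    """Strip the TCP header using the BPF filter's arithmetic:
    data offset in bytes = (tcp[12] & 0xf0) >> 2."""
    return segment[(segment[12] & 0xF0) >> 2:]

def is_handshake(payload: bytes, hs_type: int) -> bool:
    """Mirror of: tcp[off:1] = 0x16 and tcp[off+5:1] = hs_type."""
    return len(payload) > 5 and payload[0] == 0x16 and payload[5] == hs_type

def server_hello_cipher(payload: bytes):
    """Cipher suite chosen in a ServerHello (handshake type 0x02), else None."""
    if not is_handshake(payload, 0x02):
        return None
    pos = 5 + 4 + 2 + 32             # record hdr, handshake hdr, version, random
    pos += 1 + payload[pos]          # session_id length byte + session_id
    return struct.unpack("!H", payload[pos:pos + 2])[0]

def build_server_hello(suite: int, session_id: bytes = b"") -> bytes:
    """Constructed TLS 1.2 ServerHello record, used only as test input."""
    body = (b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
            + struct.pack("!H", suite) + b"\x00")
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

def build_tcp_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Minimal TCP header (20 bytes plus options) so the offset math is exercised."""
    hdr = bytearray(20)
    hdr[12] = ((20 + len(options)) // 4) << 4   # data offset in 32-bit words
    return bytes(hdr) + options + payload

def audit(segments):
    """Return (server_ip, suite_name, approved) for every ServerHello seen."""
    report = []
    for src_ip, seg in segments:
        suite = server_hello_cipher(tcp_payload(seg))
        if suite is not None:
            report.append((src_ip, CIPHER_NAMES.get(suite, hex(suite)), suite in APPROVED))
    return report

SAMPLE = [("10.0.0.10", build_tcp_segment(build_server_hello(0xC02F))),
          ("10.0.0.11", build_tcp_segment(build_server_hello(0x0005, b"\xaa" * 8), b"\x01" * 4)),
          ("10.0.0.12", build_tcp_segment(b"\x17\x03\x03\x00\x01\x00"))]  # app data, skipped
```

`audit(SAMPLE)` reports 10.0.0.11 as not approved for negotiating RC4; on real traffic you would feed it the TCP payloads from a capture taken with Louis's two-clause filter, with 0x02 in place of 0x01 so that ServerHello rather than ClientHello records are kept.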
Re: [PLUG] tcpdump whiz?
On Thu, Feb 25, 2016 at 04:24:34PM -0800, Ishak Micheil wrote:
> Jim Hassing knows.

No he doesn't. We've already chatted about it.

For those of you scratching your heads over that exchange, Jim, Ishak,
and I share a common employer.

> On Feb 25, 2016 16:11, "Michael Rasmussen" wrote:
>
> > I have a group of systems that I need to monitor for use of approved SSL
> > cipher suites.
> > Wireshark is not available on them. tcpdump is the tool I need to use.
> >
> > Do you know, or know someone who would know, how to construct a tcpdump
> > filter that matches
> > only packets for the SSL handshake?
> >
> > Due to the volume of traffic on the systems I cannot capture everything
> > and filter later.
> >
> > The most useful hint found so far is at:
> >
> > http://serverfault.com/questions/574405/tcpdump-server-hello-certificate-filter
> >
> > --
> > Michael Rasmussen, Portland Oregon
> > Be Appropriate && Follow Your Curiosity
> > People play badly for various reasons; the most common one is failure
> > to judge what they currently produce as inadequate.
> > ~ Tony Pay (on a Clarinet discussion list)
>

--
Michael Rasmussen, Portland Oregon
Be Appropriate && Follow Your Curiosity
Too often we enjoy the comfort of opinion without the discomfort of thought.
~ John F. Kennedy