I would also add that there exists a tool called ssldump (also operating on top of libpcap) that is indeed able (under certain conditions) to capture and decode SSL traffic.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, January 23, 2007 8:08 PM
To: [email protected]
Subject: Re: [tcpdump-workers] Capture/decode SSL

Excellent information. Thanks, Guy!

tl

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Harris
Sent: Tuesday, January 23, 2007 12:59 PM
To: [email protected]
Subject: Re: [tcpdump-workers] Capture/decode SSL

[EMAIL PROTECTED] wrote:
> I need to capture and decode SSL traffic. Does tcpdump support this?

Tcpdump supports capturing *all* network traffic; if it captures and saves packets to a file, the packet contents are just a big bucket of bytes.

Note that its default "snapshot length" is 68 bytes in versions built without IPv6 support and 96 bytes in versions built with IPv6 support, so, by default, you will only get the first 68 or 96 bytes of each packet; to override that, use "-s 0" in modern versions of tcpdump (and "-s 65535" in older versions), which will give you up to 65535 bytes of each link-layer packet.

It doesn't support decoding SSL, however.

Recent versions of Wireshark can capture and decode SSL, complete with decryption in at least some cases, and can also read captures from tcpdump (its native capture file format is the same as that of tcpdump), as well as captures from a number of other network analyzers.

- This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
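A way to check whether an existing tcpdump capture was taken with the small default snapshot length before handing it to Wireshark for SSL decoding, as an added example (not code from this thread, from tcpdump or from Wireshark): it reads the classic pcap global header to recover the snaplen and counts records whose captured length is shorter than the original packet length. The sample capture is constructed inline and is not a real trace.

```python
import struct

# Constructed sample: a little-endian classic pcap whose global header carries
# snaplen 96 (the IPv6-build default from the thread) and two packet records.
# Packet one is a 60-byte frame that fits; packet two is a 1400-byte frame of
# which only the first `snaplen` bytes were kept. Timestamps are made up.
def build_sample_pcap(snaplen=96):
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    records = []
    for orig_len in (60, 1400):
        incl_len = min(orig_len, snaplen)
        # ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)
        records.append(struct.pack("<IIII", 1169578800, 0, incl_len, orig_len))
        records.append(b"\x00" * incl_len)
    return header + b"".join(records)

def inspect_pcap(data):
    """Return (snaplen, total_packets, truncated_packets) for a classic pcap blob."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"          # written on a little-endian host
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"          # written on a big-endian host
    else:
        raise ValueError("not a classic pcap file (magic %r)" % magic)
    snaplen = struct.unpack(endian + "IHHiIII", data[:24])[5]
    offset, total, truncated = 24, 0, 0
    while offset + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16 + incl_len
        total += 1
        if incl_len < orig_len:   # tail of the packet was never saved
            truncated += 1
    return snaplen, total, truncated

if __name__ == "__main__":
    snaplen, total, truncated = inspect_pcap(build_sample_pcap())
    print("snaplen=%d packets=%d truncated=%d" % (snaplen, total, truncated))
```

A capture that reports truncated packets cannot be fully decoded no matter what the analyzer supports; it has to be retaken with "-s 0" (or "-s 65535" on older tcpdump).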
