4

I need to filter out all SSL packets using tcpdump. I know that only the first packet can be recognized as being ssl. Is it possible to match against the first packet and then filter out the rest of the SSL stream?

Pass
  • 1,501
  • 4
  • 21
  • 39
  • So you want to match only the first packet, or based on the first packet you want to capture all of the others? – Corbin Nov 22 '11 at 09:19
  • no, I want to filter out all SSL packets – Pass Nov 22 '11 at 09:23
  • 1
    Can't you do it using the https port? – Some programmer dude Nov 22 '11 at 09:29
  • Wireshark has a superb "follow stream" button that will make easily visible the one stream when you click on one of the packets in the stream, but I think it does all this processing off-line. – sarnold Nov 22 '11 at 09:34
  • yep, this is an awesome wireshark feature but I need to do it from tcpdump. in other words, I need this information programmatically. – Pass Nov 22 '11 at 09:36

2 Answers

2

You can filter a TCP stream in tcpdump too; this site explains how to use tcpdump in this way. I hope it helps: tcpdump.org/tcpdump_man.html

You will have to tweak it a bit, but it should work.

Also, there is a dedicated SSL_DUMP utility.

Stellarator
  • 440
  • 2
  • 8
0

Yes, you can. Follow the commands below to filter the first packet of SSL traffic:

Method 1

[root@arif]# tcpdump -i eth0 -c 1 src host 192.168.0.2 and dst host 40.113.200.201 and dst port 443

Where,

  • -i: specifies the interface
  • src host: the IP of your local host
  • dst host: the IP of your destination host
  • dst port: the destination port where the SSL service is served. You can change the default (443) port according to your configuration.
  • -c: used to exit tcpdump after receiving count packets.

The -c flag is the main component of your filtering, as this flag tells tcpdump to exit after a specific packet count. Here I have used 1 to exit tcpdump after capturing only one (the first) packet.

Method 2

The above solution will only work if you initiate tcpdump every time. If you want to filter out only the first packet of each SSL stream, then follow the command below:

[root@arif]# tcpdump -li eth0 src host 192.168.0.2 and dst host 40.113.200.201 and port 443 and tcp[13] == 2

Where,

  • -l: "Make stdout line buffered. Useful if you want to see the data while capturing it." This will help you grep/tee/awk the output.

  • src host, dst host: You may omit these filters if you don't want to specify source and destination IPs.

  • tcp[13] == 2: In the TCP header, octet no. 13 is the octet used for the flags. To set the SYN bit the combination 0 0 0 0 0 0 1 0 is used (have a look at the diagram below), which is decimal 2. So this will help you filter only the SYN packets, which are the first packets of an SSL stream.

 |C|E|U|A|P|R|S|F|
 |---------------|
 |0 0 0 0 0 0 1 0|
 |---------------|

So the above configuration should work for most scenarios.

arif
  • 579
  • 1
  • 7
  • 21
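Following on from Method 2, here is an added example that is not part of either answer above. It turns the SYN line that `tcpdump -l ... and tcp[13] == 2` prints into a BPF expression that matches every remaining packet of that one stream, in both directions, which is what the question asks for. It assumes tcpdump is run with `-n` so addresses and ports stay numeric (without `-n`, port 443 is printed as `https` and the parsing below breaks); the sample line is constructed to mimic tcpdump's default output format, and the live pipeline at the end is shown in a comment only because it needs root and a real interface.

```sh
#!/bin/sh
# Added example, not code from the original answers.
# Assumes: tcpdump invoked with -n (numeric hosts/ports), default line format:
#   HH:MM:SS.usec IP SRC.SPORT > DST.DPORT: Flags [S], seq ..., length 0

# Constructed sample of one SYN line as tcpdump -n prints it.
SAMPLE_SYN_LINE='09:19:01.123456 IP 192.168.0.2.51234 > 40.113.200.201.443: Flags [S], seq 1000, win 64240, length 0'

# Same SYN match as the answer's tcp[13] == 2, written with tcpdump's named
# flag constants so SYN-ACKs (flags byte 18) are still excluded explicitly.
SYN_ONLY_FILTER='tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'

# If you want the first *SSL* packet rather than the TCP SYN: the first TLS
# record a client sends is a handshake record (type 0x16) carrying a
# ClientHello (handshake type 0x01). tcp[12] holds the data offset in its
# high nibble, so ((tcp[12:1] & 0xf0) >> 2) is the TCP header length in
# bytes, i.e. the offset of the first payload byte.
TLS_CLIENT_HELLO_FILTER='tcp dst port 443 and tcp[((tcp[12:1] & 0xf0) >> 2)] == 0x16 and tcp[((tcp[12:1] & 0xf0) >> 2) + 5] == 0x01'

# flow_filter LINE
# Prints a BPF expression for the 4-tuple in LINE (both directions).
# Returns 1 for anything that is not a pure SYN line, so a caller can skip it.
flow_filter() {
    line="$1"
    case "$line" in
        *"Flags [S],"*) ;;          # SYN without ACK only
        *) return 1 ;;
    esac
    # Split on whitespace; globbing is disabled so "[S]," cannot expand.
    set -f
    set -- $line
    set +f
    src="$3"                        # e.g. 192.168.0.2.51234
    dst="${5%:}"                    # e.g. 40.113.200.201.443 (strip ':')
    sip="${src%.*}";  sport="${src##*.}"
    dip="${dst%.*}";  dport="${dst##*.}"
    printf '(src host %s and src port %s and dst host %s and dst port %s) or (src host %s and src port %s and dst host %s and dst port %s)\n' \
        "$sip" "$sport" "$dip" "$dport" "$dip" "$dport" "$sip" "$sport"
}

# Live use (needs root and a real interface; not executed here):
#   tcpdump -lni eth0 "dst port 443 and $SYN_ONLY_FILTER" 2>/dev/null |
#   while read -r line; do
#       f=$(flow_filter "$line") || continue
#       echo "new stream: tcpdump -ni eth0 \"$f\""
#   done
#
# Stand-alone demonstration on the constructed line:
flow_filter "$SAMPLE_SYN_LINE"
```

Two caveats a practitioner will hit: a second tcpdump started from the `while` loop misses any packets sent between the SYN and its own start, so a more robust approach is one capture of all port-443 traffic to a file and a second pass that selects streams from it; and the source port is reused by later connections, so a filter built this way should be retired when the stream's FIN or RST is seen.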