
How do I get a dump of an SSL handshake in a human-readable format using tshark? I need to provide this to a vendor for debugging a failed SSL handshake problem.

This needs to be done in tshark, not Wireshark, as it's being done on a remote server with no GUI.

goji

2 Answers


Like this.

# -n: no name resolution; -s 0: full snaplen; -w: write raw packets to a pcap file.
# The trailing expression is a libpcap capture filter, so the host needs the "host" keyword.
tshark -n -i <interface> -s 0 -w mycapture.pcap host <hostname> and port <portnumber>

Replace <interface> with the interface name to capture on (e.g., eth0). Replace <hostname> with the name or IP address of the remote host you want to capture packets for. Replace <portnumber> with the port the service is running on (probably 443).

You can also use tcpdump instead. Both Wireshark and tcpdump use libpcap for capturing, so you'll capture the exact same information. You can also copy the resulting file and open it in Wireshark on a different computer.

The command line flags for tcpdump and tshark are close enough that in most cases they can be used interchangeably.

bahamat
    I find this solution particularly helpful in real-life. Wireshark is great because a GUI is really helpful with complex data like packet traces, and since there's no rule that says you have to analyse the data on the same machine on which it's captured, I do this often. Capture the data on the headless box, with a wide tcpdump statement, then feed it all into wireshark on my desktop for precise analysis later. You will also need the client's SSL key if you want to look inside the packets. – MadHatter Aug 03 '12 at 06:50

Assuming you already know how to use filters with tshark, just supply the following display filter:

ssl.handshake.type == 1

If you want all SSL traffic, simply use ssl as the filter.

You cannot use these directly in capture filters, as the capture filtering mechanism doesn't know whether the payload is SSL or not.

Alternatively, if you know what port the SSL traffic is going through, you can use a capture filter for that port, e.g. if the SSL traffic is on port 443, use the filter port 443.

For more reading, refer to:

  1. A more extensive list of SSL display filters here.

  2. How to capture SSL using capture filters.

An example command to capture SSL traffic in a human-readable format and put it in a file would be:

# -V prints the full packet dissection; -Y applies a display filter during a single-pass live capture
# (in current tshark, -R is only accepted together with -2 for two-pass analysis).
tshark -i <interface> -c <no. of packets to capture> -V -Y "ssl" > capturefile.txt

Or, using capture filters:

tshark -i <interface> -c <no. of packets to capture> -V -f "port 443" > capturefile.txt

Also refer to the tshark man page for more details.

Akshet
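Building on both answers above (a capture filter on the vendor's host and port from the first, a display filter on handshake records from the second), here is an added example that is not part of either answer or the original question. It shows the tshark invocation that dumps only handshake and alert records as delimited fields, and a small POSIX sh/awk function that triages such a dump stream by stream so you can point the vendor at the exact TCP stream that failed and at which side sent the alert. The interface name, vendor hostname and output file are assumptions. The field names are Wireshark 3.x names (tls.handshake.type, tls.alert_message.desc; before 3.0 the same fields were under the ssl prefix). The sample dump below is constructed to look like tshark -T fields output; it is not a real capture.

```shell
#!/bin/sh
# Added example: triage a tshark field dump of TLS handshakes for streams that
# never completed. Interface, hostname and file names are assumptions.

# Command that would produce the field dump on the headless server (not run here):
#   tshark -n -i eth0 -f "host vendor.example.net and port 443" \
#     -Y "tls.handshake || tls.alert_message" -T fields -E separator='|' \
#     -e frame.number -e tcp.stream -e ip.src -e ip.dst \
#     -e tls.handshake.type -e tls.alert_message.desc > handshakes.txt
# Several handshake messages in one record are emitted comma-separated.

# Constructed sample of that output: stream 0 completes, stream 1 receives a
# fatal alert straight after the ClientHello, stream 2 never gets a reply.
SAMPLE_FIELDS='1|0|10.0.0.5|203.0.113.10|1|
2|0|203.0.113.10|10.0.0.5|2,11,14|
3|0|10.0.0.5|203.0.113.10|16|
4|1|10.0.0.5|203.0.113.20|1|
5|1|203.0.113.20|10.0.0.5||40
6|2|10.0.0.5|203.0.113.30|1|'

# summarize_handshakes FIELD_DUMP
# Prints one line per TCP stream: OK when a ServerHello arrived and no alert was
# seen, otherwise FAILED with the alert (decoded) or the missing ServerHello.
summarize_handshakes() {
    printf '%s\n' "$1" | awk -F'|' '
    BEGIN {
        # TLS HandshakeType values (RFC 5246) that appear in a plaintext handshake
        name[1]="ClientHello"; name[2]="ServerHello"; name[11]="Certificate"
        name[12]="ServerKeyExchange"; name[14]="ServerHelloDone"
        name[16]="ClientKeyExchange"; name[20]="Finished"
        # AlertDescription values most often behind a failed handshake
        alert[40]="handshake_failure"; alert[42]="bad_certificate"
        alert[46]="certificate_unknown"; alert[48]="unknown_ca"
        alert[70]="protocol_version"; alert[112]="unrecognized_name"
    }
    NF < 6 { next }                       # skip blank or truncated lines
    {
        s = $2
        if (!(s in seen)) { seen[s] = 1; order[++n] = s; peer[s] = $4 }
        cnt = split($5, t, ",")
        for (i = 1; i <= cnt; i++) {
            if (t[i] == "") continue
            hs[s, t[i]] = 1
            trace[s] = trace[s] (trace[s] ? " " : "") (t[i] in name ? name[t[i]] : "type" t[i])
        }
        if ($6 != "") { al[s] = $6; alfrom[s] = $3 }
    }
    END {
        for (k = 1; k <= n; k++) {
            s = order[k]
            if (s in al) {
                d = al[s]
                printf "stream %s: FAILED alert %s (%s) from %s after [%s]\n",
                       s, d, (d in alert ? alert[d] : "unknown"), alfrom[s], trace[s]
            } else if ((s, 2) in hs) {
                printf "stream %s: OK (%s)\n", s, trace[s]
            } else {
                printf "stream %s: FAILED no ServerHello from %s after [%s]\n", s, peer[s], trace[s]
            }
        }
    }'
}

# Usage on a real dump: summarize_handshakes "$(cat handshakes.txt)"
summarize_handshakes "$SAMPLE_FIELDS"
```

Keep the pcap from the first answer alongside this summary: the field dump tells the vendor which stream and which alert to look at, while the pcap lets them open the full ClientHello (offered versions, cipher suites, SNI) in Wireshark. Alerts sent after the handshake has switched to encryption show up without a decodable description, so an empty alert field on a late record is expected, not a parsing error.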