From the link you posted:

tcpdump -i any -s 1500 '(tcp[((tcp[12:1] & 0xf0) >> 2)+5:1] = 0x01) and (tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16)'
This captures the SSL handshake (0x16), and the hello (0x01). Seems reasonable that you could delete the expression for hello and end up with:

tcpdump -i any -s 1500 'tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16'

Does this not work?

> On Feb 25, 2016, at 6:08 PM, Michael Rasmussen <[email protected]> wrote:
>
> I have a group of systems that I need to monitor for use of approved SSL
> cipher suites.
> Wireshark is not available on them. tcpdump is the tool I need to use.
>
> Do you know, or know someone who would know, how to construct a tcpdump filter
> that matches
> only packets for the SSL handshake?
>
> Due to the volume of traffic on the systems I cannot capture everything and
> filter later.
>
> The most useful hint found so far is at:
> http://serverfault.com/questions/574405/tcpdump-server-hello-certificate-filter
>
>
>
> --
> Michael Rasmussen, Portland Oregon
> Be Appropriate && Follow Your Curiosity
> People play badly for various reasons; the most common one is failure
> to judge what they currently produce as inadequate.
> ~ Tony Pay (on a Clarinet discussion list)
> _______________________________________________
> PLUG mailing list
> [email protected]
> http://lists.pdxlinux.org/mailman/listinfo/plug

--
Louis Kowolowski [email protected]
Cryptomonkeys: http://www.cryptomonkeys.com/
Making life more interesting for people since 1977
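As an added example (not part of either message in this thread), the following Python script applies the same byte arithmetic the BPF filter uses to a constructed TCP segment, so you can see why it matches: `tcp[12:1] & 0xf0 >> 2` is the TCP data offset scaled to bytes, the byte at that offset is the TLS record content type (0x16 = handshake), and the byte five further in is the handshake message type (0x01 = ClientHello, 0x02 = ServerHello). It then parses the ClientHello cipher-suite list, which is the field Michael would compare against an approved list. The segment, TCP options, cipher suites, and the `APPROVED` set are all constructed for illustration; the quoted tcpdump command lines are the thread's filters with the shell quoting they need.

```python
"""Byte-level model of the tcpdump filter for SSL/TLS handshake records.

Added example, not code from the thread. The sample segment and the
approved-suite list below are constructed for illustration.
"""
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type
CLIENT_HELLO = 0x01    # handshake message types
SERVER_HELLO = 0x02

# The thread's filters, with the quoting the shell needs around the parentheses.
FILTER_ANY_HANDSHAKE = "tcpdump -i any -s 1500 'tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16'"
FILTER_CLIENT_HELLO = ("tcpdump -i any -s 1500 "
                       "'(tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16) and "
                       "(tcp[((tcp[12:1] & 0xf0) >> 2)+5:1] = 0x01)'")


def tcp_payload_offset(seg):
    """Mirror of ((tcp[12:1] & 0xf0) >> 2): data offset (32-bit words) * 4."""
    return (seg[12] & 0xF0) >> 2


def matches_filter(seg, handshake_type=None):
    """True when the TCP payload starts a TLS handshake record and, if
    handshake_type is given, a handshake message of that type."""
    off = tcp_payload_offset(seg)
    if off < 20 or len(seg) < off + 6:       # bad header or too short to test
        return False
    if seg[off] != TLS_HANDSHAKE:
        return False
    return handshake_type is None or seg[off + 5] == handshake_type


def client_hello_cipher_suites(seg):
    """Cipher suites offered by a ClientHello that begins the TCP payload.
    Returns [] when the segment is not such a ClientHello."""
    if not matches_filter(seg, CLIENT_HELLO):
        return []
    p = tcp_payload_offset(seg) + 5 + 4      # skip record header + handshake header
    p += 2 + 32                              # client_version, random
    sid_len = seg[p]
    p += 1 + sid_len                         # session_id
    (cs_len,) = struct.unpack_from(">H", seg, p)
    p += 2
    return [struct.unpack_from(">H", seg, p + i)[0] for i in range(0, cs_len, 2)]


def unapproved_suites(seg, approved):
    """Offered suites that are not in the approved set (the policy check)."""
    return [cs for cs in client_hello_cipher_suites(seg) if cs not in approved]


def build_segment(payload, options=b""):
    """Constructed TCP header (PSH|ACK) plus options and payload. No IP
    header: BPF's tcp[] offsets are relative to the TCP header as well."""
    assert len(options) % 4 == 0
    data_offset_words = 5 + len(options) // 4
    offset_flags = (data_offset_words << 12) | 0x018
    hdr = struct.pack(">HHIIHHHH", 51000, 443, 1, 1, offset_flags, 65535, 0, 0)
    return hdr + options + payload


def build_client_hello(cipher_suites):
    """Constructed minimal TLS 1.2 ClientHello in a TLSv1.0 record header."""
    body = struct.pack(">H", 0x0303)                         # client_version
    body += bytes(32)                                        # random (zeros, constructed)
    body += b"\x00"                                          # session_id length 0
    body += struct.pack(">H", 2 * len(cipher_suites))
    body += b"".join(struct.pack(">H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                      # compression: [null]
    body += struct.pack(">H", 0)                             # no extensions
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + struct.pack(">HH", 0x0301, len(hs)) + hs


# Constructed sample traffic: 12 bytes of TCP options (NOP, NOP, timestamps)
# make the data offset 8 words = 32 bytes rather than the bare 20.
TCP_OPTS = b"\x01\x01\x08\x0a" + bytes(8)
OFFERED = [0xC02F, 0x002F, 0x0005]   # ECDHE-RSA-AES128-GCM-SHA256, AES128-SHA, RC4-SHA
SAMPLE_CLIENT_HELLO = build_segment(build_client_hello(OFFERED), TCP_OPTS)
SAMPLE_HTTP = build_segment(b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")
APPROVED = {0xC02F, 0x002F}          # constructed policy for the example

if __name__ == "__main__":
    for name, seg in (("client_hello", SAMPLE_CLIENT_HELLO), ("http", SAMPLE_HTTP)):
        print(name, "payload@", tcp_payload_offset(seg),
              "handshake:", matches_filter(seg),
              "client_hello:", matches_filter(seg, CLIENT_HELLO))
    print("unapproved:", [hex(c) for c in unapproved_suites(SAMPLE_CLIENT_HELLO, APPROVED)])
```

Two caveats the filter itself carries: it only matches a segment whose payload begins with the record (a ClientHello that continues from a previous segment, or a record that follows another record in the same segment, is missed), and the ClientHello only lists what the client offers; the suite actually negotiated is in the ServerHello, so for an "approved suites in use" check you would filter on 0x02 at the +5 byte and read the two-byte cipher_suite field after the server's random and session_id.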
