SSL – Sniff SSL handshake using tshark

packet-sniffer ssl tshark

How do I get a dump of an SSL handshake in a human-readable format using tshark? I need to provide this to a vendor for debugging a failed SSL handshake problem.

This needs to be done in tshark, not Wireshark, as it's being done on a remote server with no GUI.

Best Answer

Like this.

tshark -nn -i <interface> -s 0 -w mycapture.pcap <hostname> and port <portnumber>

Replace <interface> with the interface name to capture on (e.g., eth0). Replace <hostname> with the name or IP address of the remote host you want to capture packets for. Replace <portnumber> with the port the service is running on (probably 443).

You can also use tcpdump instead. Both Wireshark and tcpdump use libpcap for capturing, so you'll capture the exact same information. You can also copy the resulting file and open it in Wireshark on a different computer.

The command line flags for tcpdump and tshark are close enough that in most cases they can be used interchangeably.
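
To get the human-readable text the question asks for, the saved capture can be read back with tshark and narrowed to handshake and alert records. The script below is an added example, not part of the original answer; the function names are hypothetical, and mycapture.pcap is the file name used in the command above.

```shell
#!/bin/sh
# Added example: render the TLS/SSL handshake from a saved capture as text.
# Function names are hypothetical; -r, -Y and -O are standard tshark options.

# Wireshark 3.0 renamed the "ssl" dissector to "tls"; older builds only know "ssl".
# $1 = tshark major version number; prints the protocol prefix to use.
proto_for_major() {
    case "$1" in
        ''|*[!0-9]*) echo "tls" ;;   # unknown version: assume a current build
        *) if [ "$1" -ge 3 ]; then echo "tls"; else echo "ssl"; fi ;;
    esac
}

# Extract the major version from the first line of `tshark --version`.
# $1 = that line, e.g. "TShark (Wireshark) 3.2.3 (Git v3.2.3 ...)"
major_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^TShark[^0-9]*\([0-9][0-9]*\)\..*/\1/p'
}

# Display filter keeping handshake messages and alerts (a failed handshake
# usually ends with an alert record). $1 = protocol prefix.
handshake_filter() {
    printf '%s.handshake || %s.alert_message\n' "$1" "$1"
}

# Print a detailed, text-only decode of the handshake packets in a capture.
# $1 = capture file written with -w (e.g. mycapture.pcap)
dump_handshake() {
    banner=$(tshark --version 2>/dev/null | head -n 1)
    proto=$(proto_for_major "$(major_from_banner "$banner")")
    # -r: read from file, -Y: display filter, -O: full detail for this protocol only
    tshark -n -r "$1" -Y "$(handshake_filter "$proto")" -O "$proto"
}

# Run only when a capture file is given:
#   sh dump_handshake.sh mycapture.pcap > handshake.txt
if [ "$#" -gt 0 ]; then
    dump_handshake "$1"
fi
```

The resulting text file lists each ClientHello, ServerHello, certificate and alert with its decoded fields, and can be sent to the vendor alongside the pcap.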
