Linux is an operating system whose use is closely associated with a rich command-line interface. So when you rent a virtual Linux server and intend to administer it yourself, it is essential to master a number of core command-line tools.
The one we are going to throw light on today is tcpdump, a powerful command-line packet analyzer. Let's see what it is and how you can use it to capture an SSL handshake.
Why capture SSL handshake with tcpdump?
Before jumping straight into the guide on capturing an SSL handshake with tcpdump, let's see what you can do with it.
- Troubleshooting connection issues:
If you have encountered connection issues between a client and a server over HTTPS, capturing the SSL handshake can give you valuable insight into what is wrong. By examining the handshake packets, you can find out the protocol versions, the supported cipher suites, and any errors that occurred during the handshake.
- Security analysis:
By analyzing the SSL handshake you can learn a great deal about the security of the communication, in particular which cryptographic algorithms and key exchange mechanisms are involved. With this knowledge you can assess whether the connection adheres to your security standards or whether there is room for improvement.
- Certificate validation: When inspecting the SSL handshake, you can study which digital certificates are exchanged. This lets you verify the authenticity of the certificates on the one hand and, on the other, confirm that the public key infrastructure (PKI) is correctly configured.
- Debugging SSL/TLS Configurations:
The main goal of SSL/TLS is to secure web applications. By capturing an SSL handshake you can see what can be improved in the SSL/TLS configuration of a web server and identify various issues, particularly those related to certificate chains and cipher suite configuration.
- Monitoring for security threats:
Capturing SSL handshakes can be an essential part of security monitoring when it comes to detecting potential threats and suspicious activity. In particular, it gives you a chance to identify unauthorized or malicious SSL/TLS connections.
- Forensic analysis:
If an incident has occurred, a captured SSL handshake can help you reconstruct what actually happened and the chronology of events in the network communication. With this information, mitigating the incident and taking steps to keep it from recurring may end up being much easier.
Capturing SSL handshake with tcpdump
tcpdump, as mentioned, is a powerful command-line packet analyzer that lets you capture and analyze network traffic on a Unix or Unix-like system. One of its primary functions is to capture and inspect packets as they pass through a network interface.
One important point to keep in mind: tcpdump records packets exactly as they appear on the wire, so to read the contents of encrypted records the traffic either has to reach tcpdump before it is encrypted or you have to decrypt the capture afterwards with the session keys.
Here is a general approach to capturing an SSL handshake:
- Install tcpdump:
Use the appropriate command to install tcpdump depending on your operating system:
Debian-based systems (e.g., Ubuntu):
sudo apt-get update
sudo apt-get install tcpdump
Red Hat-based systems (e.g., CentOS, Fedora):
sudo yum install tcpdump
macOS:
brew install tcpdump
- Capture traffic:
Run tcpdump to capture network traffic on the desired interface, e.g.:
sudo tcpdump -i eth0 -w capture.pcap
Replace eth0 with the name of your network interface.
- Filter for SSL handshake:
At this point the traffic is encrypted and there isn't much you can learn from it directly. First, it's worth narrowing the capture down to the packets related to the SSL handshake, for example with a filter expression like:
sudo tcpdump -r capture.pcap -A -nn 'tcp and (port 443 or port 8443)'
This example keeps only TCP traffic on port 443 or port 8443. Adjust the ports to match your application's configuration.
- Decrypt SSL/TLS traffic (optional):
If you need to, and if you have access to the SSL/TLS session keys, you can decrypt the captured traffic with a tool such as Wireshark, which applies the keys to a capture after the fact. To supply the keys, open Wireshark and go to "Edit" -> "Preferences" -> "Protocols" -> "SSL" (named "TLS" in current Wireshark versions) and provide the key material needed for decryption.
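The version and cipher information the article says to look for sits in the cleartext ClientHello that the filter above isolates. The following added example (not from the article) parses one such record with only the Python standard library; it assumes you have already extracted the TCP payload from capture.pcap (e.g. with a pcap library), and the sample bytes are constructed here rather than taken from a real capture.

```python
import struct

HANDSHAKE, CLIENT_HELLO = 0x16, 0x01              # TLS record type / handshake msg type
EXT_SNI, EXT_SUPPORTED_VERSIONS = 0x0000, 0x002B
VERSIONS = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}

def _u16(b, o):
    return struct.unpack_from("!H", b, o)[0]

def parse_client_hello(payload):
    """payload: TCP payload starting at a TLS record. Returns a dict or None."""
    ctype, rlen = payload[0], _u16(payload, 3)
    hs = payload[5:5 + rlen]                         # handshake message inside the record
    if ctype != HANDSHAKE or not hs or hs[0] != CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]  # 1-byte type + 3-byte length header
    info = {"legacy_version": VERSIONS.get(_u16(body, 0), hex(_u16(body, 0)))}
    o = 2 + 32                                       # skip legacy_version + 32-byte random
    o += 1 + body[o]                                 # session_id (1-byte length prefix)
    n = _u16(body, o); o += 2                        # cipher_suites (2-byte length prefix)
    info["cipher_suites"] = [_u16(body, i) for i in range(o, o + n, 2)]; o += n
    o += 1 + body[o]                                 # compression_methods
    end = o + 2 + _u16(body, o); o += 2              # extensions block
    while o + 4 <= end:
        etype, elen = _u16(body, o), _u16(body, o + 2)
        data = body[o + 4:o + 4 + elen]
        if etype == EXT_SNI:                         # list_len(2) name_type(1) name_len(2) name
            info["sni"] = data[5:5 + _u16(data, 3)].decode("ascii")
        elif etype == EXT_SUPPORTED_VERSIONS:        # len(1) then 2-byte versions; TLS 1.3 lives here
            info["versions"] = [VERSIONS.get(_u16(data, i), hex(_u16(data, i)))
                                for i in range(1, 1 + data[0], 2)]
        o += 4 + elen
    return info

# Constructed sample ClientHello (not a real capture): TLS 1.3 offered via
# supported_versions, legacy_version TLS 1.2, SNI "localhost", zeroed random.
SAMPLE = (
    b"\x16\x03\x01\x00\x4a"                          # record: handshake, 74 bytes follow
    b"\x01\x00\x00\x46"                              # ClientHello, 70-byte body
    b"\x03\x03" + b"\x00" * 32 +                     # legacy_version + random
    b"\x00"                                          # empty session_id
    b"\x00\x04\x13\x01\xc0\x2f"                      # TLS_AES_128_GCM_SHA256, ECDHE-RSA-AES128-GCM-SHA256
    b"\x01\x00"                                      # compression: null only
    b"\x00\x19"                                      # extensions: 25 bytes
    b"\x00\x00\x00\x0e\x00\x0c\x00\x00\x09localhost" # server_name
    b"\x00\x2b\x00\x03\x02\x03\x04"                  # supported_versions: TLS1.3
)

if __name__ == "__main__":
    print(parse_client_hello(SAMPLE))
```

Note that a TLS 1.3 client still advertises 0x0303 in legacy_version, so the real offered versions are only visible in the supported_versions extension.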
To sum up
tcpdump is a valuable tool for capturing SSL handshakes. Properly analyzed, the captured handshake yields various insights into the SSL/TLS configuration and helps you understand what steps can be taken to raise the security of your connections. We hope this information was helpful; stay tuned!