Capture only ssl handshake with tcpdump


Question


I have a server to which many clients connect using SSL. Recently I'm observing SSL handshake errors in the server logs (ex SSL MAC error). The error itself is not important, but I want to see why some clients are able to connect while others are failing, and also need to identify which clients are failing.


For debugging this issue, I want to capture all SSL handshakes happening at server and since I don't know when the problematic clients connect, I don't want to capture all the traffic till that happens. I just want to capture all the SSL handshakes and later analyze them with Wireshark. Assume that I only have access to tcpdump and no other tools for capturing.

Recommended answer


I don't know what exactly you are calling a handshake, but I propose this command, which will probably capture more than 95% of what you want:


Now what does it do:


  • eth0: is my network interface, change it if needed
  • tcp port 443: I suppose this is the port your server is listening on, change it if needed
  • tcp[((tcp[12] & 0xf0) >> 2)] = 0x16: a bit tricky, let's detail it below

tcp[12] means capturing the 13th byte of the TCP packet, the first half of which is the offset and the second half of which is reserved. The offset, once multiplied by 4, gives the byte count of the TCP header, meaning ((tcp[12] & 0xf0) >> 2) provides the size of the TCP header.



The first byte of a TLS packet defines the content type. The value 22 (0x16 in hexadecimal) has been defined as being "Handshake" content.


As a consequence, tcp[((tcp[12] & 0xf0) >> 2)] = 0x16 captures every packet having the first byte after the TCP header set to 0x16.


More filtering can be performed, but this strictly answers your question.
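The following is an added example, not part of the original answer, that reproduces the byte arithmetic behind the filter in Python so it can be checked on constructed segments. Assembled from the three components the answer lists, the full invocation it mirrors would be `tcpdump -i eth0 'tcp port 443 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)'` (the interface and port are the answer's assumptions). The segments, the port constant and the helper names are all constructed for this illustration; the sample "records" are hand-written byte strings, not a real capture.

```python
"""
Added example (not from the original answer): the byte-level logic behind
    tcp port 443 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)
applied to constructed TCP segments, including one carrying TCP options so the
data-offset arithmetic can be seen to matter.
"""
import struct

TLS_HANDSHAKE = 0x16         # TLS record content type "handshake" (22), as in the answer
TLS_APPLICATION_DATA = 0x17  # TLS record content type "application data" (23)
SERVER_PORT = 443            # assumed server port, matching the answer's "tcp port 443"


def build_tcp_segment(src_port: int, dst_port: int,
                      options: bytes = b"", payload: bytes = b"") -> bytes:
    """Build a minimal TCP segment (constructed test data, no IP header).

    The data-offset field is derived from the real header length, which is
    exactly what the filter reads back through tcp[12].
    """
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    data_offset_words = 5 + len(options) // 4          # 20-byte base header + options
    offset_and_flags = (data_offset_words << 12) | 0x018  # high nibble = offset, flags = PSH|ACK
    header = struct.pack("!HHIIHHHH", src_port, dst_port, 1, 1,
                         offset_and_flags, 65535, 0, 0)
    return header + options + payload


def tcp_header_length(segment: bytes) -> int:
    """Reproduce ((tcp[12] & 0xf0) >> 2).

    The high nibble of byte 12 is the data offset in 32-bit words. Shifting it
    right by 4 would give words; shifting right by only 2 gives bytes directly.
    """
    return (segment[12] & 0xF0) >> 2


def matches_handshake_filter(segment: bytes) -> bool:
    """Python equivalent of: tcp port 443 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)."""
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    if SERVER_PORT not in (src_port, dst_port):
        return False
    first_payload_index = tcp_header_length(segment)
    if first_payload_index >= len(segment):
        # No payload byte to inspect (e.g. a pure ACK): an out-of-bounds BPF
        # load rejects the packet, so the filter does not match either.
        return False
    return segment[first_payload_index] == TLS_HANDSHAKE


# Constructed sample data (not a real capture)
TIMESTAMP_OPTION = bytes([1, 1, 8, 10]) + (0).to_bytes(8, "big")   # NOP, NOP, TSopt: 12 bytes
CLIENT_HELLO_RECORD = bytes.fromhex("16 03 01 00 05 01 00 00 01 00")  # handshake record (ClientHello)
APP_DATA_RECORD = bytes.fromhex("17 03 03 00 04 de ad be ef")          # application-data record
RECORD_CONTINUATION = bytes.fromhex("30 82 01 0a 02 82 01 01")         # middle of a large Certificate message

SAMPLES = {
    "client_hello": build_tcp_segment(51000, 443, payload=CLIENT_HELLO_RECORD),
    "client_hello_with_options": build_tcp_segment(51001, 443, TIMESTAMP_OPTION, CLIENT_HELLO_RECORD),
    "server_app_data": build_tcp_segment(443, 51000, payload=APP_DATA_RECORD),
    "certificate_continuation": build_tcp_segment(443, 51000, payload=RECORD_CONTINUATION),
    "pure_ack": build_tcp_segment(51000, 443),
    "other_port_handshake": build_tcp_segment(51002, 8443, payload=CLIENT_HELLO_RECORD),
}


def classify_samples() -> dict:
    """Return, per constructed sample, whether the tcpdump filter would keep it."""
    return {name: matches_handshake_filter(seg) for name, seg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:28s} {'captured' if hit else 'dropped'}")
```

Two things the walk-through makes visible. First, the segment carrying TCP options has its ClientHello at byte 32, not byte 20, so a filter that hard-coded `tcp[20]` would miss it; the offset arithmetic is what makes the rule work across clients with different option sets. Second, the filter is per-segment and only looks at the first payload byte: it keeps the segment that starts a handshake record but drops continuation segments of a large Certificate message and the TCP three-way handshake itself, so Wireshark may show large records as incompletely reassembled. Since a server-side "MAC error" normally ends with a TLS Alert record (content type 0x15), extending the expression with `or tcp[((tcp[12] & 0xf0) >> 2)] = 0x15` is one of the additional filters the answer leaves open.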
