TCPDUMP Filters
TCPDUMP Filters
A tcpdump(8) filter to capture all packets that are # SSLv2, SSLv3, or TLS < 1.2
Assuming that all has been copied in a sile named ‘sslfilter’ Only the last line is useful, all the comments are only for understanding.
sudo tcpdump "$(grep -v '^#' sslfilter)"
or
tcpdump -i vmx0 -s 1500 "`grep -v '^#' sslfilter`" -nnXSs0 -ttt
# A tcpdump(8) filter to capture all packets that are
# SSLv2, SSLv3, or TLS < 1.2, created by @jschauma.
#
# See
# https://www.netmeister.org/blog/tcpdump-ssl-and-tls.html
# for details.
#
# sudo tcpdump "$(grep -v '^#' sslfilter)"
# tcpdump -i vmx0 -s 1500 "`grep -v '^#' sslfilter`" -nnXSs0 -ttt
#
# See
# https://www.netmeister.org/blog/tcpdump-ssl-and-tls.html
# for a longer description.
#
# The first nibble of the 13th byte * 4 is the size of the TCP header.
# tcp[12] & 0xf0 >> 2
#
# The first byte of the TLS Record indicates the record type:
# 0x14 Change Cipher Spec
# 0x15 Encrypted Alert
# 0x16 Handshake
# 0x17 Application Data
#
# If we're talking SSLv2, the first couple of bytes
# are the length followed by the type of the message,
# followed by the SSL version number (i.e., fourth and
# fifth byte are 0x00 and 0x02 respectively).
#
# If we're talking SSLv3 or TLS, then:
# The first byte is 0x14 for change cipher spec.
# The first byte is 0x15 for encrypt alert.
# The first byte is 0x16 for handshake.
# The first byte is 0x17 for application data.
#
# The second and third byte denote the version; second
# byte should be 0x03 (SSLv3 / TLS).
# The third byte is 0x01 for TLS 1.0.
# The third byte is 0x02 for TLS 1.1.
# The third byte is 0x03 for TLS 1.2.
# The third byte is 0x04 for TLS 1.3.
#
# So, to capture all packets that are SSLv2, SSLv3, or
# TLS < 1.2:
#
# - if first byte is 0x14, 0x15, 0x16 AND the next
# byte is 0x03, then we're talking TLS, but are not
# in the handshake. The TLS version is then
# determined by the third byte
#
# (((tcp[((tcp[12] & 0xf0) >> 2)] = 0x14) ||
# (tcp[((tcp[12] & 0xf0) >> 2)] = 0x15) ||
# (tcp[((tcp[12] & 0xf0) >> 2)] = 0x17)) &&
# (tcp[((tcp[12] & 0xf0) >> 2)+1] = 0x03) &&
# (tcp[((tcp[12] & 0xf0) >> 2)+2] < 0x03)))
#
# - if first byte is 0x16 AND the next byte is 0x03,
# we are in the TLS handshake; the record layer
# handshake version will be 0x0301, but the actual
# TLS version will be found in handshake protocol
# record, which starts at byte 6, where we find one
# byte indiciating the handshake type, three bytes
# length, and two bytes again describing the TLS
# version as above (byte 10 = 0x03, byte 11 = 0x03
# for TLS 1.2 etc.)
#
# ((tcp[((tcp[12] & 0xf0) >> 2)] = 0x16) &&
# (tcp[((tcp[12] & 0xf0) >> 2)+1] = 0x03) &&
# (tcp[((tcp[12] & 0xf0) >> 2)+9] = 0x03) &&
# (tcp[((tcp[12] & 0xf0) >> 2)+10] < 0x03))
#
# - finally, SSLv2: we exclude the valid TLS packets,
# then check for 0x0002:
#
# (((tcp[((tcp[12] & 0xf0) >> 2)] < 0x14) ||
# (tcp[((tcp[12] & 0xf0) >> 2)] > 0x18)) &&
# (tcp[((tcp[12] & 0xf0) >> 2)+3] = 0x00) &&
# (tcp[((tcp[12] & 0xf0) >> 2)+4] = 0x02))
(((tcp[((tcp[12] & 0xf0) >> 2)] = 0x14) || (tcp[((tcp[12] & 0xf0) >> 2)] = 0x15) || (tcp[((tcp[12] & 0xf0) >> 2)] = 0x17)) && (tcp[((tcp[12] & 0xf0) >> 2)+1] = 0x03 && (tcp[((tcp[12] & 0xf0) >> 2)+2] < 0x03))) || (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16) && (tcp[((tcp[12] & 0xf0) >> 2)+2] < 0x03) && (tcp[((tcp[12] & 0xf0) >> 2)+9] = 0x03) && (tcp[((tcp[12] & 0xf0) >> 2)+10] < 0x03) || (((tcp[((tcp[12] & 0xf0) >> 2)] < 0x14) || (tcp[((tcp[12] & 0xf0) >> 2)] > 0x18)) && (tcp[((tcp[12] & 0xf0) >> 2)+3] = 0x00) && (tcp[((tcp[12] & 0xf0) >> 2)+4] = 0x02))