
Capture Only SSL Handshake With Tcpdump

Answer : I don't know what exactly you are calling handshake, but I propose this command that will probably capture more than 95% of what you can want:

tcpdump -ni eth0 "tcp port 443 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)"

Now what does it do:

eth0 : is my network interface, change it if you need
tcp port 443 : I suppose this is the port your server is listening on, change it if you need
tcp[((tcp[12] & 0xf0) >> 2)] = 0x16 : a bit more tricky, let's detail this below

tcp[12] means capturing the 13th byte of the TCP packet, corresponding to the first half being the offset, the second half being reserved. The offset, once multiplied by 4, gives the byte count of the TCP header, meaning ((tcp[12] & 0xf0) >> 2) provides the size of the TCP header. The first byte of a TLS packet defines the content type. The value 22 (0x16 in hexadecimal) has been defined as being "Handshake" content. As a consequence, tcp[((tcp[12] ...
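To see exactly what the filter in the answer above does byte by byte, here is an added example (not part of the original post or answer) that re-implements the same BPF expression in pure Python over constructed Ethernet/IPv4/TCP frames, and writes them to a pcap so the real tcpdump can be run on the same data. The frame builder, the sample ClientHello/ServerHello/ApplicationData payloads and the pcap filename are all assumptions made for the demo. It goes one step beyond the answer by also reading the handshake message type (tcp[header_len + 5]), which is how you would narrow the capture further to ClientHello or ServerHello only.

```python
"""
Emulate the tcpdump filter from the answer,

    tcp port 443 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)

in pure Python against constructed Ethernet/IPv4/TCP frames, then write
the same frames to a pcap so the real tcpdump can be run on them.
The frames below are built by hand for the demo; they are not captures.
"""
import struct

TLS_HANDSHAKE = 0x16          # TLS record content type: Handshake
TLS_APPLICATION_DATA = 0x17   # TLS record content type: ApplicationData
ETH_LEN = 14


def tls_record(content_type, body):
    """Wrap body in a TLS record header: type, legacy version 0x0301, 2-byte length."""
    return bytes([content_type, 0x03, 0x01]) + len(body).to_bytes(2, "big") + body


def handshake_msg(hs_type, body):
    """Handshake header: message type (1 = ClientHello, 2 = ServerHello), 3-byte length."""
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body


def build_frame(sport, dport, payload=b"", data_offset_words=5):
    """Minimal Ethernet + IPv4 + TCP frame (constructed; checksums left zero).
    data_offset_words > 5 adds NOP options so the TCP header is longer than 20 bytes."""
    options = b"\x01" * (data_offset_words * 4 - 20)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1,
                      data_offset_words << 4, 0x18, 65535, 0, 0) + options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def tcp_bytes(frame, index, n=1):
    """Emulate BPF's tcp[index:n]: a big-endian load relative to the TCP header.
    Returns None when the frame is not IPv4/TCP or the load would run past its end;
    BPF treats such a load as 'no match', which is why payload-less ACKs never match."""
    if frame[12:14] != b"\x08\x00" or frame[ETH_LEN + 9] != 6:
        return None
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    pos = ETH_LEN + ihl + index
    if pos + n > len(frame):
        return None
    return int.from_bytes(frame[pos:pos + n], "big")


def tcp_header_len(frame):
    """((tcp[12] & 0xf0) >> 2): data offset in 32-bit words, times 4."""
    off = tcp_bytes(frame, 12)
    return None if off is None else (off & 0xF0) >> 2


def matches_handshake_filter(frame, port=443):
    """tcp port <port> and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)"""
    sport, dport = tcp_bytes(frame, 0, 2), tcp_bytes(frame, 2, 2)
    if sport is None or port not in (sport, dport):
        return False
    return tcp_bytes(frame, tcp_header_len(frame)) == TLS_HANDSHAKE


def handshake_type(frame, port=443):
    """Beyond the answer: the handshake message type sits 5 bytes after the record
    type, i.e. tcp[((tcp[12] & 0xf0) >> 2) + 5]. 1 = ClientHello, 2 = ServerHello."""
    if not matches_handshake_filter(frame, port):
        return None
    return tcp_bytes(frame, tcp_header_len(frame) + 5)


def write_pcap(path, frames):
    """Write frames as a classic pcap (link type 1 = Ethernet) for tcpdump -r."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, fr in enumerate(frames):
            f.write(struct.pack("<IIII", i, 0, len(fr), len(fr)) + fr)


# Constructed sample traffic; truncated hello bodies are enough for the filter.
HELLO_BODY = b"\x03\x03" + bytes(32)   # version + zeroed random, nothing else
CLIENT_HELLO = build_frame(51515, 443, tls_record(TLS_HANDSHAKE, handshake_msg(1, HELLO_BODY)))
SERVER_HELLO = build_frame(443, 51515, tls_record(TLS_HANDSHAKE, handshake_msg(2, HELLO_BODY)),
                           data_offset_words=8)   # TCP options present: header is 32 bytes
APP_DATA = build_frame(51515, 443, tls_record(TLS_APPLICATION_DATA, b"\x00" * 16))
EMPTY_ACK = build_frame(51515, 443)               # no payload: the load runs past the packet
OTHER_PORT = build_frame(51515, 8443, tls_record(TLS_HANDSHAKE, handshake_msg(1, HELLO_BODY)))
SAMPLES = [CLIENT_HELLO, SERVER_HELLO, APP_DATA, EMPTY_ACK, OTHER_PORT]

if __name__ == "__main__":
    names = ["client_hello", "server_hello", "app_data", "empty_ack", "other_port"]
    for name, fr in zip(names, SAMPLES):
        print(f"{name:13} match={matches_handshake_filter(fr)!s:5} hs_type={handshake_type(fr)}")
    write_pcap("tls_filter_demo.pcap", SAMPLES)
    print("tcpdump -nr tls_filter_demo.pcap "
          "'tcp port 443 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)'")
```

Two caveats worth knowing before relying on this filter: the `tcp[...]` index form in pcap-filter only applies to IPv4 (tcpdump does not walk the IPv6 header chain for it), and it only inspects the first payload byte of each segment, so a Handshake record that is not at the start of a segment, or the tail of a large ClientHello split across segments, is not matched. That is the "more than 95%" in the answer.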