Monitor and log TLS version info and domains

I have a Linksys wireless router that I have installed OpenWrt on.
I am trying to see what security grade overall my home network has, how many of my connections are HTTP and how many are HTTPS (just the start of connections, not the actual data), and also see which connections have bad TLS parameters (TLS 1.0 and the weak cipher suites).

This is not for spying purposes,
and I don't want to have the payload of HTTPS (or even HTTP),
just the metadata (oh god, that sounded so NSA-y).

Is this possible with tcpdump? Can someone with some experience point me in the right direction?

tcpdump can't reconstruct a connection stream (like Wireshark can), so for the TLS handshake, can I later relate the agreed TLS version to that handshake?

LOL, yea it did! :laughing:

  • First, HTTP is in the clear, you could search for the GET or something like that
  • Second, for HTTPS, I think enough of the handshake you desire is in the clear...

So both should be possible. You should be able to see this traffic running tcpdump now.

Actually, tcpdump is the "CLI version" of Wireshark...it can even save PCAP files for viewing in Wireshark. :wink:

No, I mean can tcpdump understand TLS handshake chains?
I don't think it does.
I think tcpdump only has a live mode (as in it doesn't care about the packets before or after; it only saves and filters packets as they come and can't understand the relationships between them).
But Wireshark actually makes connections between packets, so you can see that a packet is the second step in a TLS handshake, and for this it has to have all the active data in RAM (or use it somehow), unlike tcpdump, which just acts on the packets as they pass through.

Because, if I get it right, tcpdump just captures IP packets separately and doesn't care and doesn't understand that, for example, an IP packet was the third step in the TLS handshake and not the first. And for that I either need to save all the traffic with tcpdump and run an analyzer on it, or find a way to have a window of packets (say 10 or 20 on the safe side) and then somehow analyze that in live mode (extract the info live and save it with GNU programs like sed and grep and so on).

After a lot of thinking, I think my best bet is to use tcpdump to send traffic to my odroid (always on via LAN) and use the Wireshark CLI on there.

like this:

Perhaps I'm lost at what you want to succeed at.

Filtering for HTTP and HTTPS, what you're looking for can be done in both tcpdump and Wireshark, and you can see the results live.

What issues are you having simply running the tcpdump command to see what you desire?

Understand what???

Are you trying to run some plugin, module etc...to sniff or perform some Layer 7 function on the packet???

I understand you just wanted the "metadata".

???

I don't think you're describing simply using Wireshark/tcpdump to see HTTP and HTTPS handshakes anymore...or you're just making clear that you can't hit "Save" on the command line after you execute it (saving to file has to be explicitly stated prior to running it)...as well as any "filtering".

:+1:

OK...passing it to Wireshark over the network works too...if you just prefer a GUI.

What I mean is this:
If I run tcpdump I can't tell it to find a TLS handshake AND find that, related to it, (say) 5 packets later there is the second part of the handshake.
If you watch Wireshark you see that a lot of other packets come through between the packets of a TLS handshake.
So saving a TLS handshake with tcpdump is NOT as easy as saying, "when you find the start of a TLS handshake, save till 5 packets later".

I don't know how to say it more clearly.

BTW, thank you for the answers.


tcpdump -n -i eth0.2 -s 65535 -U -w - dst port 80 | tee <file> | tcpdump -l -vvvvn -r - | grep 'Referer:' -A 4 -B 7

That will display the HTTP and save only those to PCAP.

I think I understand your HTTPS issue now...I don't think there's any clear text passed for tcpdump to see, or that is shown using the -vvvv argument...now that I tested for you (hence your need for the Wireshark GUI).

:+1:

My mistake was mixing HTTP and HTTPS.
Yes, HTTP is easy for checking that info because it doesn't actually have a chain of packets (HTTP packets are stateless too). So HTTP, as you said, is easy to do.

The main part of the issue is the HTTPS (TLS handshake) part.

I think I'll try tcpdump (on OpenWrt) ---> Wireshark (on odroid).


TLS has to use SNI for domains, which is still in the clear (SNI encryption is proposed but not done yet).
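As an added example (not code from this thread or from tcpdump/Wireshark), here is a small Python parser for exactly the clear-text part of the handshake the thread is after: it reads a ClientHello or ServerHello record, pulls out the TLS version, the cipher suite(s) and the SNI host name, and flags TLS 1.0/1.1 or a weak chosen suite. The sample records are constructed by build_hello(); the cipher suite ids are real IANA values, but calling two of them "weak" is just this example's policy, and the host name is a made-up sample.

```python
import struct

VERSIONS = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}
# Real IANA cipher suite ids; treating these two as "weak" is this example's own policy.
WEAK_SUITES = {0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA"}

def u16(b, off):
    return struct.unpack("!H", b[off:off + 2])[0]

def parse_hello(record):
    """Read the clear-text metadata of one TLS record holding a ClientHello (1) or ServerHello (2)."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs, p = record[5:], 4                        # drop record header; skip hs type + 3-byte length
    kind = {1: "ClientHello", 2: "ServerHello"}[hs[0]]
    info = {"type": kind, "version": VERSIONS.get(u16(hs, p), "unknown")}
    p += 35 + hs[p + 34]                         # version (2) + random (32) + session id (1 + n)
    if kind == "ClientHello":
        n = u16(hs, p); p += 2
        info["cipher_suites"] = [u16(hs, p + i) for i in range(0, n, 2)]; p += n
        p += 1 + hs[p]                           # compression methods list
    else:
        info["cipher_suite"] = u16(hs, p); p += 3  # chosen suite (2) + compression method (1)
    if p < len(hs):                              # extensions block is optional
        end = p + 2 + u16(hs, p); p += 2
        while p < end:
            etype, elen = u16(hs, p), u16(hs, p + 2); p += 4
            body = hs[p:p + elen]; p += elen
            if etype == 0 and kind == "ClientHello":     # server_name: the domain, sent in the clear
                info["sni"] = body[5:5 + u16(body, 3)].decode()
            elif etype == 43 and kind == "ServerHello":  # supported_versions: real version for TLS1.3
                info["version"] = VERSIONS.get(u16(body, 0), "unknown")
    return info

def weak_reasons(info):
    """What a monitor would log for this hello: an old protocol version or a weak chosen suite."""
    old = ["old version " + info["version"]] if info["version"] in ("TLS1.0", "TLS1.1") else []
    suite = info.get("cipher_suite")
    return old + (["weak suite " + WEAK_SUITES[suite]] if suite in WEAK_SUITES else [])

def build_hello(kind, version, suites, sni=None):
    """Constructed sample record (zeroed random, no session id) so the parser can be run offline."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    body += (struct.pack("!H", 2 * len(suites)) if kind == 1 else b"") + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00" if kind == 1 else b"\x00"   # compression: list of one null / single null
    if sni:                                      # server_name extension carrying the host name
        name = struct.pack("!HBH", len(sni) + 3, 0, len(sni)) + sni.encode()
        body += struct.pack("!HHH", len(name) + 4, 0, len(name)) + name
    hs = bytes([kind]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

On a real tcpdump -w capture you would feed parse_hello() the TCP payload of the first segment in each direction of a port 443 flow; a hello that spans several segments needs reassembly first, which is exactly the gap the thread discusses.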