How to Capture and Analyze SSL Handshake Packets Using Tshark for Debugging


When debugging SSL/TLS connection issues, capturing the handshake is crucial. Tshark, the command-line version of Wireshark, is well suited to this task on headless servers. Here's how to capture and interpret SSL handshakes effectively. Note that the ssl.* display-filter names used below date from before Wireshark 3.0, which renamed the dissector to tls; the ssl.* names still work as aliases on current releases, but tls.* is the preferred form.

Start with this basic command to capture SSL traffic on port 443:


tshark -i eth0 -f "tcp port 443" -w ssl_capture.pcap

To capture only the SSL handshake sequence, apply a display filter while capturing. Because -Y is a display filter, tshark must dissect every packet it sees to apply it; on a busy interface, combine it with the -f capture filter above so the kernel drops unrelated traffic first:


tshark -i eth0 -Y "ssl.handshake" -w ssl_handshake.pcap

After capturing, generate a human-readable report:


tshark -r ssl_handshake.pcap -V -Y "ssl.handshake" > handshake_report.txt

Focus on these critical handshake components in your output:

  • ClientHello (supported cipher suites)
  • ServerHello (selected cipher suite)
  • Certificate messages
  • Finished messages

Here's how to list the cipher suites each ClientHello (handshake type 1) offers; compare that list with the single suite the ServerHello (type 2, same field) selected to spot a mismatch:


tshark -r ssl_handshake.pcap -Y "ssl.handshake.type == 1" -T fields -e ssl.handshake.ciphersuite

If you have the key material, add decryption. The ssl.keylog_file preference expects a key log file of session secrets (the SSLKEYLOGFILE format written by the client or server), not the server's private key:


tshark -r ssl_capture.pcap -o "ssl.keylog_file:keylog.txt" -Y "ssl"

Create a comprehensive report with timestamps and packet details:


tshark -r ssl_handshake.pcap -Y "ssl.handshake" -T fields -e frame.time -e ip.src -e ip.dst -e ssl.handshake.type -e ssl.handshake.extensions_server_name > vendor_report.txt

Common causes of handshake failures to look for in these reports:

  • Protocol version mismatches (TLS 1.2 vs 1.3)
  • Certificate validation failures
  • SNI (Server Name Indication) problems
  • Cipher suite incompatibilities

For recurring problems, set up continuous capture with rotation (filesize is given in kB, so 100000 rotates at roughly 100 MB, and files:10 keeps only the ten most recent files):


tshark -i eth0 -b filesize:100000 -b files:10 -w ssl_rotation.pcap -f "tcp port 443"

To capture SSL/TLS handshake packets using TShark (the command-line version of Wireshark), use this basic command:

tshark -i eth0 -Y "ssl.handshake" -w ssl_handshake.pcap

This command:

  • Captures on interface eth0 (-i eth0)
  • Filters for SSL handshake packets (-Y "ssl.handshake")
  • Saves to a pcap file (-w ssl_handshake.pcap)

For better debugging, you might want to capture the complete SSL negotiation context:

tshark -i eth0 -Y "tcp.port == 443 && (ssl.handshake || ssl.alert)" -w ssl_full.pcap -V

The additional parameters:

  • Include SSL alerts, which often reveal why a handshake failed
  • Use -V for verbose output showing packet details
  • Focus on standard HTTPS port 443

To convert the capture to human-readable text output:

tshark -r ssl_handshake.pcap -V -Y "ssl.handshake" > handshake_details.txt

Or for JSON output that's easier to parse programmatically:

tshark -r ssl_handshake.pcap -T json -Y "ssl.handshake" > handshake.json
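As an added example (not part of the original page), the following Python script reads that JSON and pulls out the items this page tells you to look for: the handshake messages seen, the cipher suites the ClientHello offered versus the one the ServerHello selected, the SNI, and any alerts. It assumes tshark was run with --no-duplicate-keys so repeated fields arrive as JSON arrays, handles both the tls.* (Wireshark 3.0+) and older ssl.* field names, and the embedded SAMPLE is a constructed, abbreviated capture rather than real output.

```python
import json

HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 20: "Finished"}
ALERT = {40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
         48: "unknown_ca", 70: "protocol_version", 112: "unrecognized_name"}

def walk(node):
    # yield every dict in the tree; tshark nests the tls layer to varying depth
    if isinstance(node, dict):
        yield node
    children = node.values() if isinstance(node, dict) else node if isinstance(node, list) else []
    for child in children:
        yield from walk(child)

def field(node, name):
    # flattened values of tls.<name> (Wireshark 3.x) or ssl.<name> (older) at any depth
    vals = [d[k] for d in walk(node) for k in ("tls." + name, "ssl." + name) if k in d]
    return [x for v in vals for x in (v if isinstance(v, list) else [v])]

def analyse(tshark_json):
    s = {"messages": [], "offered": [], "chosen": None, "sni": None, "findings": []}
    for packet in json.loads(tshark_json):
        layers = packet["_source"]["layers"]
        for msg in walk(layers):
            if "tls.handshake.type" not in msg and "ssl.handshake.type" not in msg:
                continue
            htype = int(field(msg, "handshake.type")[0])
            s["messages"].append(HANDSHAKE.get(htype, f"type {htype}"))
            suites = field(msg, "handshake.ciphersuite")
            if htype == 1:  # ClientHello: what the client offered, and for which name
                s["offered"] = suites
                s["sni"] = (field(msg, "handshake.extensions_server_name") or [None])[0]
            elif htype == 2 and suites:  # ServerHello: what the server picked
                s["chosen"] = suites[0]
        for desc in field(layers, "alert_message.desc"):
            s["findings"].append(f"alert {ALERT.get(int(desc), 'unknown')} ({desc})")
    if s["chosen"] and s["chosen"] not in s["offered"]:
        s["findings"].append("server chose a cipher suite the client did not offer")
    if "ClientHello" in s["messages"] and "ServerHello" not in s["messages"]:
        s["findings"].append("no ServerHello seen: handshake never completed")
    return s

# constructed, abbreviated `tshark -T json --no-duplicate-keys` output: a ClientHello, then a fatal alert
SAMPLE = '''[
{"_source": {"layers": {"tls": {"tls.record": {"tls.record.content_type": "22", "tls.handshake": {
  "tls.handshake.type": "1", "tls.handshake.version": "0x0303",
  "tls.handshake.ciphersuites": {"tls.handshake.ciphersuite": ["0x1301", "0x1302", "0xc02f"]},
  "Extension: server_name": {"tls.handshake.extensions_server_name": "app.example.test"}}}}}}},
{"_source": {"layers": {"tls": {"tls.record": {"tls.record.content_type": "21",
  "tls.alert_message": {"tls.alert_message.level": "2", "tls.alert_message.desc": "40"}}}}}}]'''
```

For a real capture, pass the contents of handshake.json to analyse() instead of SAMPLE.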

You can filter for specific handshake phases when debugging:

# Client Hello
tshark -r ssl_handshake.pcap -Y "ssl.handshake.type == 1" -V

# Server Hello
tshark -r ssl_handshake.pcap -Y "ssl.handshake.type == 2" -V

# Certificate Message
tshark -r ssl_handshake.pcap -Y "ssl.handshake.type == 11" -V

Here's how to identify common handshake failures:

# Check for SSL alerts indicating problems
tshark -r ssl_handshake.pcap -Y "ssl.alert" -V

# Check cipher suite negotiation
tshark -r ssl_handshake.pcap -Y "ssl.handshake.ciphersuites" -V

# Inspect the certificate chain the server sent (validation failures themselves show up as alerts such as bad_certificate or unknown_ca)
tshark -r ssl_handshake.pcap -Y "ssl.handshake.certificate" -V

When sending data to a vendor, include these key elements:

# Full handshake sequence
tshark -r ssl_handshake.pcap -Y "ssl.handshake" -V > handshake_sequence.txt

# Protocol version negotiation
tshark -r ssl_handshake.pcap -Y "ssl.record.version" -V > versions.txt

# Any error alerts
tshark -r ssl_handshake.pcap -Y "ssl.alert" -V > alerts.txt