
Analyze tcpdump with wireshark
However, one of the worst things that tcpdump does is to put the NIC into promisc mode. On a physical NIC, this can be VERY expensive and may involve bouncing the link (behind your back) and dropping packets. At the very least, it can wreak havoc with steering filters on some NICs. To prevent this, use the -p option to prevent tcpdump from putting the NIC into promisc mode.

Another issue with tcpdump on an endstation is caused by stateless offloads like checksum offload and offloads like TSO on the send side, and GRO / LRO on the receive side. Because the BPF filters are applied between the network stack and the device driver, you may notice tcpdump / wireshark complaining about bad checksums on transmit - this is likely due to checksum offload. And you may see gigantic (way larger than MTU) sized frames. This is due to GRO/LRO on receive, and TSO on transmit. You can disable stateless offloads (ethtool -K on linux, ifconfig on bsd), but that will slow the entire system down.

I don't know what exactly you are calling handshake, but I propose this command that will probably capture more than 95% of what you can want:

    tcpdump -ni eth0 "tcp port 443 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)"

  • eth0: is my network interface, change it if you need.
  • tcp port 443: I suppose this is the port your server is listening on, change it if you need.
  • tcp[((tcp[12] & 0xf0) >> 2)] = 0x16: a bit more tricky, let's detail this below.

tcp[12] means capturing the 13th byte of the tcp packet, corresponding to first half being the offset, second half being reserved. The offset, once multiplied by 4 gives the byte count of the TCP header, meaning ((tcp[12] & 0xf0) >> 2) provides the size of the TCP header. The first byte of a TLS packet defines the content type. The value 22 (0x16 in hexadecimal) has been defined as being "Handshake" content. As a consequence, tcp[((tcp[12] & 0xf0) >> 2)] = 0x16 captures every packet having the first byte after the TCP header set to 0x16. More filtering can be performed, but this strictly answers your question.
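As an added example (not code from the answers above), here is the same test the BPF expression performs, written in Python over TCP segments, plus a decoder for the 5-byte TLS record header that the 0x16 check keys on. The segments and the build_segment helper are constructed samples, not captured traffic.

```python
import struct

TLS_HANDSHAKE = 0x16  # TLS record content type "Handshake"

def tcp_header_len(segment: bytes) -> int:
    """Header length in bytes. The high nibble of byte 12 (Data Offset) counts
    32-bit words, so (b & 0xf0) >> 2 equals (b >> 4) * 4, exactly what the
    BPF expression ((tcp[12] & 0xf0) >> 2) computes."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return (segment[12] & 0xF0) >> 2

def matches_handshake_filter(segment: bytes) -> bool:
    """Python equivalent of  tcp[((tcp[12] & 0xf0) >> 2)] = 0x16 .
    BPF rejects a packet when the indexed byte lies past its end, so a
    segment with no payload (e.g. a bare ACK) never matches. Note the filter
    only looks at one byte: any segment whose payload happens to start with
    0x16 also matches, hence "more filtering can be performed"."""
    if len(segment) < 20:
        return False
    hlen = tcp_header_len(segment)
    if hlen < 20 or hlen >= len(segment):
        return False
    return segment[hlen] == TLS_HANDSHAKE

def tls_record_header(segment: bytes):
    """Decode content type, protocol version and record length of the TLS
    record that follows the TCP header; None if fewer than 5 payload bytes."""
    payload = segment[tcp_header_len(segment):]
    if len(payload) < 5:
        return None
    ctype, version, length = struct.unpack("!BHH", payload[:5])
    return {"content_type": ctype, "version": version, "length": length}

def build_segment(header_words: int, payload: bytes) -> bytes:
    """Constructed TCP segment (src 54321 -> dst 443, PSH/ACK) with the given
    Data Offset in 32-bit words; any header bytes past 20 are NOP options."""
    hdr = bytearray(20)
    struct.pack_into("!HHIIBBHHH", hdr, 0, 54321, 443, 1, 1,
                     header_words << 4, 0x18, 65535, 0, 0)
    hdr += b"\x01" * (header_words * 4 - 20)
    return bytes(hdr) + payload

# Constructed samples: a Handshake record behind a 20-byte header, an
# Application Data record behind a 32-byte header (options), and a bare ACK.
CLIENT_HELLO = build_segment(5, bytes.fromhex("1603010008" "0100000403030000"))
APP_DATA_OPTS = build_segment(8, bytes.fromhex("1703030001" "45"))
BARE_ACK = build_segment(5, b"")
```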