Can Wireshark capture TLS handshake?
This is a discussion on "Can Wireshark capture TLS handshake?" within the Networking/Device Drivers/IoT forums, part of the Advanced Linux Programming forums.
I've been running Wireshark and it seems to only show the SYN and ACK packets from the client to the server. Is there any way to capture the entire TLS handshake? If so, how can I go about doing this? I'm running Linux Mint 17.
Re: Can Wireshark capture TLS handshake? This is an interesting problem as TLS has a very long and complex handshake sequence. AFAIK Wireshark should be able to capture and decode most parts of TLS handshakes (provided there's a compatible library in libpcap).
If you don't see the handshake you might want to use tcpdump or sntpcap instead to capture packets. But this will require you to do more work than capturing with Wireshark.
EDIT: And just to clarify what Wireshark is capable of (thanks to @Rarz): tcpdump captures TCP traffic, while Wireshark captures Ethernet traffic. If your packets are not Ethernet (e.g. VLAN tagged) you will have to switch the capture from tcpdump to sntpcap, or capture the VLAN packets separately.
Well, I was just messing with Wireshark again. I have no clue how to run tcpdump or sntpcap so I started reading the man pages. Turns out there's a -b option for tcpdump that will do a layer 2 capture. I'll give that a try.
How do I filter TCP handshake in Wireshark?
I have an example of a TCP connection and I can see that it is establishing a handshake. However, I cannot see the TCP packets which are exchanged during the handshake phase. For example, I need to filter on the following TCP packets in Wireshark:
Client - SYN-ACK - ACK-ACK - FIN-ACK. I have read in the Wireshark documentation that I should use protocol 0x0400 (tcphandshake), however I was not able to find any examples of how to do this. Could anyone help me out with this?
Re: How do I filter TCP handshake in Wireshark? The Wireshark docs don't explicitly cover it, but it's not hard to figure out. To filter for the client side of a TCP handshake, you need to use the filter: ip.addr == "192.168.104"
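Both threads above come down to the same question: which header fields distinguish the TCP three-way handshake segments (SYN, SYN-ACK, ACK, FIN-ACK) from each other, and which bytes of the payload tell you a segment carries a TLS handshake message such as Client Hello. Those are exactly the fields Wireshark's display filters test: tcp.flags.syn, tcp.flags.ack and tcp.flags.fin for the TCP side, and tls.handshake.type for the TLS side (Wireshark releases before 3.0 name the TLS fields ssl.* instead of tls.*). Wireshark and tcpdump both capture through libpcap at the link layer, and a file written with tcpdump -w opens directly in Wireshark, so the filtering step is the same whichever tool did the capture. The Python below is an added example written for this page, not code from either thread: it builds a small, constructed client/server exchange (port numbers and handshake bodies are made up), parses the raw TCP header and TLS record header the way the dissector does, and maps each segment to the display filter that would select it.

```python
"""Classify TCP handshake segments and TLS handshake messages from raw bytes.

Added example (not from the forum thread). Shows the header fields that
Wireshark display filters such as tcp.flags.syn and tls.handshake.type test,
using a constructed exchange instead of a live capture.
"""
import struct

# TCP flag bits in the 16-bit "data offset / flags" word of the TCP header.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# TLS record content type 22 = handshake; handshake message types per RFC 5246 / RFC 8446.
TLS_HANDSHAKE = 0x16
HANDSHAKE_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}

# Wireshark display filters equivalent to each label produced below.
# Builds older than 3.0 use "ssl.handshake.type" in place of "tls.handshake.type".
DISPLAY_FILTERS = {
    "SYN": "tcp.flags.syn == 1 && tcp.flags.ack == 0",
    "SYN-ACK": "tcp.flags.syn == 1 && tcp.flags.ack == 1",
    "ACK": "tcp.flags.ack == 1 && tcp.flags.syn == 0 && tcp.flags.fin == 0",
    "FIN-ACK": "tcp.flags.fin == 1 && tcp.flags.ack == 1",
    "ClientHello": "tls.handshake.type == 1",
    "ServerHello": "tls.handshake.type == 2",
}


def build_tcp(src_port, dst_port, flags, payload=b""):
    """Build a minimal 20-byte TCP header (no options) followed by payload. Constructed test data."""
    data_offset_words = 5                      # 5 x 32-bit words = 20 bytes
    off_flags = (data_offset_words << 12) | flags
    header = struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0, off_flags, 65535, 0, 0)
    return header + payload


def build_tls_handshake(msg_type, body=b"\x00" * 4):
    """Wrap a (dummy) handshake message in a TLS record: type 0x16, version 3.3, 2-byte length."""
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x03" + len(hs).to_bytes(2, "big") + hs


def classify_segment(segment):
    """Return (tcp_label, tls_label or None) for one raw TCP segment."""
    _src, _dst, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    flags = off_flags & 0x1FF
    offset = (off_flags >> 12) * 4             # header length in bytes, options included
    payload = segment[offset:]

    if flags & SYN:
        tcp_label = "SYN-ACK" if flags & ACK else "SYN"
    elif flags & FIN:
        tcp_label = "FIN-ACK" if flags & ACK else "FIN"
    elif flags & ACK:
        tcp_label = "ACK"
    else:
        tcp_label = "OTHER"

    tls_label = None
    # A handshake record needs the 5-byte record header plus a 4-byte handshake header.
    if len(payload) >= 9 and payload[0] == TLS_HANDSHAKE:
        rec_len = int.from_bytes(payload[3:5], "big")
        if rec_len <= len(payload) - 5:        # ignore truncated records
            tls_label = HANDSHAKE_NAMES.get(payload[5], f"handshake type {payload[5]}")
    return tcp_label, tls_label


def summarize(segments):
    """Classify a whole exchange, in capture order."""
    return [classify_segment(s) for s in segments]


# Constructed exchange: client port 40000 talks to a server on port 443.
SAMPLE_SEGMENTS = [
    build_tcp(40000, 443, SYN),
    build_tcp(443, 40000, SYN | ACK),
    build_tcp(40000, 443, ACK),
    build_tcp(40000, 443, PSH | ACK, build_tls_handshake(1)),   # Client Hello
    build_tcp(443, 40000, PSH | ACK, build_tls_handshake(2)),   # Server Hello
    build_tcp(40000, 443, FIN | ACK),
]

if __name__ == "__main__":
    for tcp_label, tls_label in summarize(SAMPLE_SEGMENTS):
        key = tls_label or tcp_label
        print(f"{tcp_label:8} {tls_label or '':12} -> {DISPLAY_FILTERS.get(key, '(no filter listed)')}")
```

If a capture shows only SYN and ACK segments, the useful check is whether the Client Hello segment is present at all (tls.handshake.type == 1, or ssl.handshake.type == 1 on old builds) before concluding the dissector failed; a capture filter that matched only the handshake flags, or a capture on the wrong interface, produces the same symptom.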