Find SSLv3 in your traffic


These filters capture only the frames of an SSLv3 handshake.

We need to find handshakes with version 0x0300.

tshark/wireshark

display filters: ssl.handshake.version==0x0300

Tcpdump


tcpdump -i eth24 'tcp[((tcp[12]>>4)*4)+9:2]=0x0300'
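
The byte arithmetic behind the tcpdump filter above, as an added Python example that is not part of the original post. All function names and sample segments are hypothetical and constructed, and the stricter check (record type 0x16 plus hello type) is an addition that rules out non-handshake records that happen to carry 03 00 at the same offset.

```python
import struct

SSL3 = 0x0300  # handshake version the page's filters look for

def payload_offset(segment: bytes) -> int:
    # Same arithmetic as (tcp[12]>>4)*4: TCP data offset (32-bit words) to bytes.
    return (segment[12] >> 4) * 4

def loose_match(segment: bytes) -> bool:
    # Mirror of the tcpdump filter: the 2 bytes at payload offset 9 equal 0x0300.
    off = payload_offset(segment) + 9
    return len(segment) >= off + 2 and struct.unpack_from("!H", segment, off)[0] == SSL3

def strict_match(segment: bytes) -> bool:
    # Additionally require a handshake record (0x16) holding a
    # ClientHello (1) or ServerHello (2) before trusting the version field.
    base = payload_offset(segment)
    return (loose_match(segment) and segment[base] == 0x16
            and segment[base + 5] in (1, 2))

def build_segment(payload: bytes, options: bytes = b"") -> bytes:
    # Constructed TCP segment: 20-byte header, options padded to 4 bytes, payload.
    options += b"\x00" * (-len(options) % 4)
    doff = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", 49152, 443, 1, 1, doff << 4, 0x18, 65535, 0, 0)
    return header + options + payload

def hello(version: int, handshake_type: int = 1) -> bytes:
    # Constructed minimal hello: record header (5 bytes), handshake header
    # (4 bytes), then the 2-byte version that lands at payload offset 9.
    body = struct.pack("!H", version) + b"\x00" * 32
    hs = bytes([handshake_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", version, len(hs)) + hs

# Constructed sample segments (not captured traffic).
SAMPLES = {
    "sslv3_client_hello": build_segment(hello(0x0300)),
    "sslv3_hello_tcp_options": build_segment(hello(0x0300, 2), b"\x01" * 10),
    "tls12_client_hello": build_segment(hello(0x0303)),
    # Application data (0x17) that happens to carry 03 00 at payload offset 9.
    "appdata_lookalike": build_segment(
        b"\x17\x03\x03\x00\x10" + b"\x00" * 4 + b"\x03\x00" + b"\x00" * 10),
}

def classify() -> dict:
    return {name: (loose_match(s), strict_match(s)) for name, s in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in classify().items():
        print(f"{name:26} loose={result[0]} strict={result[1]}")
```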

To test these filters, we need to open an SSLv3 page, but web browsers block the use of SSLv3, so we can use the openssl Linux tool instead:

openssl s_client -ssl3 -connect poodle.securityview.com:443

Sources:

https://isc.sans.edu/diary/POODLE%2BTurning%2Boff%2BSSLv3%2Bfor%2Bvarious%2Bservers%2Band%2Bclient/18837
https://www.wains.be/pub/networking/tcpdump_advanced_filters.txt
https://danielmiessler.com/study/tcpdump/#gs.uHcB10o
