I. Love. Tcpdump. Once in a blue moon I'll boot up Wireshark, but it's pretty rare that there's a protocol question I need to answer that I can't answer faster with tcpdump -A.
If you're on a server that doesn't have an X environment set up for wireshark, you can use tcpdump to spit to a file:
-w Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is ``-''. See pcap-savefile(5) for a description of the file format.
--
You can then open this file in wireshark on your desktop for easier analysis if you wish.
Yeah, I do this all the time also with -s0 (saves all data traffic as well). You need some kind of filter because of all the traffic, but you can see everything afterwards. Easy to use wireshark to show TCP streams reconstructed: http://www.wireshark.org/docs/wsug_html_chunked/ChAdvFollowT... .
I use ssldump all the time; I don't think it's actively maintained, but it's not like it's broken. (The author of ssldump is one of the chairs of the TLS WG).
Last time I used it (quite a few months ago) it wasn't recognizing about half the fields in the SSL negotiation. It wasn't useless, but aside from its decryption-capabilities[1] wireshark had it beat because it could recognize and parse nearly all the fields.
[1] Wireshark might have that, but I haven't checked. I like to keep diversity in the tools I use.
