I am using the below filter to capture all outgoing HTTPS traffic.
tcpdump "port 443 and src host 192.168.0.4"
13:43:54.343747 IP 192.168.0.4.39358 > stackoverflow.com.https: Flags [R], seq 1287671898, win 0, length 0
13:43:54.343843 IP 192.168.0.4.39358 > stackoverflow.com.https: Flags [R], seq 1287671899, win 0, length 0
13:43:54.343887 IP 192.168.0.4.39358 > stackoverflow.com.https: Flags [R], seq 1287671898, win 0, length 0
13:43:54.343931 IP 192.168.0.4.39358 > stackoverflow.com.https: Flags [R], seq 1287671898, win 0, length 0
How is tcpdump getting the hostname (stackoverflow.com.https) details, if it only sniffs the TCP layer?
If you run tcpdump without specifying the -n option, it will perform a reverse DNS lookup for every IP address within the capture file as it displays those packets.

Generally, when using this tool for analysis, it is preferred to specify the -n option, which will dramatically increase the overall performance of the tool since it will no longer be generating lots of DNS lookups.
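The following is an added example, not part of the answer above and not tcpdump's own code. It reproduces what tcpdump does at display time without -n: the address is replaced by the result of a reverse (PTR) lookup, and the port number by the service name from /etc/services, which is where "https" for 443 comes from. The sample lines, the 198.51.100.7 address standing in for stackoverflow.com, and the local PTR and services tables are all constructed for the example, so it runs offline; the only live-DNS function is kept separate and is not called by the demo.

```python
"""Annotate `tcpdump -n` output the way tcpdump itself does without -n:
IP addresses become PTR names, port numbers become service names.
Name resolution is injected, so the demo runs offline against a local table."""
import re
import socket
from typing import Callable, Dict, Optional

# Constructed sample of `tcpdump -n "port 443 and src host 192.168.0.4"` output.
# 198.51.100.7 (TEST-NET-2) is an assumed stand-in for the address stackoverflow.com resolved to.
SAMPLE_NUMERIC = (
    "13:43:54.343747 IP 192.168.0.4.39358 > 198.51.100.7.443: Flags [R], seq 1287671898, win 0, length 0\n"
    "13:43:54.343843 IP 192.168.0.4.39358 > 198.51.100.7.443: Flags [R], seq 1287671899, win 0, length 0\n"
)

# Constructed local PTR table. 192.168.0.4 deliberately has no entry: tcpdump falls back to the
# numeric address when the reverse lookup fails, which is why only the remote side was named above.
LOCAL_PTR: Dict[str, str] = {"198.51.100.7": "stackoverflow.com"}

# Constructed subset of /etc/services, the source of the "https" label for port 443.
SERVICES: Dict[int, str] = {22: "ssh", 53: "domain", 80: "http", 443: "https"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src_ip>\d+\.\d+\.\d+\.\d+)\.(?P<src_port>\d+) > "
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+)\.(?P<dst_port>\d+): (?P<rest>.*)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Split one numeric IPv4 tcpdump line into fields; None if the line has another shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["src_port"] = int(fields["src_port"])
    fields["dst_port"] = int(fields["dst_port"])
    return fields


def system_ptr_lookup(ip: str) -> Optional[str]:
    """What tcpdump does by default: a live reverse DNS query from the analysis host.
    Deliberately not used by the offline demo; every call sends a PTR query to your resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def render_endpoint(ip: str, port: int, resolve_hosts: bool, resolve_ports: bool,
                    ptr_lookup: Callable[[str], Optional[str]], services: Dict[int, str]) -> str:
    """Format one endpoint as tcpdump prints it: name.service, falling back to ip.port."""
    host = (ptr_lookup(ip) if resolve_hosts else None) or ip
    svc = services.get(port) if resolve_ports else None
    return f"{host}.{svc if svc is not None else port}"


def annotate(text: str, *, resolve_hosts: bool = True, resolve_ports: bool = True,
             ptr_lookup: Callable[[str], Optional[str]] = LOCAL_PTR.get,
             services: Dict[int, str] = SERVICES) -> str:
    """Rewrite every parsable line; resolve_hosts=False, resolve_ports=False mirrors `tcpdump -nn`."""
    out = []
    for line in text.splitlines():
        f = parse_line(line)
        if f is None:
            out.append(line)  # leave lines we do not understand untouched
            continue
        src = render_endpoint(f["src_ip"], f["src_port"], resolve_hosts, resolve_ports, ptr_lookup, services)
        dst = render_endpoint(f["dst_ip"], f["dst_port"], resolve_hosts, resolve_ports, ptr_lookup, services)
        out.append(f"{f['ts']} IP {src} > {dst}: {f['rest']}")
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    print(annotate(SAMPLE_NUMERIC))
```

Capturing with -n (or -nn, which in the tcpdump manual also suppresses protocol and port name conversion) and annotating afterwards from a table you control means no DNS query leaves the analysis host for each displayed packet; besides the performance cost, those queries reveal to whoever runs or observes your resolver exactly which addresses you are looking at.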