I need to filter out all SSL packets using tcpdump. I know that only the first packet can be recognized as being SSL. Is it possible to match against the first packet and then filter out the rest of the SSL stream?
You can filter a TCP stream in tcpdump too. This site explains how to use tcpdump in this way; I hope it helps: tcpdump.org/tcpdump_man.html
You will have to tweak it a bit, but it should work.
Also, there is a dedicated ssldump utility.
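As an added example (not part of the original question or answer), here is how the "match the first packet, then filter the rest" idea works out in practice with tcpdump. BPF filters are stateless, so a single tcpdump run cannot follow a stream from its ClientHello; the usual workaround is two passes: first capture only TLS ClientHello packets (the first TLS record a client sends), then turn each ClientHello's addresses and ports into a flow filter for a second capture. The BPF expression for a ClientHello is standard tcpdump syntax; the interface name, sample output lines and the `flow_filter` helper are my own constructions for this example, and the expression assumes IPv4 without IP options.

```shell
#!/bin/sh
# Added example: two-pass TLS stream filtering with tcpdump.
# Not from the original post; names below are illustrative.

# Pass 1 filter: a TLS ClientHello over TCP (IPv4, no IP options).
#   (tcp[12]&0xf0)>>2            = TCP data offset in bytes (handles TCP options)
#   tcp[dataoff]   = 0x16        TLS record type: handshake
#   tcp[dataoff+1] = 0x03        record version major byte (SSLv3 / TLS 1.x)
#   tcp[dataoff+5] = 0x01        handshake type: ClientHello (after the 5-byte record header)
CLIENT_HELLO_BPF='tcp and (tcp[((tcp[12]&0xf0)>>2)]=0x16) and (tcp[((tcp[12]&0xf0)>>2)+1]=0x03) and (tcp[((tcp[12]&0xf0)>>2)+5]=0x01)'

# flow_filter: read "tcpdump -n" output lines of the form
#   12:00:01.000000 IP 10.0.0.5.51234 > 93.184.216.34.443: Flags [P.], ...
# and print one BPF expression that matches both directions of every flow seen.
# Retransmitted ClientHellos (same 4-tuple) are collapsed into one term.
flow_filter() {
  awk '
    $2 == "IP" {
      src = $3; dst = $5; sub(/:$/, "", dst)
      n = split(src, s, "."); sport = s[n]; shost = s[1] "." s[2] "." s[3] "." s[4]
      m = split(dst, d, "."); dport = d[m]; dhost = d[1] "." d[2] "." d[3] "." d[4]
      key = shost ":" sport ":" dhost ":" dport
      if (!(key in seen)) {
        seen[key] = 1
        term = "(host " shost " and port " sport " and host " dhost " and port " dport ")"
        expr = (expr == "") ? term : expr " or " term
      }
    }
    END { print expr }
  '
}

# capture_tls_streams: the two passes end to end. Needs root and tcpdump, so it is
# defined here but not invoked when this file is run as-is.
#   pass 1 stops after N ClientHellos; pass 2 records the full streams to a pcap.
# Caveat: streams whose ClientHello happened before pass 1 started are never seen.
capture_tls_streams() {
  iface=$1; count=$2; out=$3
  flows=$(tcpdump -n -i "$iface" -c "$count" "$CLIENT_HELLO_BPF" 2>/dev/null | flow_filter)
  [ -n "$flows" ] || { echo "no ClientHello seen" >&2; return 1; }
  tcpdump -n -i "$iface" -w "$out" "$flows"
}

# Constructed sample of pass-1 output (two flows, one ClientHello retransmitted).
SAMPLE='12:00:01.000000 IP 10.0.0.5.51234 > 93.184.216.34.443: Flags [P.], seq 1:518, ack 1, win 502, length 517
12:00:02.000000 IP 10.0.0.5.51234 > 93.184.216.34.443: Flags [P.], seq 1:518, ack 1, win 502, length 517
12:00:03.000000 IP 10.0.0.7.40000 > 172.16.0.9.8443: Flags [P.], seq 1:300, ack 1, win 502, length 299'

printf '%s\n' "$SAMPLE" | flow_filter
```

Run as `sh two_pass.sh` to see the pass-2 filter built from the sample lines; with root and a real interface, `capture_tls_streams eth0 10 tls.pcap` performs both passes. Because `host A and port P and host B and port Q` matches either direction, the resulting pcap holds the whole conversation, not only client-to-server packets.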