Without decrypting, what portion of an HTTPS session is visible with a packet capture?
A. HTTP Request Headers
B. Source IP Address
C. Cookies
D. HTTP Response Headers
The Answer Is: B
Explanation:
When analyzing HTTPS traffic using tools like tcpdump without access to the SSL private keys for decryption, only the Layer 2 through Layer 4 information remains visible.
Visible Information: You can see the Source and Destination IP addresses, TCP ports, and the TLS handshake headers (such as the Server Name Indication/SNI in the Client Hello).
Encrypted Information: Once the encrypted tunnel is established, all Layer 7 data is masked. This includes HTTP Request/Response Headers (Options A and D) and Cookies (Option C).
Troubleshooting Note: To see the headers or cookies, an administrator must either perform the packet capture on the "server-side" of the BIG-IP (if it is performing SSL Offload) or use a tool like Wireshark with the appropriate SSL keys loaded.
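The split described above, shown as an added example (not part of the original question or of any F5 material): it reads a constructed IPv4/TCP/TLS packet using only cleartext bytes, the way a capture tool does without keys. The addresses, ports, host name and all function names are assumptions made for illustration.

```python
import socket, struct

def client_hello(host):
    """Constructed minimal TLS ClientHello record carrying one SNI extension."""
    sni = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def build_packet(tls):
    """Constructed IPv4 + TCP headers (checksums left zero) around a TLS record."""
    tcp = struct.pack("!HHIIBBHHH", 51514, 443, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(tls), 0, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.20"))
    return ip + tcp + tls

def parse_sni(body):
    """Walk ClientHello fields to the extensions and return the server_name, if any."""
    p = 2 + 32                                      # client version + random
    p += 1 + body[p]                                # session id
    p += 2 + int.from_bytes(body[p:p + 2], "big")   # cipher suites
    p += 1 + body[p]                                # compression methods
    end = p + 2 + int.from_bytes(body[p:p + 2], "big")
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        if etype == 0:                              # server_name extension
            nlen = int.from_bytes(body[p + 7:p + 9], "big")
            return body[p + 9:p + 9 + nlen].decode("ascii")
        p += 4 + elen
    return None

def visible_fields(pkt):
    """Return what a capture shows without keys: L3/L4 fields, record type, SNI."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    tls = pkt[ihl + (pkt[ihl + 12] >> 4) * 4:]
    out = {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
           "sport": sport, "dport": dport, "record_type": tls[0], "sni": None}
    if tls[0] == 0x16 and tls[5] == 0x01:           # handshake record, ClientHello
        out["sni"] = parse_sni(tls[9:])
    return out

hello = build_packet(client_hello(b"app.example.test"))
# Constructed application-data record (type 23): the HTTP request is only ciphertext here.
data = build_packet(b"\x17\x03\x03\x00\x10" + bytes(range(16)))
print(visible_fields(hello))
print(visible_fields(data))
```

For the application-data packet the function still returns the IP addresses and ports, but nothing about headers or cookies, because those exist only inside the encrypted record body.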