I don't believe there's an easy solution to that task.
Taken from IETF.
RFC 2246 The TLS Protocol Version 1.0 January
1999
receiving party may decide at its discretion whether to treat this
as a fatal error or not. However, all messages which are
transmitted with a level of fatal must be treated as fatal
messages.
7.3. Handshake Protocol overview
The cryptographic parameters of the session state are produced by
the TLS Handshake Protocol, which operates on top of the TLS Record
Layer. When a TLS client and server first start communicating, they
agree on a protocol version, select cryptographic algorithms,
optionally authenticate each other, and use public-key encryption
techniques to generate shared secrets.
The TLS Handshake Protocol involves the following steps:
Exchange hello messages to agree on algorithms, exchange random
values, and check for session resumption.
Exchange the necessary cryptographic parameters to allow the
client and server to agree on a premaster secret.
Exchange certificates and cryptographic information to allow the
client and server to authenticate themselves.
Generate a master secret from the premaster secret and exchanged
random values.
Provide security parameters to the record layer.
Allow the client and server to verify that their peer has
calculated the same security parameters and that the handshake
occurred without tampering by an attacker.
Therefore you should sniff the handshake message, determine it's format and conclude to whether the client attempted to use TLS.
Another helpful link.
An SO old post.