"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "ssldump.1" between
ssldump-0.9b3.tar.gz and ssldump-1.3.tar.gz

About: ssldump is an SSLv3/TLS network protocol analyzer.

ssldump.1  (ssldump-0.9b3):ssldump.1  (ssldump-1.3)
SSLDUMP(1) General Commands Manual SSLDUMP(1) SSLDUMP(1) General Commands Manual SSLDUMP(1)
NAME NAME
ssldump - dump SSL traffic on a network ssldump - dump SSL traffic on a network
SYNOPSIS SYNOPSIS
ssldump [ -vtaTnsAxXhHVNdq ] [ -r dumpfile ] [ -i interface ] ssldump [ -aAdeFHjnNPqtTvxXy ] [ -i interface ]
[ -k keyfile ] [ -p password ] [ expression ] [ -k keyfile ] [ -l sslkeylogfile ] [ -p password ] [ -r dumpfile
] [ -w outputpcap ]
[ -S [crypto|d|ht|H|nroff] ] [ expression ]
DESCRIPTION DESCRIPTION
ssldump is an SSL/TLS network protocol analyzer. It identifies TCP c onnections on the chosen network ssldump is an SSL/TLS network protocol analyzer. It identifies TCP c onnections on the chosen network
interface and attempts to interpret them as SSL/TLS traffic. When it i dentifies SSL/TLS traffic, it interface and attempts to interpret them as SSL/TLS traffic. When it i dentifies SSL/TLS traffic, it
decodes the records and displays them in a textual form to stdout. If pr ovided with the appropriate key- decodes the records and displays them in a textual form to stdout. If pr ovided with the appropriate key-
ing material, it will also decrypt the connections and display the applic ation data traffic. ing material, it will also decrypt the connections and display the applic ation data traffic.
ssldump has been tested on FreeBSD, Linux, Solaris, and HP/UX. Since it' s based on PCAP, it should work ssldump has been tested on FreeBSD, Linux, Solaris, and HP/UX. Since it' s based on PCAP, it should work
on most platforms. However, unlike tcpdump, ssldump needs to be able to s ee both sides of the data trans- on most platforms. However, unlike tcpdump, ssldump needs to be able to s ee both sides of the data trans-
mission so you may have trouble using it with network taps such as SunOS nit that don't permit you to see mission so you may have trouble using it with network taps such as SunOS nit that don't permit you to see
transmitted data. Under SunOS with nit or bpf: To run tcpdump you must have read access to /dev/nit or transmitted data. Under SunOS with nit or bpf: To run ssldump you must have read access to /dev/nit or
/dev/bpf*. Under Solaris with dlpi: You must have read access to the network pseudo device, e.g. /dev/bpf*. Under Solaris with dlpi: You must have read access to the network pseudo device, e.g.
/dev/le. Under HP-UX with dlpi: You must be root or it must be insta lled setuid to root. Under IRIX /dev/le. Under HP-UX with dlpi: You must be root or it must be insta lled setuid to root. Under IRIX
with snoop: You must be root or it must be installed setuid to root. Und er Linux: You must be root or it with snoop: You must be root or it must be installed setuid to root. Und er Linux: You must be root or it
must be installed setuid to root. Under Ultrix and Digital UNIX: Once th e super-user has enabled promis- must be installed setuid to root. Under Ultrix and Digital UNIX: Once th e super-user has enabled promis-
cuous-mode operation using pfconfig(8), any user may run ssldump Under BS D: You must have read access to cuous-mode operation using pfconfig(8), any user may run ssldump Under BS D: You must have read access to
/dev/bpf*. /dev/bpf*.
OPTIONS OPTIONS
-a Print bare TCP ACKs (useful for observing Nagle behavior) -a Print bare TCP ACKs (useful for observing Nagle behavior).
-A Print all record fields (by default ssldump chooses the most inter esting fields) -A Print all record fields (by default ssldump chooses the most inter esting fields).
-d Display the application data traffic. This usually means de crypting it, but when -d is used -d Display the application data traffic. This usually means de crypting it, but when -d is used
ssldump will also decode application data traffic _before_ the SSL session initiates. This allows ssldump will also decode application data traffic before the SSL s ession initiates. This allows
you to see HTTPS CONNECT behavior as well as SMTP STARTTLS. As a side effect, since ssldump can't you to see HTTPS CONNECT behavior as well as SMTP STARTTLS. As a side effect, since ssldump can't
tell whether plaintext is traffic before the initiation of an SSL connection or just a regular TCP tell whether plaintext is traffic before the initiation of an SSL connection or just a regular TCP
connection, this allows you to use ssldump to sniff any TCP con nection. ssldump will automati- connection, this allows you to use ssldump to sniff any TCP con nection. ssldump will automati-
cally detect ASCII data and display it directly to the screen. non -ASCII data is displayed as hex cally detect ASCII data and display it directly to the screen. non -ASCII data is displayed as hex
dumps. See also -X. dumps. See also -X.
-e Print absolute timestamps instead of relative timestamps -e Print absolute timestamps instead of relative timestamps.
-r Read data from file instead of from the network. The old -f opti -F Specify the number of packets after which a connection pool cl
on still works but is deprecated eaning is performed (in packets,
and will probably be removed with the next version. -H Print the default: 100).
full SSL packet header.
-k Use keyfile as the location of the SSL keyfile (OpenSSL format) Pr -H Print the full SSL packet header.
evious versions of ssldump auto-
-i interface
Use interface as the network interface on which to sniff SSL/TLS t
raffic.
-j Switch output format to JSON. Only stdout is affected by this togg
le.
-k keyfile
Use keyfile as the location of the SSL keyfile (OpenSSL format) Pr
evious versions of ssldump auto-
matically looked in ./server.pem. Now you must specify your keyfi le every time. matically looked in ./server.pem. Now you must specify your keyfi le every time.
-n Don't try to resolve host names from IP addresses -l sslkeylogfile
Use sslkeylogfile as the location of the SSLKEYLOGFILE (h
ttps://developer.mozilla.org/en-
US/docs/Mozilla/Projects/NSS/Key_Log_Format).
-n Don't try to resolve host names from IP addresses.
-N Attempt to parse ASN.1 when it appears, such as in certificates an d DNs. -N Attempt to parse ASN.1 when it appears, such as in certificates an d DNs.
-p Use password as the SSL keyfile password. -p password
Use password as the SSL keyfile password.
-P Don't put the interface into promiscuous mode. -P Don't put the interface into promiscuous mode.
-q Don't decode any record fields beyond a single summary line. (quie t mode). -q Don't decode any record fields beyond a single summary line. (quie t mode).
-r file
Read data from file instead of from the network. The old -f optio
n still works but is deprecated
and will probably be removed with the next version.
-S [ crypto | d | ht | H ]
Specify SSL flags to ssldump. These flags include:
crypto Print cryptographic information.
d Print fields as decoded.
ht Print the handshake type.
H Print handshake type and highlights.
-t Specify the TTL for inactive connections referenced in the conne
ction pool (in seconds, default:
100).
-T Print the TCP headers.
-v Display version and copyright information.
-w outputpcap
Use outputpcap as the destination for decrypted packets.
-x Print each record in hex, as well as decoding it. -x Print each record in hex, as well as decoding it.
-X When the -d option is used, binary data is automatically printed i n two columns with a hex dump on -X When the -d option is used, binary data is automatically printed i n two columns with a hex dump on
the left and the printable characters on the right. -X suppresses the left and the printable characters on the right. -X suppres
the display of the printable ses the display of the printable
characters, thus making it easier to cut and paste the hext data i characters, thus making it easier to cut and paste the hex data in
nto some other program. -y Dec- to some other program.
orate the output for processing with troff. Not very useful for th
e average user.
expression -y Decorate the output for processing with nroff/troff. Not very usef
ul for the average user.
expression
Selects what packets ssldump will examine. Technically speaking, s sldump supports the full expres- Selects what packets ssldump will examine. Technically speaking, s sldump supports the full expres-
sion syntax from PCAP and tcpdump. In fact, the description here is cribbed from the tcpdump man sion syntax from PCAP and tcpdump. In fact, the description here is cribbed from the tcpdump man
page. However, since ssldump needs to examine full TCP streams, mo st of the tcpdump expressions page. However, since ssldump needs to examine full TCP streams, mo st of the tcpdump expressions
will select traffic mixes that ssldump will simply ignore. Only th e expressions which don't result will select traffic mixes that ssldump will simply ignore. Only th e expressions which don't result
in incomplete TCP streams are listed here. in incomplete TCP streams are listed here.
The expression consists of one or more primitives. Primitives usu ally consist of an id (name or The expression consists of one or more primitives. Primitives usu ally consist of an id (name or
number) preceded by one or more qualifiers. There are three diffe rent kinds of qualifier: number) preceded by one or more qualifiers. There are three diffe rent kinds of qualifier:
type qualifiers say what kind of thing the id name or numbe r refers to. Possible types are type qualifiers say what kind of thing the id name or numbe r refers to. Possible types are
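Review bot: the 1.3 SYNOPSIS and OPTIONS disagree on which options take an argument. The synopsis puts `-F` and `-t` in the bare flag group `[ -aAdeFHjnNPqtTvxXy ]`, but the OPTIONS text says `-F` takes a packet count (default 100) and `-t` a TTL in seconds (default 100); they should be listed as `[ -F packets ]` and `[ -t seconds ]` in the same style as `[ -r dumpfile ]`. Likewise the synopsis shows `-S [crypto|d|ht|H|nroff]` while the `-S` entry documents only `crypto | d | ht | H`, so either the `nroff` value is undocumented or the synopsis is stale. One more sentence would help under `-w outputpcap`: since the file receives decrypted packets, it holds application-layer plaintext and deserves the same access restrictions as the keyfile and sslkeylogfile it was produced from.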
skipping to change at line 189 skipping to change at line 229
not host vs and host ace not host vs and host ace
which should not be confused with which should not be confused with
not ( host vs or ace ) not ( host vs or ace )
Expression arguments can be passed to ssldump as either a sing le argument or as multiple argu- Expression arguments can be passed to ssldump as either a sing le argument or as multiple argu-
ments, whichever is more convenient. Generally, if the expression contains Shell metacharacters, ments, whichever is more convenient. Generally, if the expression contains Shell metacharacters,
it is easier to pass it as a single, quoted argument. Multiple arguments are concatenated with it is easier to pass it as a single, quoted argument. Multiple arguments are concatenated with
spaces before being parsed. spaces before being parsed.
EXAMPLES EXAMPLES
To listen to traffic on interface le0 port 443 To listen to traffic on interface le0 port 443:
ssldump -i le0 port 443 ssldump -i le0 port 443
To listen to traffic to the server romeo on port 443. To listen to traffic to the server romeo on port 443:
ssldump -i le0 port 443 and host romeo ssldump -i le0 port 443 and host romeo:
To switch output format to JSON:
ssldump -ANH -j -i le0 port 443 and host romeo
To decrypt traffic to to host romeo server.pem and the password foobar To decrypt traffic to host romeo server.pem and the password foobar:
ssldump -Ad -k ~/server.pem -p foobar -i le0 host romeo ssldump -Ad -k ~/server.pem -p foobar -i le0 host romeo
OUTPUT FORMAT OUTPUT FORMAT
All output is printed to standard out. All output is printed to standard out.
ssldump prints an indication of every new TCP connection using a line lik e the following ssldump prints an indication of every new TCP connection using a line lik e the following
New TCP connection #2: iromeo.rtfm.com(2302) <-> sr1.rtfm.com(4433) New TCP connection #2: iromeo.rtfm.com(2302) <-> sr1.rtfm.com(4433)
The host which send the first SYN is printed on the left and the host whi ch responded is printed on the The host which send the first SYN is printed on the left and the host whi ch responded is printed on the
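Review bot: the second example in the 1.3 column carries a stray colon on the command line itself, `ssldump -i le0 port 443 and host romeo:`, which a user copying the example would hand to the filter parser as part of the expression; the colon belongs at the end of the preceding prose line, as was done for the other three examples. The lead-in to the decryption example also reads "To decrypt traffic to host romeo server.pem and the password foobar", which is missing the words that tie `server.pem` to `-k` (for instance "using the key server.pem and the password foobar"). Finally, "The host which send the first SYN" should be "The host which sent the first SYN" in both columns.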
skipping to change at line 273 skipping to change at line 316
The TCP reassembler is not perfect. No attempt is made to reassemble IP f ragments and the 3-way handshake The TCP reassembler is not perfect. No attempt is made to reassemble IP f ragments and the 3-way handshake
and close handshake are imperfectly implemented. In practice, this turns out not to be much of a problem. and close handshake are imperfectly implemented. In practice, this turns out not to be much of a problem.
Support is provided for only for Ethernet and loopback interfaces because that's all that I have. If you Support is provided for only for Ethernet and loopback interfaces because that's all that I have. If you
have another kind of network you will need to modify pcap_cb in base/ pcap-snoop.c. If you have direct have another kind of network you will need to modify pcap_cb in base/ pcap-snoop.c. If you have direct
experience with ssldump on other networks, please send me patches. experience with ssldump on other networks, please send me patches.
ssldump doesn't implement session caching and therefore can't decrypt res umed sessions. ssldump doesn't implement session caching and therefore can't decrypt res umed sessions.
28 September 2001 SEE ALSO
SSLDUMP(1) tcpdump(1)
AUTHOR
ssldump was originally written by Eric Rescorla <ekr@rtfm.com>. Maintaine
d by a bunch of volunteers, see
https://github.com/adulau/ssldump/blob/master/CREDITS - Copyright (C) 201
5-2021 the aforementioned volun-
teers
2nd February 2021 - version 1.3
SSLDUMP(1)
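Review bot: the BUGS section was left untouched while AUTHOR now names a volunteer team and a GitHub CREDITS file, so "because that's all that I have" and "please send me patches" still speak in the voice of the original author; they should point at the project repository given in AUTHOR instead. The sentence "ssldump doesn't implement session caching and therefore can't decrypt resumed sessions" also predates the new `-l sslkeylogfile` option added in this version, so the page should state whether that limitation still applies when secrets come from a key log file rather than from the server key. Minor: "Support is provided for only for Ethernet" has a doubled "for".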
 End of changes. 17 change blocks. 
26 lines changed or deleted 74 lines changed or added
