ssldump – An SSL/TLS network protocol analyzer
ssldump has been tested on FreeBSD, Linux, Solaris, and HP/UX. Since it's based on PCAP, it should work on most platforms. However, unlike tcpdump, ssldump needs to be able to see both sides of the data transmission, so you may have trouble using it with network taps such as SunOS nit that don't permit you to see transmitted data.
Under SunOS with nit or bpf: To run tcpdump you must have read access to /dev/nit or /dev/bpf*.
Under Solaris with dlpi: You must have read access to the network pseudo device, e.g. /dev/le.
Under HP-UX with dlpi: You must be root or it must be installed setuid to root.
Under IRIX with snoop: You must be root or it must be installed setuid to root.
Under Linux: You must be root or it must be installed setuid to root.
Under Ultrix and Digital UNIX: Once the super-user has enabled promiscuous-mode operation using pfconfig(8), any user may run ssldump.
Under BSD: You must have read access to /dev/bpf*.
ssldump [ -vtaTnsAxXhHVNdq ] [ -r dumpfile ] [ -i interface ] [ -k keyfile ] [ -p password ] [ expression ]
-a -- Print bare TCP ACKs (useful for observing Nagle behavior)
-A -- Print all record fields (by default ssldump chooses the most interesting fields)
-d -- Display the application data traffic. This usually means decrypting it, but when -d is used ssldump will also decode application data traffic _before_ the SSL session initiates. This allows you to see HTTPS CONNECT behavior as well as SMTP STARTTLS. As a side effect, since ssldump can't tell whether plaintext is traffic before the initiation of an SSL connection or just a regular TCP connection, this allows you to use ssldump to sniff any TCP connection. ssldump will automatically detect ASCII data and display it directly to the screen. Non-ASCII data is displayed as hex dumps. See also -X.
-e -- Print absolute timestamps instead of relative timestamps
-r -- Read data from file instead of from the network. The old -f option still works but is deprecated and will probably be removed with the next version.
-H -- Print the full SSL packet header.
-k -- Use keyfile as the location of the SSL keyfile (OpenSSL format). Previous versions of ssldump automatically looked in ./server.pem. Now you must specify your keyfile every time.
-n -- Don't try to resolve host names from IP addresses
-N -- Attempt to parse ASN.1 when it appears, such as in certificates and DNs.
-p -- Use password as the SSL keyfile password.
-P -- Don't put the interface into promiscuous mode.
-q -- Don't decode any record fields beyond a single summary line. (quiet mode).
-x -- Print each record in hex, as well as decoding it.
-X -- When the -d option is used, binary data is automatically printed in two columns with a hex dump on the left and the printable characters on the right. -X suppresses the display of the printable characters, thus making it easier to cut and paste the hex data into some other program.
-y -- Decorate the output for processing with troff. Not very useful for the average user.
expression -- Selects what packets ssldump will examine. Technically speaking, ssldump supports the full expression syntax from PCAP and tcpdump. In fact, the description here is cribbed from the tcpdump man page. However, since ssldump needs to examine full TCP streams, most of the tcpdump expressions will select traffic mixes that ssldump will simply ignore.
To listen to traffic on interface le0 port 443:
ssldump -i le0 port 443
To listen to traffic to the server romeo on port 443:
ssldump -i le0 port 443 and host romeo
To decrypt traffic to host romeo using the keyfile ~/server.pem and the password foobar:
ssldump -Ad -k ~/server.pem -p foobar -i le0 host romeo
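An added example, not part of the ssldump documentation: a shell wrapper for the decryption case above that reads a saved capture with -r instead of a live interface and refuses a keyfile that group or other users can access. The function name ssldump_offline, the SSLDUMP override variable and the capture file name are assumptions; only options documented above are passed to ssldump.

```shell
# Added example: decrypt from a saved capture instead of a live interface.
# The capture is assumed to have been written separately, for example with
#   tcpdump -i le0 -s 0 -w capture.pcap port 443 and host romeo
# ssldump_offline and the SSLDUMP override variable are hypothetical names.
ssldump_offline() {
    if [ $# -ne 3 ]; then
        echo "usage: ssldump_offline dumpfile keyfile host" >&2
        return 1
    fi
    dumpfile=$1
    keyfile=$2
    host=$3

    [ -r "$dumpfile" ] || { echo "cannot read capture: $dumpfile" >&2; return 2; }
    [ -r "$keyfile" ] || { echo "cannot read keyfile: $keyfile" >&2; return 2; }

    # The keyfile holds the server's private key: refuse it if the mode
    # string shows any group or other permission bits (want e.g. -rw-------).
    case $(ls -ldL -- "$keyfile") in
        ????------*) ;;
        *)
            echo "keyfile $keyfile is accessible to group/other; chmod 600 it" >&2
            return 3
            ;;
    esac

    # -p is deliberately not used: a password given as an argument is visible
    # in the process list, so this sketch assumes an unencrypted keyfile that
    # is protected by file permissions instead.
    # -n  don't resolve host names from the captured addresses
    # -A  all record fields   -d  show application data
    # -r  read the capture    -k  key used for decryption
    "${SSLDUMP:-ssldump}" -n -A -d -r "$dumpfile" -k "$keyfile" \
        port 443 and host "$host"
}
```

Call it as ssldump_offline capture.pcap ~/server.pem romeo after sourcing the function.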