Linux Mint - Free and powerful

Friday, 13 February 2015

ssldump – An SSL/TLS network protocol analyzer | Ubuntu Geek

ssldump is an SSL/TLS network protocol analyzer. It identifies TCP connections on the chosen network interface and attempts to interpret them as SSL/TLS traffic. When it identifies SSL/TLS traffic, it decodes the records and displays them in a textual form to stdout. If provided with the appropriate keying material, it will also decrypt the connections and display the application data traffic.
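As an added illustration of what "decoding the records" means (this is not ssldump's own code, and its summary tuples are not ssldump's output format), the following Python walks a byte stream using the TLS record layout from RFC 5246 and names each record the way an analyzer must before it can decrypt anything. The sample bytes are constructed here: a ClientHello followed by an application_data record that is cut off, the case an analyzer hits when it sees only one side of the stream.

```python
import struct

# Record content types, handshake types and version words from RFC 5246.
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def decode_records(stream):
    """Summarise each TLS record in one direction of a TCP stream.

    Returns (content_type, version, length, detail) per record. Handshake
    records are opened one level to name the message, which is all that is
    needed to tell a ClientHello from encrypted application data without any
    key material. Truncated input is reported instead of silently dropped.
    """
    out, off = [], 0
    while off < len(stream):
        if len(stream) - off < 5:                      # not even a 5-byte record header left
            out.append(("Truncated", None, len(stream) - off, "short header"))
            break
        ctype, ver, length = struct.unpack("!BHH", stream[off:off + 5])
        name, vname = CONTENT_TYPES.get(ctype, str(ctype)), VERSIONS.get(ver, hex(ver))
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:                         # header promises more bytes than we have
            out.append((name, vname, length, "truncated body"))
            break
        detail = ""
        if ctype == 22 and len(body) >= 4:             # handshake: 1-byte type, 3-byte length
            htype, hlen = body[0], int.from_bytes(body[1:4], "big")
            detail = HANDSHAKE_TYPES.get(htype, "handshake type %d" % htype)
            if htype == 1 and hlen >= 34:              # ClientHello starts with client_version + 32-byte random
                hello_ver = struct.unpack("!H", body[4:6])[0]
                detail += " (client_version %s)" % VERSIONS.get(hello_ver, hex(hello_ver))
        elif ctype == 21 and length == 2:              # plaintext alert: level, description
            detail = "level %d description %d" % (body[0], body[1])
        out.append((name, vname, length, detail))
        off += 5 + length
    return out


# Constructed sample stream (not a real capture): one ClientHello record, then an
# application_data record whose header advertises 16 bytes but only 7 are present.
_hello_body = b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
_handshake = b"\x01" + len(_hello_body).to_bytes(3, "big") + _hello_body
SAMPLE = b"\x16\x03\x01" + len(_handshake).to_bytes(2, "big") + _handshake
SAMPLE += b"\x17\x03\x03\x00\x10" + b"\xaa" * 7

if __name__ == "__main__":
    for rec in decode_records(SAMPLE):
        print(rec)
```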

ssldump has been tested on FreeBSD, Linux, Solaris, and HP/UX. Since it's based on PCAP, it should work on most platforms. However, unlike tcpdump, ssldump needs to be able to see both sides of the data transmission, so you may have trouble using it with network taps such as SunOS nit that don't permit you to see transmitted data.

Privileges needed to capture on each platform:
Under SunOS with nit or bpf: You must have read access to /dev/nit or /dev/bpf*.
Under Solaris with dlpi: You must have read access to the network pseudo device, e.g. /dev/le.
Under HP-UX with dlpi: You must be root or it must be installed setuid to root.
Under IRIX with snoop: You must be root or it must be installed setuid to root.
Under Linux: You must be root or it must be installed setuid to root.
Under Ultrix and Digital UNIX: Once the super-user has enabled promiscuous-mode operation using pfconfig(8), any user may run ssldump.
Under BSD: You must have read access to /dev/bpf*.
SSLdump Syntax
ssldump [ -vtaTnsAxXhHVNdq ] [ -r dumpfile ] [ -i interface ] [ -k keyfile ] [ -p password ] [ expression ]
Option Details
-a -- Print bare TCP ACKs (useful for observing Nagle behavior)
-A -- Print all record fields (by default ssldump chooses the most interesting fields)
-d -- Display the application data traffic. This usually means decrypting it, but when -d is used ssldump will also decode application data traffic _before_ the SSL session initiates. This allows you to see HTTPS CONNECT behavior as well as SMTP STARTTLS. As a side effect, since ssldump can't tell whether plaintext is traffic before the initiation of an SSL connection or just a regular TCP connection, this allows you to use ssldump to sniff any TCP connection. ssldump will automatically detect ASCII data and display it directly to the screen. non-ASCII data is displayed as hex dumps. See also -X.
-e -- Print absolute timestamps instead of relative timestamps
-r -- Read data from file instead of from the network. The old -f option still works but is deprecated and will probably be removed with the next version.
-H -- Print the full SSL packet header.
-k -- Use keyfile as the location of the SSL keyfile (OpenSSL format) Previous versions of ssldump automatically looked in ./server.pem. Now you must specify your keyfile every time.
-n -- Don't try to resolve host names from IP addresses
-N -- Attempt to parse ASN.1 when it appears, such as in certificates and DNs.
-p -- Use password as the SSL keyfile password.
-P -- Don't put the interface into promiscuous mode.
-q -- Don't decode any record fields beyond a single summary line. (quiet mode).
-x -- Print each record in hex, as well as decoding it.
-X -- When the -d option is used, binary data is automatically printed in two columns with a hex dump on the left and the printable characters on the right. -X suppresses the display of the printable characters, thus making it easier to cut and paste the hex data into some other program.
-y -- Decorate the output for processing with troff. Not very useful for the average user.
expression -- Selects what packets ssldump will examine. Technically speaking, ssldump supports the full expression syntax from PCAP and tcpdump. In fact, the description here is cribbed from the tcpdump man page. However, since ssldump needs to examine full TCP streams, most of the tcpdump expressions will select traffic mixes that ssldump will simply ignore.
SSLDUMP Examples
To listen to traffic on interface le0 port 443
ssldump -i le0 port 443
To listen to traffic to the server romeo on port 443.
ssldump -i le0 port 443 and host romeo
To decrypt traffic to host romeo using the key file server.pem and the password foobar
ssldump -Ad -k ~/server.pem -p foobar -i le0 host romeo

Web sites come and go and information is lost and therefore some pages are archived. @rayd123. Powered by Blogger.