SSLDump

Description

ssldump is an SSL/TLS network protocol analyzer. It identifies TCP connections on the chosen network interface and attempts to interpret them as SSL/TLS traffic. When it identifies SSL/TLS traffic, it decodes the records and displays them in a textual form to stdout. If provided with the appropriate keying material, it will also decrypt the connections and display the application data traffic.

Usage

Syntax

ssldump [-r dumpfile] [-i interface] [-k keyfile] [-p password] [-vtaTnsAxVNde] [filter]

Options

       -a     Print bare TCP ACKs (useful for observing Nagle behavior)

       -A     Print  all  record  fields  (by default ssldump chooses the most
              interesting fields)

       -d     Display  the  application  data  traffic.  This  usually   means
              decrypting  it,  but  when  -d  is used ssldump will also decode
              application data traffic before the SSL session initiates.  This
              allows  you  to  see  HTTPS  CONNECT  behavior  as  well as SMTP
              STARTTLS. As a side effect, since  ssldump  can’t  tell  whether
              plaintext  is traffic before the initiation of an SSL connection
              or just a regular TCP connection, this allows you to use ssldump
              to  sniff any TCP connection.  ssldump will automatically detect
              ASCII data and display it directly to the screen. Non-ASCII data
              is displayed as hex dumps. See also -X.

       -e     Print absolute timestamps instead of relative timestamps

       -H     Print the full SSL packet header.

       -n     Don’t try to resolve host names from IP addresses

       -N     Attempt  to parse ASN.1 when it appears, such as in certificates
              and DNs.

       -p     Use password as the SSL keyfile password.

       -P     Don’t put the interface into promiscuous mode.

       -q     Don’t decode any record fields beyond  a  single  summary  line.
              (quiet mode).

       -T     Print the TCP headers.

       -v     Display version and copyright information.

       -x     Print each record in hex, as well as decoding it.

       -X     When the -d option is used, binary data is automatically printed
              in two columns with a hex dump on the  left  and  the  printable
              characters  on  the  right.  -X  suppresses  the  display of the
              printable characters, thus making it easier to cut and paste the
              hex data into some other program.

       -y     Decorate  the  output  for processing with nroff/troff. Not very
              useful for the average user.

       -i interface
              Use interface as the network interface on which to sniff SSL/TLS
              traffic.

       -k keyfile
              Use  keyfile as the location of the SSL keyfile (OpenSSL format)
              Previous   versions   of   ssldump   automatically   looked   in
              ./server.pem.  Now you must specify your keyfile every time.

       -p password
              Use password as the SSL keyfile password.

       -r file
              Read  data  from  file  instead of from the network.  The old -f
              option still works  but  is  deprecated  and  will  probably  be
              removed with the next version.

       -S [ crypto | d | ht | H ]
              Specify SSL flags to ssldump.  These flags include:

              crypto Print cryptographic information.

              d      Print fields as decoded.

              ht     Print the handshake type.

              H      Print handshake type and highlights.

       expression
              Selects what packets ssldump will examine. Technically speaking,
              ssldump supports  the  full  expression  syntax  from  PCAP  and
              tcpdump.   In  fact,  the  description  here is cribbed from the
              tcpdump man page. However, since ssldump needs to  examine  full
              TCP streams, most of the tcpdump expressions will select traffic
              mixes that ssldump will  simply  ignore.  Only  the  expressions
              which don’t result in incomplete TCP streams are listed here.

              The  expression  consists of one or more primitives.  Primitives
              usually consist of an id (name or number)  preceded  by  one  or
              more qualifiers.  There are three different kinds of qualifier:

              type   qualifiers  say  what kind of thing the id name or number
                     refers to.  Possible types are host, net and port.  E.g.,
                     ‘host  foo’, ‘net 128.3’, ‘port 20’.  If there is no type
                     qualifier, host is assumed.

              dir    qualifiers specify a  particular  transfer  direction  to
                     and/or from id.  Possible directions are src, dst, src or
                     dst and src and dst.  E.g., ‘src foo’, ‘dst  net  128.3’,
                     ‘src   or  dst  port  ftp-data’.   If  there  is  no  dir
                     qualifier, src or dst is assumed.  For ‘null’ link layers
                     (i.e.  point to point protocols such as slip) the inbound
                     and outbound qualifiers can be used to specify a  desired
                     direction.

              More  complex filter expressions are built up by using the words
              and, or and not to combine primitives.  E.g., ‘host foo and  not
              port  ftp  and  not  port  ftp-data’.  To save typing, identical
              qualifier lists can be omitted.  E.g., ‘tcp dst port ftp or ftp-
              data  or domain’ is exactly the same as ‘tcp dst port ftp or tcp
              dst port ftp-data or tcp dst port domain’.

              Allowable primitives are:

              dst host host
                     True if the IPv4/v6 destination field of  the  packet  is
                     host, which may be either an address or a name.

              src host host
                     True if the IPv4/v6 source field of the packet is host.

              host host
                     True  if  either the IPv4/v6 source or destination of the
                     packet is host.  Any of the above host expressions can be
                     prepended with the keywords, ip, arp, rarp, or ip6 as in:
                          ip host host
                     which is equivalent to:
                          ether proto \ip and host host
                     If host is  a  name  with  multiple  IP  addresses,  each
                     address will be checked for a match.

              ether dst ehost
                     True if the ethernet destination address is ehost.  Ehost
                     may be either a name from /etc/ethers or  a  number  (see
                     ethers(3N) for numeric format).

              ether src ehost
                     True if the ethernet source address is ehost.

              ether host ehost
                     True if either the ethernet source or destination address
                     is ehost.

              gateway host
                     True if the packet used host as  a  gateway.   I.e.,  the
                     ethernet  source  or  destination  address  was  host but
                     neither the IP source nor the IP  destination  was  host.
                     Host  must be a name and must be found in both /etc/hosts
                     and /etc/ethers.  (An equivalent expression is
                          ether host ehost and not host host
                     which can be used with either names or numbers for host /
                     ehost.)   This  syntax  does  not  work  in  IPv6-enabled
                     configuration at this moment.

              dst net net
                     True if the IPv4/v6 destination address of the packet has
                     a  network  number  of net. Net may be either a name from
                     /etc/networks or a network number  (see  networks(4)  for
                     details).

              src net net
                     True  if  the  IPv4/v6 source address of the packet has a
                     network number of net.

              net net
                     True if either the IPv4/v6 source or destination  address
                     of the packet has a network number of net.

              net net mask mask
                     True  if  the  IP  address  matches net with the specific
                     netmask.  May be qualified with src or  dst.   Note  that
                     this syntax is not valid for IPv6 net.

              net net/len
                     True  if  the  IPv4/v6  address matches net a netmask len
                     bits wide.  May be qualified with src or dst.

              dst port port
                     True if the packet is ip/tcp, ip/udp, ip6/tcp or  ip6/udp
                     and  has  a destination port value of port.  The port can
                     be a number or a name used in /etc/services (see  tcp(4P)
                     and  udp(4P)).   If  a name is used, both the port number
                     and protocol are checked.  If a number or ambiguous  name
                     is  used, only the port number is checked (e.g., dst port
                     513  will  print  both  tcp/login  traffic  and   udp/who
                     traffic,  and  port domain will print both tcp/domain and
                     udp/domain traffic).

              src port port
                     True if the packet has a source port value of port.

              port port
                     True if either the source  or  destination  port  of  the
                     packet is port.  Any of the above port expressions can be
                     prepended with the keywords, tcp or udp, as in:
                          tcp src port port
                     which matches only tcp packets whose source port is port.

              Primitives may be combined using:

                     A   parenthesized   group  of  primitives  and  operators
                     (parentheses  are  special  to  the  Shell  and  must  be
                     escaped).

                      Negation (‘!’ or ‘not’).

                      Concatenation (‘&&’ or ‘and’).

                      Alternation (‘||’ or ‘or’).

              Negation  has highest precedence.  Alternation and concatenation
              have equal precedence and associate left to  right.   Note  that
              explicit  and  tokens,  not  juxtaposition, are now required for
              concatenation.

              If an identifier is given without a  keyword,  the  most  recent
              keyword is assumed.  For example,
                   not host vs and ace
              is short for
                   not host vs and host ace
              which should not be confused with 
                   not ( host vs or ace )

              Expression arguments can be passed to ssldump as either a single
              argument or as multiple arguments, whichever is more convenient.
              Generally,  if  the expression contains Shell metacharacters, it
              is easier to pass it as a  single,  quoted  argument.   Multiple
              arguments are concatenated with spaces before being parsed.
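The shorthand rule above (an id given without a keyword takes the most recent keyword) is easy to misread, so here is a small expander, added for this page and not part of ssldump or tcpdump, that rewrites a filter with every qualifier spelled out. It implements only the documented rule over the qualifier and operator words listed in this section; it does not validate that the result is a legal primitive, and the way it treats `src or dst` as one compound qualifier and `mask` as part of the preceding `net` primitive are this example's own assumptions about the grammar.

```python
import re

# Keywords the expression grammar above treats as qualifiers (type, dir, protocol).
QUALIFIERS = {"host", "net", "port", "src", "dst", "ether", "gateway", "proto",
              "ip", "ip6", "arp", "rarp", "tcp", "udp", "inbound", "outbound"}
OPERATORS = {"and", "or", "not", "&&", "||", "!", "(", ")"}
# Parentheses and the symbolic operators need no surrounding whitespace.
TOKEN_RE = re.compile(r"\(|\)|&&|\|\||!|[^\s()!|]+")


def tokenize(expr):
    """Split a filter into tokens the way the shell would not: '(host' becomes '(' 'host'."""
    return TOKEN_RE.findall(expr)


def expand(expr):
    """Rewrite a filter so every id carries its qualifiers explicitly.

    Implements the documented rule "if an identifier is given without a keyword,
    the most recent keyword is assumed". Simplified model (an assumption of this
    example): it applies that rule and nothing else.
    """
    toks = tokenize(expr)
    out, pending, last = [], [], []
    i = 0
    while i < len(toks):
        t = toks[i]
        # "src or dst" / "src and dst" is a compound dir qualifier, not an operator.
        if (t in ("or", "and") and pending and pending[-1] in ("src", "dst")
                and i + 1 < len(toks) and toks[i + 1] in ("src", "dst")):
            pending += [t, toks[i + 1]]
            i += 2
            continue
        if t in OPERATORS:
            out.append(t)
        elif t == "mask":               # "net X mask M": the mask belongs to the previous primitive
            out.append(t)
            if i + 1 < len(toks):
                i += 1
                out.append(toks[i])
        elif t in QUALIFIERS:
            pending.append(t)
        else:                           # an id: name, number, address, or an escaped keyword like \ip
            if pending:
                last = pending          # remember the qualifiers for ids that omit them
            out.extend(last + [t])
            pending = []
        i += 1
    return " ".join(out)
```

Running `expand("not host vs and ace")` yields `not host vs and host ace`, while `expand("not (host vs or ace)")` yields `not ( host vs or host ace )`, which is the distinction the text draws; tokens are re-joined with single spaces, so the result is still a valid argument to pass, quoted, to ssldump.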

Example

To listen to traffic on interface eth0 on port 80:

cyborg@cyborg:~$ sudo ssldump -i eth0 port 80
[sudo] password for cyborg: 
New TCP connection #1: cyborg.local.lan(48147) <-> 117.18.237.29(80)
New TCP connection #2: cyborg.local.lan(60200) <-> maa03s18-in-f46.1e100.net(80)
1    16.1620 (16.1620)  S>C  TCP FIN
1    16.1621 (0.0001)  C>S  TCP FIN
New TCP connection #4: cyborg.local.lan(48818) <-> maa03s19-in-f14.1e100.net(80)
New TCP connection #3: cyborg.local.lan(48817) <-> maa03s19-in-f110.1e100.net(80)
New TCP connection #5: cyborg.local.lan(48819) <-> maa03s19-in-f14.1e100.net(80)
5    2.3274 (2.3274)  C>S  TCP FIN
3    2.4045 (2.4045)  C>S  TCP FIN
4    2.4045 (2.4045)  C>S  TCP FIN
2    56.0194 (56.0194)  C>S  TCP FIN
4    2.4936 (0.0891)  S>C  TCP FIN
5    2.4185 (0.0911)  S>C  TCP FIN
3    2.5010 (0.0964)  S>C  TCP FIN
2    56.1260 (0.1066)  S>C  TCP FIN

To listen to traffic on interface eth0 on port 443 with the handshake shown (-H prints the full SSL packet header):

cyborg@cyborg:~$ sudo ssldump -H -i eth0 port 443
New TCP connection #1: cyborg.local.lan(49422) <-> sb-in-f106.1e100.net(443)
1 1  0.1067 (0.1067)  C>S  Handshake
      ClientHello
        Version 3.3 
        cipher suites
        Unknown value 0xc02b
        Unknown value 0x39
        Unknown value 0x2f
        Unknown value 0x35
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        compression methods
                  NULL
1 2  0.2205 (0.1138)  S>C  Handshake
      ServerHello
        Version 3.3 
        session_id[0]=

        cipherSuite         Unknown value 0xc02f
        compressionMethod                   NULL
1 3  0.2238 (0.0032)  S>C  Handshake
      Certificate
1 4  0.2238 (0.0000)  S>C  Handshake
      ServerKeyExchange
1 5  0.2238 (0.0000)  S>C  Handshake
      ServerHelloDone
1 6  0.2314 (0.0076)  C>S  Handshake
      ClientKeyExchange
1 7  0.2314 (0.0000)  C>S  ChangeCipherSpec
1 8  0.2314 (0.0000)  C>S  Handshake
1 9  0.3479 (0.1164)  S>C  Handshake
      TLS_RSA_WITH_RC4_128_MD5
1 10 0.3479 (0.0000)  S>C  ChangeCipherSpec
1 11 0.3479 (0.0000)  S>C  Handshake
1 12 0.3480 (0.0001)  S>C  application_data
1 13 0.3483 (0.0002)  S>C  application_data
1 25 3.6785 (0.8519)  C>S  application_data
1 26 3.7963 (0.1177)  C>S  application_data
New TCP connection #2: cyborg.local.lan(46974) <-> sc-in-f94.1e100.net(443)
2 1  0.1111 (0.1111)  C>S  Handshake
      ClientHello
        Version 3.3 
        cipher suites
        Unknown value 0xc02b
        Unknown value 0xc02f
        Unknown value 0x39
        Unknown value 0x2f
        Unknown value 0x35
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        compression methods
                  NULL
2 2  0.2333 (0.1222)  S>C  Handshake
      ServerHello
        Version 3.3 
        session_id[0]=

        cipherSuite         Unknown value 0xc02b
        compressionMethod                   NULL
2 3  0.2382 (0.0049)  S>C  Handshake
      Certificate
2 4  0.2382 (0.0000)  S>C  Handshake
      ServerKeyExchange
2 5  0.2382 (0.0000)  S>C  Handshake
      ServerHelloDone
2 6  0.2467 (0.0085)  C>S  Handshake
      ClientKeyExchange
2 7  0.2467 (0.0000)  C>S  ChangeCipherSpec
2 8  0.2467 (0.0000)  C>S  Handshake
2 9  0.3646 (0.1178)  S>C  Handshake
      TLS_RSA_WITH_RC4_128_MD5
2 10 0.3646 (0.0000)  S>C  ChangeCipherSpec
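As an added example (not part of the original page or of ssldump), the script below reads -H output like the capture above and reports, per connection, the suite the server picked and any legacy suites (RC4, 3DES, MD5) the client still offers. The names used to resolve the `Unknown value 0x...` codes come from the IANA TLS cipher suite registry (this ssldump build's own table simply predates the ECDHE/AES suites); the sample input is an abridged copy of the capture above, labelled as constructed, and the line-format assumptions are read off that output.

```python
import re

# Constructed sample: the two connections from the -H capture above, abridged to
# their ClientHello/ServerHello records.
SAMPLE_H_OUTPUT = """\
New TCP connection #1: cyborg.local.lan(49422) <-> sb-in-f106.1e100.net(443)
1 1  0.1067 (0.1067)  C>S  Handshake
      ClientHello
        cipher suites
        Unknown value 0xc02b
        Unknown value 0x39
        Unknown value 0x2f
        Unknown value 0x35
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        compression methods
                  NULL
1 2  0.2205 (0.1138)  S>C  Handshake
      ServerHello
        cipherSuite         Unknown value 0xc02f
        compressionMethod                   NULL
New TCP connection #2: cyborg.local.lan(46974) <-> sc-in-f94.1e100.net(443)
2 1  0.1111 (0.1111)  C>S  Handshake
      ClientHello
        cipher suites
        Unknown value 0xc02b
        Unknown value 0xc02f
        Unknown value 0x39
        Unknown value 0x2f
        Unknown value 0x35
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
2 2  0.2333 (0.1222)  S>C  Handshake
      ServerHello
        cipherSuite         Unknown value 0xc02b
"""

# IANA registry names for the codes this ssldump build prints as "Unknown value".
IANA_SUITES = {0x002f: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
               0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
               0xc02b: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
               0xc02f: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}
WEAK_MARKERS = ("RC4", "3DES", "_MD5", "NULL", "EXPORT")   # legacy primitives worth flagging

CONN_RE = re.compile(r"^New TCP connection #(\d+): (\S+) <-> (\S+)$")
REC_RE = re.compile(r"^(\d+)\s+(\d+)\s+[\d.]+\s+\([\d.]+\)\s+[CS]>[CS]\s+\S+")
UNKNOWN_RE = re.compile(r"Unknown value 0x([0-9a-fA-F]+)")


def suite_name(text):
    """Turn ssldump's suite text into a name, resolving 'Unknown value 0x..' via IANA_SUITES."""
    m = UNKNOWN_RE.search(text)
    if not m:
        return text.strip()
    code = int(m.group(1), 16)
    return IANA_SUITES.get(code, "UNKNOWN_0x%04x" % code)


def parse_handshakes(text):
    """Return {conn_id: {client, server, offered: [...], negotiated}} from -H output."""
    conns, current, section, in_suites = {}, None, None, False
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns[int(m.group(1))] = {"client": m.group(2), "server": m.group(3),
                                      "offered": [], "negotiated": None}
            continue
        m = REC_RE.match(line)
        if m:                        # record summary: "<conn> <rec> time (delta) dir type"
            current, section, in_suites = conns.get(int(m.group(1))), None, False
            continue
        s = line.strip()
        if current is None or not s:
            continue
        if s in ("ClientHello", "ServerHello"):
            section, in_suites = s, False
        elif section == "ClientHello":
            if s == "cipher suites":
                in_suites = True
            elif s == "compression methods":   # the NULL below it is not a suite
                in_suites = False
            elif in_suites:
                current["offered"].append(suite_name(s))
        elif section == "ServerHello" and s.startswith("cipherSuite"):
            current["negotiated"] = suite_name(s[len("cipherSuite"):])
    return conns


def weak_suites(names):
    return [n for n in names if any(w in n for w in WEAK_MARKERS)]


def audit(conns):
    """Per connection: the negotiated suite and any legacy suites the client still offers."""
    return {cid: {"server": c["server"], "negotiated": c["negotiated"],
                  "weak_offered": weak_suites(c["offered"]),
                  "negotiated_weak": bool(c["negotiated"] and weak_suites([c["negotiated"]]))}
            for cid, c in sorted(conns.items())}
```

On the sample, both servers negotiate an ECDHE/AES-GCM suite, so `negotiated_weak` is false for each connection, but `weak_offered` lists the three RC4/3DES suites the client keeps advertising; that is the kind of finding worth feeding back to whoever owns the client configuration.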

To listen to traffic on interface eth0 on port 80 with -d, so that ssldump also decodes application data traffic before the SSL session initiates:

cyborg@cyborg:~$ sudo ssldump -d -i eth0 port 80
New TCP connection #1: cyborg.local.lan(60228) <-> maa03s18-in-f14.1e100.net(80)
0.0921 (0.0921)  C>S
---------------------------------------------------------------
50 4f 53 54 20 2f 6f 63 73 70 20 48 54 54 50 2f    POST /ocsp HTTP/
31 2e 31 0d 0a 48 6f 73 74 3a 20 63 6c 69 65 6e    1.1..Host: clien
74 73 31 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 0d 0a    ts1.google.com..
55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69    User-Agent: Mozi
6c 6c 61 2f 35 2e 30 20 28 58 31 31 3b 20 55 62    lla/5.0 (X11; Ub
75 6e 74 75 3b 20 4c 69 6e 75 78 20 78 38 36 5f    untu; Linux x86_
36 34 3b 20 72 76 3a 33 35 2e 30 29 20 47 65 63    64; rv:35.0) Gec
6b 6f 2f 32 30 31 30 30 31 30 31 20 46 69 72 65    ko/20100101 Fire
66 6f 78 2f 33 35 2e 30 0d 0a 41 63 63 65 70 74    fox/35.0..Accept
3a 20 74 65 78 74 2f 68 74 6d 6c 2c 61 70 70 6c    : text/html,appl
69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 6d    ication/xhtml+xm
6c 2c 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 6d    l,application/xm
6c 3b 71 3d 30 2e 39 2c 2a 2f 2a 3b 71 3d 30 2e    l;q=0.9,*/*;q=0.
38 0d 0a 41 63 63 65 70 74 2d 4c 61 6e 67 75 61    8..Accept-Langua
67 65 3a 20 65 6e 2d 55 53 2c 65 6e 3b 71 3d 30    ge: en-US,en;q=0
2e 35 0d 0a 41 63 63 65 70 74 2d 45 6e 63 6f 64    .5..Accept-Encod
69 6e 67 3a 20 67 7a 69 70 2c 20 64 65 66 6c 61    ing: gzip, defla
74 65 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67    te..Content-Leng
74 68 3a 20 37 35 0d 0a 43 6f 6e 74 65 6e 74 2d    th: 75..Content-
54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f    Type: applicatio
6e 2f 6f 63 73 70 2d 72 65 71 75 65 73 74 0d 0a    n/ocsp-request..
43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70    Connection: keep
2d 61 6c 69 76 65 0d 0a 0d 0a 30 49 30 47 30 45    -alive....0I0G0E
30 43 30 41 30 09 06 05 2b 0e 03 02 1a 05 00 04    0C0A0...+.......
14 f2 e0 6a f9 85 8a 1d 8d 70 9b 49 19 23 7a a9    ...j.....p.I.#z.
b5 1a 28 7e 64 04 14 4a dd 06 16 1b bc f6 68 b5    ..(~d..J......h.
76 f5 81 b6 bb 62 1a ba 5a 81 2f 02 08 69 d8 c3    v....b..Z./..i..
a1 d0 45 20 f1                                     ..E .
---------------------------------------------------------------
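The hex/ASCII dump is easier to work with as bytes. The following script, an added example rather than anything from the page or from ssldump, rebuilds the raw request from the -d output above (copied verbatim as constructed sample input), splits the HTTP headers from the body, and checks the body against Content-Length and against the length declared by the outer DER SEQUENCE of the OCSP request. The 47-column width of the hex field is an assumption read off the layout of that output.

```python
import re

HEX_COL_WIDTH = 47   # 16 bytes as "xx" pairs separated by spaces; the ASCII column starts later

# Constructed sample: the -d capture above, verbatim, including the two lines
# ssldump prints before the dump and the separator rules it draws around it.
SAMPLE_DUMP = """\
New TCP connection #1: cyborg.local.lan(60228) <-> maa03s18-in-f14.1e100.net(80)
0.0921 (0.0921)  C>S
---------------------------------------------------------------
50 4f 53 54 20 2f 6f 63 73 70 20 48 54 54 50 2f    POST /ocsp HTTP/
31 2e 31 0d 0a 48 6f 73 74 3a 20 63 6c 69 65 6e    1.1..Host: clien
74 73 31 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 0d 0a    ts1.google.com..
55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69    User-Agent: Mozi
6c 6c 61 2f 35 2e 30 20 28 58 31 31 3b 20 55 62    lla/5.0 (X11; Ub
75 6e 74 75 3b 20 4c 69 6e 75 78 20 78 38 36 5f    untu; Linux x86_
36 34 3b 20 72 76 3a 33 35 2e 30 29 20 47 65 63    64; rv:35.0) Gec
6b 6f 2f 32 30 31 30 30 31 30 31 20 46 69 72 65    ko/20100101 Fire
66 6f 78 2f 33 35 2e 30 0d 0a 41 63 63 65 70 74    fox/35.0..Accept
3a 20 74 65 78 74 2f 68 74 6d 6c 2c 61 70 70 6c    : text/html,appl
69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 6d    ication/xhtml+xm
6c 2c 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 6d    l,application/xm
6c 3b 71 3d 30 2e 39 2c 2a 2f 2a 3b 71 3d 30 2e    l;q=0.9,*/*;q=0.
38 0d 0a 41 63 63 65 70 74 2d 4c 61 6e 67 75 61    8..Accept-Langua
67 65 3a 20 65 6e 2d 55 53 2c 65 6e 3b 71 3d 30    ge: en-US,en;q=0
2e 35 0d 0a 41 63 63 65 70 74 2d 45 6e 63 6f 64    .5..Accept-Encod
69 6e 67 3a 20 67 7a 69 70 2c 20 64 65 66 6c 61    ing: gzip, defla
74 65 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67    te..Content-Leng
74 68 3a 20 37 35 0d 0a 43 6f 6e 74 65 6e 74 2d    th: 75..Content-
54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f    Type: applicatio
6e 2f 6f 63 73 70 2d 72 65 71 75 65 73 74 0d 0a    n/ocsp-request..
43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70    Connection: keep
2d 61 6c 69 76 65 0d 0a 0d 0a 30 49 30 47 30 45    -alive....0I0G0E
30 43 30 41 30 09 06 05 2b 0e 03 02 1a 05 00 04    0C0A0...+.......
14 f2 e0 6a f9 85 8a 1d 8d 70 9b 49 19 23 7a a9    ...j.....p.I.#z.
b5 1a 28 7e 64 04 14 4a dd 06 16 1b bc f6 68 b5    ..(~d..J......h.
76 f5 81 b6 bb 62 1a ba 5a 81 2f 02 08 69 d8 c3    v....b..Z./..i..
a1 d0 45 20 f1                                     ..E .
---------------------------------------------------------------
"""

HEX_BYTE = re.compile(r"[0-9a-f]{2}")


def parse_hexdump(text):
    """Rebuild raw bytes from an ssldump -d dump, reading only the hex column."""
    data = bytearray()
    for line in text.splitlines():
        tokens = line[:HEX_COL_WIDTH].split()
        # Connection, timestamp and separator lines fail this test and are skipped.
        if tokens and all(HEX_BYTE.fullmatch(t) for t in tokens):
            data.extend(int(t, 16) for t in tokens)
    return bytes(data)


def split_http_request(raw):
    """Return (request line, {lower-cased header: value}, body) for a plaintext request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of HTTP headers not found in captured data")
    lines = head.decode("ascii").split("\r\n")
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def check_content_length(headers, body):
    """(declared, actual, match): a mismatch means the capture is truncated or mid-stream."""
    declared = int(headers.get("content-length", "-1"))
    return declared, len(body), declared == len(body)


def der_outer_length(body):
    """Declared content length of the outermost DER SEQUENCE (tag 0x30), or None."""
    if len(body) < 2 or body[0] != 0x30:
        return None
    if body[1] & 0x80:                       # long-form length: next n bytes, big-endian
        n = body[1] & 0x7f
        return int.from_bytes(body[2:2 + n], "big")
    return body[1]
```

On this capture Content-Length is 75 and exactly 75 bytes follow the blank line, and the DER header `30 49` declares 73 content bytes (75 with the two header bytes), so the dump holds one complete OCSP request; the same two checks flag a dump that ssldump cut off part-way through a stream.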
©2017 Ztrela Knowledge Solutions Pvt. Ltd
