ssldump

Overview

ssldump is a network protocol analyzer specifically designed for SSL/TLS traffic. It captures SSL/TLS handshakes, decodes encrypted sessions, and analyzes protocol-level communications between clients and servers.

Key Features

Capture and decode SSL/TLS handshake messages
Display certificate information in real-time
Analyze encrypted traffic at protocol level
Extract cryptographic parameters
Debug TLS configuration issues
Monitor certificate chain details
Support for modern SSL/TLS versions
Cross-platform availability

Use Cases

SSL/TLS protocol analysis and debugging
Certificate validation testing
Encryption strength verification
Handshake troubleshooting
Security testing and penetration testing
Protocol compliance verification
Vulnerability assessment

Installation

Linux/Debian-based

sudo apt-get update
sudo apt-get install ssldump

macOS

brew install ssldump

CentOS/RHEL

sudo yum install ssldump

Build from Source

wget https://sourceforge.net/projects/ssldump/files/ssldump-1.0.1/ssldump-1.0.1.tar.gz
tar xzf ssldump-1.0.1.tar.gz
cd ssldump-1.0.1
./configure
make
sudo make install

Basic Commands

Command	Purpose
`ssldump -i eth0`	Capture SSL/TLS traffic on eth0 interface
`ssldump -i any`	Capture on all available interfaces
`ssldump port 443`	Filter capture to HTTPS traffic (port 443)
`ssldump -r capture.pcap`	Analyze SSL/TLS from saved PCAP file
`ssldump -s 64`	Show first 64 bytes of decrypted data
`ssldump -d`	Print detailed decoding
`ssldump -h`	Display help information
`ssldump -v`	Show version information

Capturing Live Traffic

Capture HTTPS Traffic on Default Interface

sudo ssldump -i eth0 port 443

Shows SSL/TLS handshakes and session information as packets arrive.

Capture on All Interfaces

sudo ssldump -i any port 443

Useful for multi-interface systems to catch traffic on any active connection.

Capture to Specific Host

sudo ssldump host 192.168.1.100

Filter to capture traffic with a specific host.

Capture Between Two Hosts

sudo ssldump 'host 192.168.1.100 and host 10.0.0.50'

Analyze communication between two specific systems.

Analyzing PCAP Files

Read Saved Packet Capture

ssldump -r capture.pcap

Analyze SSL/TLS from previously captured PCAP file without live capture.

Detailed Analysis of PCAP

ssldump -r capture.pcap -d

Display detailed protocol decoding of captured SSL/TLS sessions.

Extract Specific Sessions

ssldump -r capture.pcap 'port 443'

Filter PCAP analysis to specific port.

Analyze and Export

ssldump -r capture.pcap > ssl_analysis.txt

Save SSL/TLS analysis to file for documentation.

Certificate Analysis

Display Certificate Details During Handshake

sudo ssldump -i eth0 port 443

Captures and displays certificate information sent during TLS handshake:

New TCP connection #1: 192.168.1.100(55123) <-> 10.0.0.50(443)
1 1  0.0000 (0.0000)  C>S  Handshake
    ClientHello
1 2  0.0050 (0.0050)  S>C  Handshake
    ServerHello
1 3  0.0051 (0.0001)  S>C  Certificate
    Certificate chain:
    Certificate:
      Version: 3 (0x2)
      Serial Number: 0x1234567890abcdef
      Issuer: CN=server.example.com
      Subject: CN=server.example.com

Capture Certificate Chain

sudo ssldump port 443 > cert_analysis.log

Extract certificate information from capture file for later review.

Analyze Cipher Suites

sudo ssldump -d port 443

Detailed output shows negotiated cipher suites and TLS versions:

ServerHello
  version: TLS 1.2 (0x0303)
  session_id: <hex>
  cipher_suite: ECDHE_RSA_AES_256_GCM_SHA384
  compression_method: NULL

Protocol Analysis

Detailed Handshake Decoding

sudo ssldump -d -i eth0 port 443

Shows complete TLS handshake message breakdown:

ClientHello with supported cipher suites
ServerHello with chosen cipher
Certificate exchange
Key exchange parameters
Finished messages

Show Encrypted Data Content

sudo ssldump -s 256 port 443

Display first 256 bytes of encrypted application data for analysis.

Record Full Session

sudo ssldump -d port 443 2>&1 | tee session_analysis.txt

Capture both stdout and stderr to file for complete analysis.

Filtering and Display Options

Port-Based Filtering

# HTTPS only
sudo ssldump port 443

# SMTP over SSL (port 465)
sudo ssldump port 465

# IMAP over SSL (port 993)
sudo ssldump port 993

# Multiple ports
sudo ssldump 'port 443 or port 465 or port 993'

Host-Based Filtering

# Specific source
sudo ssldump src 192.168.1.100

# Specific destination
sudo ssldump dst 10.0.0.50

# Subnet
sudo ssldump net 192.168.1.0/24

Combined Filtering

# Specific host on specific port
sudo ssldump host 192.168.1.100 and port 443

# Exclude certain traffic
sudo ssldump 'port 443 and not host 192.168.1.50'

# Complex rules
sudo ssldump '(port 443 or port 465) and host 192.168.1.0/24'

Debugging TLS Issues

Test Server Certificate Configuration

# Connect to server and capture handshake
sudo ssldump host targetserver.com and port 443

Monitor certificate presentation and handshake process.

Analyze Connection Failures

sudo ssldump -d port 443

Detailed output reveals where handshake fails:

ERROR: Alert
  Type: Fatal
  Description: Certificate Unknown

Verify TLS Version Negotiation

sudo ssldump -d port 443

Check negotiated TLS version in ServerHello:

version: TLS 1.3 (0x0303)    # Modern TLS 1.3
version: TLS 1.2 (0x0303)    # Older TLS 1.2
version: SSL 3.0 (0x0300)    # Deprecated SSL 3.0

Monitor Cipher Suite Selection

sudo ssldump -d port 443 | grep cipher_suite

Verify server is selecting strong cipher suites.

Advanced Usage

Capture with tcpdump Integration

# Capture raw packets then analyze with ssldump
sudo tcpdump -i eth0 'tcp port 443' -w capture.pcap

# Later analyze the capture
ssldump -r capture.pcap -d

Combine with Network Diagnostics

# Monitor SSL/TLS while doing connectivity test
sudo ssldump -d port 443 &
DUMP_PID=$!

# Run your test
curl https://example.com

# Stop capture
kill $DUMP_PID

Log Analysis Session

# Capture with timestamps
sudo ssldump port 443 -d > ssl_session_$(date +%Y%m%d_%H%M%S).log

# Review captured session
tail -100 ssl_session_*.log

Monitor Multiple Services

#!/bin/bash
# Monitor multiple SSL/TLS ports
sudo ssldump '(port 443 or port 465 or port 993 or port 995)' -d | \
    tee multi_service_capture.log

Certificate Extraction

Export Certificate Information

# Capture and analyze
sudo ssldump -d port 443 > cert_details.txt

# Extract certificate from output
grep -A 50 "Certificate:" cert_details.txt

Verify Self-Signed Certificates

# Monitor connection to self-signed server
sudo ssldump host selfsigned.server.local and port 443

Output will show certificate details including:

Self-signed: Yes
Issuer: CN=selfsigned.server.local
Subject: CN=selfsigned.server.local

Check Certificate Validity Period

# Capture shows certificate validity
sudo ssldump -d port 443

# Output includes:
# Not Before: Jan 1 2023
# Not After: Dec 31 2024

Security Testing Scenarios

Test Client Certificate Authentication

# Monitor mutual TLS (mTLS) handshake
sudo ssldump -d 'host server and port 443'

Will show certificate exchange in both directions.

Verify Perfect Forward Secrecy

sudo ssldump -d port 443

Check cipher suite includes ECDHE or DHE:

cipher_suite: ECDHE_RSA_AES_256_GCM_SHA384

Good - uses ephemeral keys for forward secrecy.

cipher_suite: RSA_AES_256_CBC_SHA

Bad - uses static RSA keys, no forward secrecy.

Analyze Session Resumption

# Make two connections and capture both
sudo ssldump -d port 443

Look for session_id reuse or session ticket in resumed connections.

Performance Considerations

Capture High-Volume Traffic

# Use buffering for high-speed networks
sudo ssldump -B 100000 port 443

Increases internal buffer for less packet loss.

Limit Packet Snapshots

# Limit payload capture to 128 bytes
sudo ssldump -s 128 port 443

Reduces CPU usage when analyzing large volumes.

Integration with Other Tools

Use with Wireshark

# Capture with tcpdump for Wireshark analysis
sudo tcpdump -i eth0 'tcp port 443' -w capture.pcap

# Then open in Wireshark with SSL/TLS dissector
wireshark capture.pcap

# Or analyze with ssldump
ssldump -r capture.pcap -d

Combine with OpenSSL

# Capture traffic while testing with openssl
sudo ssldump port 443 &
DUMP_PID=$!

openssl s_client -connect example.com:443

kill $DUMP_PID

Automated Analysis Script

#!/bin/bash
# Analyze SSL/TLS traffic and generate report
INTERFACE="eth0"
DURATION=60

echo "Starting SSL/TLS capture for ${DURATION} seconds..."
sudo timeout $DURATION ssldump -i $INTERFACE port 443 -d > ssl_capture.txt

echo "Analysis:"
echo "========="
echo "Total handshakes:"
grep -c "ClientHello" ssl_capture.txt

echo "TLS versions used:"
grep "version:" ssl_capture.txt | sort | uniq -c

echo "Cipher suites negotiated:"
grep "cipher_suite:" ssl_capture.txt | sort | uniq -c

echo "Hosts contacted:"
grep "New TCP" ssl_capture.txt | awk '{print $7}' | sort | uniq

Troubleshooting

No Traffic Captured

Issue: ssldump shows no output despite SSL traffic occurring.

Solution:

# Verify interface is correct
ip link show

# Try capturing all traffic first
sudo ssldump -i eth0

# Check if port filter is too restrictive
sudo ssldump 'port 443 or port 465'

Permission Denied

Issue: Getting permission error when starting capture.

Solution:

# ssldump requires root or appropriate capabilities
sudo ssldump -i eth0

# Or grant capabilities (if preferred over sudo)
sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/ssldump

Decoding Issues

Issue: Traffic captured but not properly decoded.

Solution:

# Ensure you're using correct TLS version flags
ssldump -r capture.pcap -d

# Check if traffic is actually SSL/TLS
tcpdump -r capture.pcap 'port 443' | head

# Verify with tcpdump first
tcpdump -i eth0 'port 443' -c 10

Best Practices

Security Considerations

Practice	Reason
Use in controlled environments	Avoid privacy violations
Document authorization	Ensure proper authorization exists
Protect capture files	Contains sensitive protocol data
Don’t store decrypted content	Minimize data retention
Review legal requirements	Check applicable regulations

Operational Best Practices

# Include timestamps
sudo ssldump port 443 | while read line; do
    echo "$(date '+%Y-%m-%d %H:%M:%S') $line"
done

# Rotate large captures
sudo ssldump -r capture.pcap | split -l 1000 - analysis_

# Archive captures
tar czf ssl_captures_$(date +%Y%m%d).tar.gz *.log

References

Official Project: ssldump SourceForge
Man Page: man ssldump
TLS Protocol: RFC 5246 (TLS 1.2), RFC 8446 (TLS 1.3)
SSL/TLS Analysis: Mozilla SSL Configuration

Quick Reference

# Live capture on HTTPS
sudo ssldump port 443

# Detailed handshake analysis
sudo ssldump -d port 443

# Analyze saved capture
ssldump -r capture.pcap

# Specific host and detailed output
sudo ssldump -d host example.com

# Show encrypted payload (256 bytes)
sudo ssldump -s 256 port 443

# Save analysis to file
sudo ssldump -d port 443 > analysis.log

# Monitor with timestamps
sudo ssldump port 443 | while read l; do echo "$(date) $l"; done