ssldump
Overview
ssldump is a network protocol analyzer specifically designed for SSL/TLS traffic. It captures SSL/TLS handshakes, decodes encrypted sessions, and analyzes protocol-level communications between clients and servers.
Key Features
- Capture and decode SSL/TLS handshake messages
- Display certificate information in real-time
- Analyze encrypted traffic at protocol level
- Extract cryptographic parameters
- Debug TLS configuration issues
- Monitor certificate chain details
- Support for modern SSL/TLS versions
- Cross-platform availability
Use Cases
- SSL/TLS protocol analysis and debugging
- Certificate validation testing
- Encryption strength verification
- Handshake troubleshooting
- Security testing and penetration testing
- Protocol compliance verification
- Vulnerability assessment
Installation
Linux/Debian-based
sudo apt-get update
sudo apt-get install ssldump
macOS (Homebrew)
brew install ssldump
CentOS/RHEL
sudo yum install ssldump
Build from Source
wget https://sourceforge.net/projects/ssldump/files/ssldump-1.0.1/ssldump-1.0.1.tar.gz
tar xzf ssldump-1.0.1.tar.gz
cd ssldump-1.0.1
./configure
make
sudo make install
Basic Commands
| Command | Purpose |
|---|---|
| ssldump -i eth0 | Capture SSL/TLS traffic on eth0 interface |
| ssldump -i any | Capture on all available interfaces |
| ssldump port 443 | Filter capture to HTTPS traffic (port 443) |
| ssldump -r capture.pcap | Analyze SSL/TLS from saved PCAP file |
| ssldump -s 64 | Show first 64 bytes of decrypted data |
| ssldump -d | Print detailed decoding |
| ssldump -h | Display help information |
| ssldump -v | Show version information |
Capturing Live Traffic
Capture HTTPS Traffic on Default Interface
sudo ssldump -i eth0 port 443
Shows SSL/TLS handshakes and session information as packets arrive.
Capture on All Interfaces
sudo ssldump -i any port 443
Useful for multi-interface systems to catch traffic on any active connection.
Capture to Specific Host
sudo ssldump host 192.168.1.100
Filter to capture traffic with a specific host.
Capture Between Two Hosts
sudo ssldump 'host 192.168.1.100 and host 10.0.0.50'
Analyze communication between two specific systems.
Analyzing PCAP Files
Read Saved Packet Capture
ssldump -r capture.pcap
Analyze SSL/TLS from previously captured PCAP file without live capture.
Detailed Analysis of PCAP
ssldump -r capture.pcap -d
Display detailed protocol decoding of captured SSL/TLS sessions.
Extract Specific Sessions
ssldump -r capture.pcap 'port 443'
Filter PCAP analysis to specific port.
Analyze and Export
ssldump -r capture.pcap > ssl_analysis.txt
Save SSL/TLS analysis to file for documentation.
Certificate Analysis
Display Certificate Details During Handshake
sudo ssldump -i eth0 port 443
Captures and displays certificate information sent during TLS handshake:
New TCP connection #1: 192.168.1.100(55123) <-> 10.0.0.50(443)
1 1 0.0000 (0.0000) C>S Handshake
ClientHello
1 2 0.0050 (0.0050) S>C Handshake
ServerHello
1 3 0.0051 (0.0001) S>C Certificate
Certificate chain:
Certificate:
Version: 3 (0x2)
Serial Number: 0x1234567890abcdef
Issuer: CN=server.example.com
Subject: CN=server.example.com
Capture Certificate Chain
sudo ssldump port 443 > cert_analysis.log
Extract certificate information from capture file for later review.
Analyze Cipher Suites
sudo ssldump -d port 443
Detailed output shows negotiated cipher suites and TLS versions:
ServerHello
version: TLS 1.2 (0x0303)
session_id: <hex>
cipher_suite: ECDHE_RSA_AES_256_GCM_SHA384
compression_method: NULL
Protocol Analysis
Detailed Handshake Decoding
sudo ssldump -d -i eth0 port 443
Shows complete TLS handshake message breakdown:
- ClientHello with supported cipher suites
- ServerHello with chosen cipher
- Certificate exchange
- Key exchange parameters
- Finished messages
Show Encrypted Data Content
sudo ssldump -s 256 port 443
Display first 256 bytes of encrypted application data for analysis.
Record Full Session
sudo ssldump -d port 443 2>&1 | tee session_analysis.txt
Capture both stdout and stderr to file for complete analysis.
Filtering and Display Options
Port-Based Filtering
# HTTPS only
sudo ssldump port 443
# SMTP over SSL (port 465)
sudo ssldump port 465
# IMAP over SSL (port 993)
sudo ssldump port 993
# Multiple ports
sudo ssldump 'port 443 or port 465 or port 993'
Host-Based Filtering
# Specific source
sudo ssldump src 192.168.1.100
# Specific destination
sudo ssldump dst 10.0.0.50
# Subnet
sudo ssldump net 192.168.1.0/24
Combined Filtering
# Specific host on specific port
sudo ssldump host 192.168.1.100 and port 443
# Exclude certain traffic
sudo ssldump 'port 443 and not host 192.168.1.50'
# Complex rules
sudo ssldump '(port 443 or port 465) and net 192.168.1.0/24'
Debugging TLS Issues
Test Server Certificate Configuration
# Connect to server and capture handshake
sudo ssldump host targetserver.com and port 443
Monitor certificate presentation and handshake process.
Analyze Connection Failures
sudo ssldump -d port 443
Detailed output reveals where handshake fails:
ERROR: Alert
Type: Fatal
Description: Certificate Unknown
Verify TLS Version Negotiation
sudo ssldump -d port 443
Check the negotiated TLS version in ServerHello:
version: TLS 1.3 (0x0304) # Modern TLS 1.3 (0x0304 is carried in the supported_versions extension; the ServerHello legacy_version field itself still reads 0x0303)
version: TLS 1.2 (0x0303) # Older TLS 1.2
version: SSL 3.0 (0x0300) # Deprecated SSL 3.0
Monitor Cipher Suite Selection
sudo ssldump -d port 443 | grep cipher_suite
Verify server is selecting strong cipher suites.
Advanced Usage
Capture with tcpdump Integration
# Capture raw packets then analyze with ssldump
sudo tcpdump -i eth0 'tcp port 443' -w capture.pcap
# Later analyze the capture
ssldump -r capture.pcap -d
Combine with Network Diagnostics
# Monitor SSL/TLS while doing connectivity test
sudo ssldump -d port 443 &
DUMP_PID=$!
# Run your test
curl https://example.com
# Stop capture
kill $DUMP_PID
Log Analysis Session
# Capture with timestamps
sudo ssldump port 443 -d > ssl_session_$(date +%Y%m%d_%H%M%S).log
# Review captured session
tail -100 ssl_session_*.log
Monitor Multiple Services
#!/bin/bash
# Monitor multiple SSL/TLS ports
sudo ssldump '(port 443 or port 465 or port 993 or port 995)' -d | \
tee multi_service_capture.log
Certificate Extraction
Export Certificate Information
# Capture and analyze
sudo ssldump -d port 443 > cert_details.txt
# Extract certificate from output
grep -A 50 "Certificate:" cert_details.txt
Verify Self-Signed Certificates
# Monitor connection to self-signed server
sudo ssldump host selfsigned.server.local and port 443
Output will show certificate details including:
Self-signed: Yes
Issuer: CN=selfsigned.server.local
Subject: CN=selfsigned.server.local
Check Certificate Validity Period
# Capture shows certificate validity
sudo ssldump -d port 443
# Output includes:
# Not Before: Jan 1 2023
# Not After: Dec 31 2024
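The self-signed and validity checks in the two subsections above can be scripted against saved ssldump output. The shell function below is an added example, not part of ssldump or of this page's own scripts: it reads ssldump output in the certificate layout shown on this page (the `Issuer:`, `Subject:`, `Not Before:` and `Not After:` field names are an assumption about that layout; adjust the patterns if your build prints them differently), converts the dates to YYYYMMDD integers inside awk so the comparison does not depend on GNU versus BSD `date`, and reports each certificate in the chain as expired, not yet valid, self-signed, or OK relative to a reference date you pass in. The embedded capture is constructed for the example, not recorded traffic.

```shell
#!/bin/sh
# Added example (not part of ssldump or this page): evaluate the certificates
# that ssldump reports against a reference date. Field names follow the
# certificate output shown on this page (assumed layout; adjust the patterns
# if your build differs). Dates become YYYYMMDD integers inside awk, so the
# check behaves the same with GNU and BSD userlands.
# Usage: check_certs YYYYMMDD [file]   (reads stdin when no file is given)

check_certs() {
  today="$1"; shift
  awk -v today="$today" '
    BEGIN {
      split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
      for (i = 1; i <= 12; i++) mon[m[i]] = i
    }
    # "Jan 1 2023" -> 20230101 so validity dates compare as integers
    function ymd(mname, day, year) { return year * 10000 + mon[mname] * 100 + day }
    function report(  status) {
      if (subject == "") return
      status = ""
      if (issuer == subject)        status = status ",self-signed"
      if (nb == "" || na == "")     status = status ",no-validity-period"
      if (nb != "" && today < nb)   status = status ",not-yet-valid"
      if (na != "" && today > na)   status = status ",expired"
      printf "conn=%s subject=\"%s\" issuer=\"%s\" valid=%s..%s status=%s\n",
             conn, subject, issuer, nb, na, (status == "" ? "OK" : substr(status, 2))
      subject = ""; issuer = ""; nb = ""; na = ""
    }
    /^New TCP connection/ { report(); conn = $4; gsub(/[#:]/, "", conn); next }
    /^Certificate:/       { report(); next }      # next certificate in the chain
    /^Issuer:/            { sub(/^Issuer: */, ""); issuer = $0; next }
    /^Subject:/           { sub(/^Subject: */, ""); subject = $0; next }
    /^Not Before:/        { nb = ymd($3, $4, $5); next }
    /^Not After:/         { na = ymd($3, $4, $5); next }
    END { report() }
  ' "$@"
}

# Constructed sample in the output layout used on this page (not a real capture)
CERT_SAMPLE=$(cat <<'EOF'
New TCP connection #1: 192.168.1.100(55123) <-> 10.0.0.50(443)
1 3 0.0051 (0.0001) S>C Certificate
Certificate chain:
Certificate:
Version: 3 (0x2)
Serial Number: 0x1234567890abcdef
Issuer: CN=Example Intermediate CA
Subject: CN=server.example.com
Not Before: Jan 1 2023
Not After: Dec 31 2024
Certificate:
Version: 3 (0x2)
Issuer: CN=Example Root CA
Subject: CN=Example Intermediate CA
Not Before: Jun 15 2020
Not After: Jun 15 2030
New TCP connection #2: 192.168.1.100(55124) <-> 10.0.0.60(443)
2 3 0.0048 (0.0001) S>C Certificate
Certificate chain:
Certificate:
Self-signed: Yes
Issuer: CN=selfsigned.server.local
Subject: CN=selfsigned.server.local
Not Before: Mar 1 2025
Not After: Mar 1 2026
EOF
)

# Evaluate the sample as of 2025-03-01: the leaf is expired, the intermediate
# is fine, and the second server presents a self-signed certificate
printf '%s\n' "$CERT_SAMPLE" | check_certs 20250301
```

Run it on a saved capture with `check_certs "$(date +%Y%m%d)" cert_details.txt`. Self-signed is detected by comparing issuer and subject rather than trusting a `Self-signed:` line, so the check also works on output that omits that field.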
Security Testing Scenarios
Test Client Certificate Authentication
# Monitor mutual TLS (mTLS) handshake
sudo ssldump -d 'host server and port 443'
Will show certificate exchange in both directions.
Verify Perfect Forward Secrecy
sudo ssldump -d port 443
Check cipher suite includes ECDHE or DHE:
cipher_suite: ECDHE_RSA_AES_256_GCM_SHA384
Good - uses ephemeral keys for forward secrecy.
cipher_suite: RSA_AES_256_CBC_SHA
Bad - uses static RSA keys, no forward secrecy.
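The forward-secrecy check above, together with the version and cipher suite checks in "Verify TLS Version Negotiation" and "Monitor Cipher Suite Selection", can be applied to a whole capture at once. The shell function below is an added example, not part of ssldump or of this page's own scripts: it walks ssldump output in the layout shown on this page (the `New TCP connection`, `version:` and `cipher_suite:` field names are an assumption about that layout; adjust the three patterns if your build prints them differently), reports the negotiated version and cipher suite per connection, and flags deprecated protocol versions, non-ephemeral key exchange, and CBC/RC4/3DES/NULL/EXPORT suites. A connection with no ServerHello (a handshake that ended in an alert) is reported separately instead of being misread as weak. The embedded sample is constructed for the example.

```shell
#!/bin/sh
# Added example (not part of ssldump or this page): summarize the negotiated
# version and cipher suite per connection in ssldump output and flag weak
# choices. The field names ("New TCP connection", "version:", "cipher_suite:")
# are assumed to match the layout shown on this page; adjust the three
# patterns below if your build prints them differently.
# Usage: tls_posture [file]   (reads stdin when no file is given)

tls_posture() {
  awk '
    function emit(  issues, status) {
      if (conn == "") return
      if (version == "") {
        # No ServerHello seen: the handshake failed or was cut short
        status = "NO-SERVERHELLO"
      } else {
        issues = ""
        if (version == "SSL 3.0" || version == "TLS 1.0" || version == "TLS 1.1")
          issues = issues ",deprecated-version"
        # Every TLS 1.3 suite is ephemeral; older versions need ECDHE or DHE
        if (version != "TLS 1.3" && cipher !~ /(^|_)(ECDHE|DHE)_/)
          issues = issues ",no-forward-secrecy"
        if (cipher ~ /_(CBC|RC4|3DES|DES|NULL|EXPORT)/)
          issues = issues ",weak-cipher"
        status = (issues == "") ? "OK" : ("WEAK:" substr(issues, 2))
      }
      printf "conn=%s server=%s version=\"%s\" cipher=%s status=%s\n",
             conn, server, version, cipher, status
    }
    /^New TCP connection/ {
      emit()                                # report the previous connection
      conn = $4; gsub(/[#:]/, "", conn)     # "#1:" -> "1"
      server = $7; version = ""; cipher = ""
      next
    }
    /^version:/      { version = $2 " " $3; next }   # "TLS 1.2 (0x0303)" -> "TLS 1.2"
    /^cipher_suite:/ { cipher = $2; next }
    END { emit() }
  ' "$@"
}

# Constructed sample in the output layout used on this page (not a real capture)
SAMPLE=$(cat <<'EOF'
New TCP connection #1: 192.168.1.100(55123) <-> 10.0.0.50(443)
1 1 0.0000 (0.0000) C>S Handshake
ClientHello
1 2 0.0050 (0.0050) S>C Handshake
ServerHello
version: TLS 1.2 (0x0303)
cipher_suite: ECDHE_RSA_AES_256_GCM_SHA384
New TCP connection #2: 192.168.1.100(55124) <-> 10.0.0.51(443)
2 1 0.0000 (0.0000) C>S Handshake
ClientHello
2 2 0.0060 (0.0060) S>C Handshake
ServerHello
version: TLS 1.0 (0x0301)
cipher_suite: RSA_AES_256_CBC_SHA
New TCP connection #3: 192.168.1.100(55125) <-> 10.0.0.52(443)
3 1 0.0000 (0.0000) C>S Handshake
ClientHello
3 2 0.0030 (0.0030) S>C Handshake
ServerHello
version: TLS 1.3 (0x0304)
cipher_suite: TLS_AES_128_GCM_SHA256
New TCP connection #4: 192.168.1.100(55126) <-> 10.0.0.53(443)
4 1 0.0000 (0.0000) C>S Handshake
ClientHello
4 2 0.0040 (0.0040) S>C Alert
ERROR: Alert
Type: Fatal
Description: Handshake Failure
EOF
)

# One line per connection; connections 1 and 3 pass, 2 is weak, 4 never got a ServerHello
printf '%s\n' "$SAMPLE" | tls_posture
```

Point it at a saved analysis with `tls_posture ssl_capture.txt`, or pipe `ssldump -d port 443` output into it. Because awk keeps only the last `version:` and `cipher_suite:` seen per connection, the ServerHello values win over anything printed for the ClientHello.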
Analyze Session Resumption
# Make two connections and capture both
sudo ssldump -d port 443
Look for session_id reuse or session ticket in resumed connections.
Performance Considerations
Capture High-Volume Traffic
# Use buffering for high-speed networks
sudo ssldump -B 100000 port 443
Increases internal buffer for less packet loss.
Limit Packet Snapshots
# Limit payload capture to 128 bytes
sudo ssldump -s 128 port 443
Reduces CPU usage when analyzing large volumes.
Integration with Other Tools
Use with Wireshark
# Capture with tcpdump for Wireshark analysis
sudo tcpdump -i eth0 'tcp port 443' -w capture.pcap
# Then open in Wireshark with SSL/TLS dissector
wireshark capture.pcap
# Or analyze with ssldump
ssldump -r capture.pcap -d
Combine with OpenSSL
# Capture traffic while testing with openssl
sudo ssldump port 443 &
DUMP_PID=$!
openssl s_client -connect example.com:443
kill $DUMP_PID
Automated Analysis Script
#!/bin/bash
# Analyze SSL/TLS traffic and generate report
INTERFACE="eth0"
DURATION=60
echo "Starting SSL/TLS capture for ${DURATION} seconds..."
sudo timeout $DURATION ssldump -i $INTERFACE port 443 -d > ssl_capture.txt
echo "Analysis:"
echo "========="
echo "Total handshakes:"
grep -c "ClientHello" ssl_capture.txt
echo "TLS versions used:"
grep "version:" ssl_capture.txt | sort | uniq -c
echo "Cipher suites negotiated:"
grep "cipher_suite:" ssl_capture.txt | sort | uniq -c
echo "Hosts contacted:"
grep "New TCP" ssl_capture.txt | awk '{print $7}' | sort | uniq
Troubleshooting
No Traffic Captured
Issue: ssldump shows no output despite SSL traffic occurring.
Solution:
# Verify interface is correct
ip link show
# Try capturing all traffic first
sudo ssldump -i eth0
# Check if port filter is too restrictive
sudo ssldump 'port 443 or port 465'
Permission Denied
Issue: Getting permission error when starting capture.
Solution:
# ssldump requires root or appropriate capabilities
sudo ssldump -i eth0
# Or grant capabilities (if preferred over sudo)
sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/ssldump
Decoding Issues
Issue: Traffic captured but not properly decoded.
Solution:
# Ensure you're using correct TLS version flags
ssldump -r capture.pcap -d
# Check if traffic is actually SSL/TLS
tcpdump -r capture.pcap 'port 443' | head
# Verify with tcpdump first
tcpdump -i eth0 'port 443' -c 10
Best Practices
Security Considerations
| Practice | Reason |
|---|---|
| Use in controlled environments | Avoid privacy violations |
| Document authorization | Ensure proper authorization exists |
| Protect capture files | Contains sensitive protocol data |
| Don’t store decrypted content | Minimize data retention |
| Review legal requirements | Check applicable regulations |
Operational Best Practices
# Include timestamps (IFS= and -r keep ssldump's indentation and backslashes intact)
sudo ssldump port 443 | while IFS= read -r line; do
echo "$(date '+%Y-%m-%d %H:%M:%S') $line"
done
# Rotate large captures
sudo ssldump -r capture.pcap | split -l 1000 - analysis_
# Archive captures
tar czf ssl_captures_$(date +%Y%m%d).tar.gz *.log
References
- Official Project: ssldump SourceForge
- Man Page: man ssldump
- TLS Protocol: RFC 5246 (TLS 1.2), RFC 8446 (TLS 1.3)
- SSL/TLS Analysis: Mozilla SSL Configuration
Quick Reference
# Live capture on HTTPS
sudo ssldump port 443
# Detailed handshake analysis
sudo ssldump -d port 443
# Analyze saved capture
ssldump -r capture.pcap
# Specific host and detailed output
sudo ssldump -d host example.com
# Show encrypted payload (256 bytes)
sudo ssldump -s 256 port 443
# Save analysis to file
sudo ssldump -d port 443 > analysis.log
# Monitor with timestamps
sudo ssldump port 443 | while IFS= read -r l; do echo "$(date) $l"; done