ssldump
Overview
ssldump is a network protocol analyzer specifically designed for SSL/TLS traffic. It captures SSL/TLS handshakes, decodes encrypted sessions, and analyzes protocol-level communications between clients and servers.
Key Features
- Capture and decode SSL/TLS handshake messages
- Display certificate information in real-time
- Analyze encrypted traffic at protocol level
- Extract cryptographic parameters
- Debug TLS configuration issues
- Monitor certificate chain details
- Support for modern SSL/TLS versions
- Cross-platform availability
Use Cases
- SSL/TLS protocol analysis and debugging
- Certificate validation testing
- Encryption strength verification
- Handshake troubleshooting
- Security testing and penetration testing
- Protocol compliance verification
- Vulnerability assessment
Installation
Linux/Debian-based
sudo apt-get update
sudo apt-get install ssldump
macOS (Homebrew)
brew install ssldump
CentOS/RHEL
sudo yum install ssldump
Build from Source
wget https://sourceforge.net/projects/ssldump/files/ssldump-1.0.1/ssldump-1.0.1.tar.gz
tar xzf ssldump-1.0.1.tar.gz
cd ssldump-1.0.1
./configure
make
sudo make install
Basic Commands
| Command | Purpose |
|---|---|
| ssldump -i eth0 | Capture SSL/TLS traffic on eth0 interface |
| ssldump -i any | Capture on all available interfaces |
| ssldump port 443 | Filter capture to HTTPS traffic (port 443) |
| ssldump -r capture.pcap | Analyze SSL/TLS from saved PCAP file |
| ssldump -s 64 | Show first 64 bytes of decrypted data |
| ssldump -d | Print detailed decoding |
| ssldump -h | Display help information |
| ssldump -v | Show version information |
Capturing Live Traffic
Capture HTTPS Traffic on Default Interface
sudo ssldump -i eth0 port 443
Shows SSL/TLS handshakes and session information as packets arrive.
Capture on All Interfaces
sudo ssldump -i any port 443
Useful for multi-interface systems to catch traffic on any active connection.
Capture to Specific Host
sudo ssldump host 192.168.1.100
Capture only traffic to or from a specific host.
Capture Between Two Hosts
sudo ssldump 'host 192.168.1.100 and host 10.0.0.50'
Analyze communication between two specific systems.
Analyzing PCAP Files
Read Saved Packet Capture
ssldump -r capture.pcap
Analyze SSL/TLS from a previously captured PCAP file without live capture.
Detailed Analysis of PCAP
ssldump -r capture.pcap -d
Display detailed protocol decoding of captured SSL/TLS sessions.
Extract Specific Sessions
ssldump -r capture.pcap 'port 443'
Restrict PCAP analysis to a specific port.
Analyze and Export
ssldump -r capture.pcap > ssl_analysis.txt
Save SSL/TLS analysis to file for documentation.
Certificate Analysis
Display Certificate Details During Handshake
sudo ssldump -i eth0 port 443
Captures and displays certificate information sent during TLS handshake:
New TCP connection #1: 192.168.1.100(55123) <-> 10.0.0.50(443)
1 1 0.0000 (0.0000) C>S Handshake
ClientHello
1 2 0.0050 (0.0050) S>C Handshake
ServerHello
1 3 0.0051 (0.0001) S>C Certificate
Certificate chain:
Certificate:
Version: 3 (0x2)
Serial Number: 0x1234567890abcdef
Issuer: CN=server.example.com
Subject: CN=server.example.com
Capture Certificate Chain
sudo ssldump port 443 > cert_analysis.log
Save certificate information from the capture to a file for later review.
Analyze Cipher Suites
sudo ssldump -d port 443
Detailed output shows negotiated cipher suites and TLS versions:
ServerHello
version: TLS 1.2 (0x0303)
session_id: <hex>
cipher_suite: ECDHE_RSA_AES_256_GCM_SHA384
compression_method: NULL
Protocol Analysis
Detailed Handshake Decoding
sudo ssldump -d -i eth0 port 443
Shows complete TLS handshake message breakdown:
- ClientHello with supported cipher suites
- ServerHello with chosen cipher
- Certificate exchange
- Key exchange parameters
- Finished messages
Show Encrypted Data Content
sudo ssldump -s 256 port 443
Display first 256 bytes of encrypted application data for analysis.
Record Full Session
sudo ssldump -d port 443 2>&1 | tee session_analysis.txt
Capture both stdout and stderr to file for complete analysis.
Filtering and Display Options
Port-Based Filtering
# HTTPS only
sudo ssldump port 443
# SMTP over SSL (port 465)
sudo ssldump port 465
# IMAP over SSL (port 993)
sudo ssldump port 993
# Multiple ports
sudo ssldump 'port 443 or port 465 or port 993'
Host-Based Filtering
# Specific source
sudo ssldump src 192.168.1.100
# Specific destination
sudo ssldump dst 10.0.0.50
# Subnet
sudo ssldump net 192.168.1.0/24
Combined Filtering
# Specific host on specific port
sudo ssldump host 192.168.1.100 and port 443
# Exclude certain traffic
sudo ssldump 'port 443 and not host 192.168.1.50'
# Complex rules
sudo ssldump '(port 443 or port 465) and host 192.168.1.0/24'
Debugging TLS Issues
Test Server Certificate Configuration
# Connect to server and capture handshake
sudo ssldump host targetserver.com and port 443
Monitor certificate presentation and handshake process.
Analyze Connection Failures
sudo ssldump -d port 443
Detailed output reveals where handshake fails:
ERROR: Alert
Type: Fatal
Description: Certificate Unknown
Verify TLS Version Negotiation
sudo ssldump -d port 443
Check negotiated TLS version in ServerHello:
version: TLS 1.3 (0x0303) # Modern TLS 1.3
version: TLS 1.2 (0x0303) # Older TLS 1.2
version: SSL 3.0 (0x0300) # Deprecated SSL 3.0
Monitor Cipher Suite Selection
sudo ssldump -d port 443 | grep cipher_suite
Verify that the server is selecting strong cipher suites.
Advanced Usage
Capture with tcpdump Integration
# Capture raw packets then analyze with ssldump
sudo tcpdump -i eth0 'tcp port 443' -w capture.pcap
# Later analyze the capture
ssldump -r capture.pcap -d
Combine with Network Diagnostics
# Monitor SSL/TLS while doing connectivity test
sudo ssldump -d port 443 &
DUMP_PID=$!
# Run your test
curl https://example.com
# Stop capture
kill $DUMP_PID
Log Analysis Session
# Capture with timestamps (options go before the filter expression)
sudo ssldump -d port 443 > ssl_session_$(date +%Y%m%d_%H%M%S).log
# Review captured session
tail -100 ssl_session_*.log
Monitor Multiple Services
#!/bin/bash
# Monitor multiple SSL/TLS ports (options go before the filter expression)
sudo ssldump -d '(port 443 or port 465 or port 993 or port 995)' | \
tee multi_service_capture.log
Certificate Extraction
Export Certificate Information
# Capture and analyze
sudo ssldump -d port 443 > cert_details.txt
# Extract certificate from output
grep -A 50 "Certificate:" cert_details.txt
Verify Self-Signed Certificates
# Monitor connection to self-signed server
sudo ssldump host selfsigned.server.local and port 443
Output will show certificate details including:
Self-signed: Yes
Issuer: CN=selfsigned.server.local
Subject: CN=selfsigned.server.local
Check Certificate Validity Period
# Capture shows certificate validity
sudo ssldump -d port 443
# Output includes:
# Not Before: Jan 1 2023
# Not After: Dec 31 2024
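The two checks above (is the certificate self-signed, and is it inside its validity period) can be scripted over saved ssldump output. The following POSIX shell script is an added example, not code from the original page or the ssldump project. It assumes the text layout shown in this page (Issuer:, Subject:, Not Before:, Not After: lines under each Certificate: block); the sample block is constructed, and the field patterns are an assumption to adapt to the output of your ssldump build. A certificate is reported as self-signed when its Issuer equals its Subject, and the validity check is made against a reference date passed as the first argument so the result is reproducible.

```shell
#!/bin/sh
# Added example: audit certificate details from ssldump-style output.
# SAMPLE_CERTS is a constructed block in the layout the page shows; it is not
# real capture data, and the line patterns are an assumption.
SAMPLE_CERTS='Certificate chain:
Certificate:
Version: 3 (0x2)
Serial Number: 0x1234567890abcdef
Issuer: CN=server.example.com
Subject: CN=server.example.com
Not Before: Jan 1 2023
Not After: Dec 31 2024
Certificate:
Version: 3 (0x2)
Serial Number: 0x0fedcba098765432
Issuer: CN=Example Intermediate CA
Subject: CN=www.example.com
Not Before: Mar 15 2024
Not After: Mar 14 2026'

# audit_certificates REF_DATE: read certificate blocks on stdin and print one
# line per certificate. REF_DATE (YYYY-MM-DD) is the "today" used for the
# validity check, so results are reproducible.
audit_certificates() {
  awk -v ref="$1" '
    BEGIN {
      split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
      for (i = 1; i <= 12; i++) mon[m[i]] = i
      gsub("-", "", ref); refnum = ref + 0        # 2025-06-01 -> 20250601
    }
    # Encode "Mon D YYYY" as YYYYMMDD so dates compare numerically.
    function daynum(mname, d, y) { return y * 10000 + mon[mname] * 100 + d }
    # Emit the verdict for the certificate collected so far, if any.
    function flush() {
      if (subj == "") return
      self  = (issuer == subj) ? "yes" : "no"
      expd  = (notafter  == 0) ? "unknown" : (notafter  < refnum ? "yes" : "no")
      early = (notbefore == 0) ? "unknown" : (notbefore > refnum ? "yes" : "no")
      printf "subject=\"%s\" issuer=\"%s\" self_signed=%s expired=%s not_yet_valid=%s\n",
             subj, issuer, self, expd, early
      subj = issuer = ""; notafter = notbefore = 0
    }
    /^Certificate:/  { flush(); next }                  # a new block starts
    /^Issuer:/       { sub(/^Issuer: */, "");  issuer = $0; next }
    /^Subject:/      { sub(/^Subject: */, ""); subj = $0;   next }
    /^Not Before:/   { notbefore = daynum($3, $4, $5); next }
    /^Not After:/    { notafter  = daynum($3, $4, $5); next }
    END { flush() }'
}

# count_self_signed REF_DATE: number of self-signed certificates on stdin.
count_self_signed() {
  audit_certificates "$1" | awk '/self_signed=yes/ { n++ } END { print n + 0 }'
}

# Stand-alone run: audit the constructed sample against 2025-06-01.
# On a real capture: sudo ssldump -d port 443 > cert_details.txt; audit_certificates "$(date +%F)" < cert_details.txt
printf '%s\n' "$SAMPLE_CERTS" | audit_certificates 2025-06-01
```

On the constructed sample the first certificate is reported as self-signed and expired (its Not After of Dec 31 2024 is before the reference date), while the intermediate-issued certificate passes both checks. Leaf certificates whose Issuer happens to equal Subject but that carry a separate CA signature are rare; treating issuer-equals-subject as the self-signed signal is a heuristic, which is why the verdict is printed next to the names rather than applied silently.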
Security Testing Scenarios
Test Client Certificate Authentication
# Monitor mutual TLS (mTLS) handshake
sudo ssldump -d 'host server and port 443'
Will show certificate exchange in both directions.
Verify Perfect Forward Secrecy
sudo ssldump -d port 443
Check cipher suite includes ECDHE or DHE:
cipher_suite: ECDHE_RSA_AES_256_GCM_SHA384
Good - uses ephemeral keys for forward secrecy.
cipher_suite: RSA_AES_256_CBC_SHA
Bad - uses static RSA keys, no forward secrecy.
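The version check (Verify TLS Version Negotiation) and the forward-secrecy check above are easy to miss by eye across many sessions. The following POSIX shell script is an added example, not code from the original page or the ssldump project: it walks ssldump -d output session by session, takes the version and cipher_suite from each ServerHello, and prints one verdict line per connection. The sample output is constructed in the layout this page shows; the cipher-suite naming (ECDHE_/DHE_ prefixes, and TLS_AES_/TLS_CHACHA20 for TLS 1.3 suites, which are always ephemeral) is an assumption to adapt to your ssldump build.

```shell
#!/bin/sh
# Added example: per-session TLS version and forward-secrecy audit over
# ssldump-style output. SAMPLE_SESSIONS is constructed, not real capture data.
SAMPLE_SESSIONS='New TCP connection #1: 192.168.1.100(55123) <-> 10.0.0.50(443)
1 1 0.0000 (0.0000) C>S Handshake
ClientHello
version: TLS 1.2 (0x0303)
1 2 0.0050 (0.0050) S>C Handshake
ServerHello
version: TLS 1.2 (0x0303)
cipher_suite: ECDHE_RSA_AES_256_GCM_SHA384
New TCP connection #2: 192.168.1.100(55124) <-> 10.0.0.51(443)
1 1 0.0000 (0.0000) C>S Handshake
ClientHello
version: TLS 1.2 (0x0303)
1 2 0.0040 (0.0040) S>C Handshake
ServerHello
version: TLS 1.0 (0x0301)
cipher_suite: RSA_AES_256_CBC_SHA
New TCP connection #3: 192.168.1.100(55125) <-> 10.0.0.52(443)
1 1 0.0000 (0.0000) C>S Handshake
ClientHello
version: TLS 1.2 (0x0303)
1 2 0.0030 (0.0030) S>C Handshake
ServerHello
version: TLS 1.2 (0x0303)
cipher_suite: DHE_RSA_AES_128_GCM_SHA256'

# audit_tls_sessions: read ssldump -d output on stdin and print, per session,
# the negotiated version and cipher suite with two verdicts:
#   pfs=yes/no             -> ephemeral (ECDHE/DHE or TLS 1.3) key exchange?
#   deprecated_version=yes -> SSL 3.0, TLS 1.0 or TLS 1.1 was negotiated
# Only the ServerHello is inspected; the ClientHello version is an offer, not
# the result of the negotiation.
audit_tls_sessions() {
  awk '
    /^New TCP connection/ { conn = $4; sub(/:$/, "", conn); server = $7; inhello = 0; next }
    /^ServerHello/        { inhello = 1; next }
    /^ClientHello/        { inhello = 0; next }
    inhello && /^version:/      { ver = $2 " " $3; next }     # e.g. "TLS 1.2"
    inhello && /^cipher_suite:/ {
      cs  = $2
      pfs = (cs ~ /^(ECDHE|DHE)_/ || cs ~ /^TLS_(AES_|CHACHA20)/) ? "yes" : "no"
      old = (ver ~ /^(SSL 3.0|TLS 1.0|TLS 1.1)$/) ? "yes" : "no"
      printf "conn=%s server=%s version=\"%s\" cipher=%s pfs=%s deprecated_version=%s\n",
             conn, server, ver, cs, pfs, old
      inhello = 0
    }'
}

# count_weak_sessions: how many sessions on stdin lack forward secrecy or
# negotiated a deprecated protocol version.
count_weak_sessions() {
  audit_tls_sessions | awk '/pfs=no|deprecated_version=yes/ { n++ } END { print n + 0 }'
}

# Stand-alone run over the constructed sample.
# On a real capture: sudo ssldump -d port 443 > ssl_capture.txt; audit_tls_sessions < ssl_capture.txt
printf '%s\n' "$SAMPLE_SESSIONS" | audit_tls_sessions
```

On the sample, connection #2 is the only one flagged: it negotiated TLS 1.0 with a static-RSA cipher suite, so a later compromise of the server key would expose that session's traffic, which is exactly the "Bad" case described above. The server field is taken from the right-hand side of the New TCP connection line, so the report can be grouped per server with sort and uniq -c as in the automated analysis script further down.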
Analyze Session Resumption
# Make two connections and capture both
sudo ssldump -d port 443
Look for session_id reuse or session ticket in resumed connections.
Performance Considerations
Capture High-Volume Traffic
# Use buffering for high-speed networks
sudo ssldump -B 100000 port 443
Increases internal buffer for less packet loss.
Limit Packet Snapshots
# Limit payload capture to 128 bytes
sudo ssldump -s 128 port 443
Reduces CPU usage when analyzing large volumes.
Integration with Other Tools
Use with Wireshark
# Capture with tcpdump for Wireshark analysis
sudo tcpdump -i eth0 'tcp port 443' -w capture.pcap
# Then open in Wireshark with SSL/TLS dissector
wireshark capture.pcap
# Or analyze with ssldump
ssldump -r capture.pcap -d
Combine with OpenSSL
# Capture traffic while testing with openssl
sudo ssldump port 443 &
DUMP_PID=$!
openssl s_client -connect example.com:443
kill $DUMP_PID
Automated Analysis Script
#!/bin/bash
# Analyze SSL/TLS traffic and generate report
INTERFACE="eth0"
DURATION=60
echo "Starting SSL/TLS capture for ${DURATION} seconds..."
sudo timeout "$DURATION" ssldump -d -i "$INTERFACE" port 443 > ssl_capture.txt
echo "Analysis:"
echo "========="
echo "Total handshakes:"
grep -c "ClientHello" ssl_capture.txt
echo "TLS versions used:"
grep "version:" ssl_capture.txt | sort | uniq -c
echo "Cipher suites negotiated:"
grep "cipher_suite:" ssl_capture.txt | sort | uniq -c
echo "Hosts contacted:"
# Field 7 is the server side of "New TCP connection #N: client(port) <-> server(port)"
grep "New TCP" ssl_capture.txt | awk '{print $7}' | sort | uniq
Troubleshooting
No Traffic Captured
Issue: ssldump shows no output despite SSL traffic occurring.
Solution:
# Verify interface is correct
ip link show
# Try capturing all traffic first
sudo ssldump -i eth0
# Check if port filter is too restrictive
sudo ssldump 'port 443 or port 465'
Permission Denied
Issue: Getting permission error when starting capture.
Solution:
# ssldump requires root or appropriate capabilities
sudo ssldump -i eth0
# Or grant capabilities (if preferred over sudo)
sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/ssldump
Decoding Issues
Issue: Traffic captured but not properly decoded.
Solution:
# Ensure you're using correct TLS version flags
ssldump -r capture.pcap -d
# Check if traffic is actually SSL/TLS
tcpdump -r capture.pcap 'port 443' | head
# Verify with tcpdump first
tcpdump -i eth0 'port 443' -c 10
Best Practices
Security Considerations
| Practice | Reason |
|---|---|
| Use in controlled environments | Avoid privacy violations |
| Document authorization | Ensure proper authorization exists |
| Protect capture files | Contains sensitive protocol data |
| Don’t store decrypted content | Minimize data retention |
| Review legal requirements | Check applicable regulations |
Operational Best Practices
# Include timestamps (read -r keeps backslashes in the output intact)
sudo ssldump port 443 | while IFS= read -r line; do
echo "$(date '+%Y-%m-%d %H:%M:%S') $line"
done
# Rotate large captures
sudo ssldump -r capture.pcap | split -l 1000 - analysis_
# Archive captures
tar czf ssl_captures_$(date +%Y%m%d).tar.gz *.log
References
- Official Project: ssldump SourceForge
- Man Page: man ssldump
- TLS Protocol: RFC 5246 (TLS 1.2), RFC 8446 (TLS 1.3)
- SSL/TLS Analysis: Mozilla SSL Configuration
Quick Reference
# Live capture on HTTPS
sudo ssldump port 443
# Detailed handshake analysis
sudo ssldump -d port 443
# Analyze saved capture
ssldump -r capture.pcap
# Specific host and detailed output
sudo ssldump -d host example.com
# Show encrypted payload (256 bytes)
sudo ssldump -s 256 port 443
# Save analysis to file
sudo ssldump -d port 443 > analysis.log
# Monitor with timestamps
sudo ssldump port 443 | while IFS= read -r l; do echo "$(date) $l"; done