WARNING: THIS CODE IS NOT BEING MAINTAINED. ANY USE OF THIS CODE IS AS-IS WITH FULL ASSUMPTION OF ALL RISK THAT MAY EXIST OR ARISE.

ssldump home page

ssldump is an SSLv3/TLS network protocol analyzer. It identifies TCP connections on the chosen network interface and attempts to interpret them as SSLv3/TLS traffic. When it identifies SSLv3/TLS traffic, it decodes the records and displays them in a textual form to stdout. If provided with the appropriate keying material, it will also decrypt the connections and display the application data traffic.

ssldump 0.9b3

The current version is 0.9b3

ssldump 0.9b3 contains a number of fixes and enhancements over 0.9b2, including.

Security fix: some potential over and underflows
Added support for VLANs.
Added -P flag to disable promiscuous mode.
A lot of bug fixes.

See the ChangeLog for a more complete list of changes.

Security Note

version 0.9b3 fixes two security problems with protocol decoding. If you run ssldump in an environment where an attacker might be able to send you network packets, you should upgrade immediately.

Dependencies

ssldump depends on the libpcap packet capture library. Some systems (e.g. FreeBSD) now have libpcap as part of their standard install. On other systems, you will need to install it. You can obtain the distribution from http://www.tcpdump.org.

If linked with OpenSSL, ssldump can display certificates in decoded form and decrypt traffic (provided that it has the appropriate keying material). Again, OpenSSL may be installed on your system. Otherwise you can obtain it from http://www.openssl.org

Downloading

The distribution is available from sourceforge here

The CVS tree, containing the latest source (probably unstable) is available here, courtesy of

Compatibility

ssldump is known to work on FreeBSD, Linux, Solaris, and HP/UX but should work on any platform with pcap. If you encounter problems, please report them. The Windows port is new as of this release and so it has received only modest testing.

Documentation

Some documentation can be found here.

Sample Output

Here's an example trace generated by ssldump.

New TCP connection #3: localhost(3638) <-> localhost(4433)
3 1  0.0738 (0.0738)  C>S  Handshake      ClientHello
3 2  0.0743 (0.0004)  S>C  Handshake      ServerHello
3 3  0.0743 (0.0000)  S>C  Handshake      Certificate
3 4  0.0743 (0.0000)  S>C  Handshake      ServerHelloDone
3 5  0.0866 (0.0123)  C>S  Handshake      ClientKeyExchange
3 6  0.0866 (0.0000)  C>S  ChangeCipherSpec
3 7  0.0866 (0.0000)  C>S  Handshake      Finished
3 8  0.0909 (0.0043)  S>C  ChangeCipherSpec
3 9  0.0909 (0.0000)  S>C  Handshake      Finished
3 10 1.8652 (1.7742)  C>S  application_data
3 11 2.7539 (0.8887)  C>S  application_data
3 12 5.1861 (2.4321)  C>S  Alert          warning          close_notify
3    5.1868 (0.0007)  C>S  TCP FIN
3    5.1893 (0.0024)  S>C  TCP FIN

This example uses the flags for minimal decoding. ssldump has flags to allow decoding of all messages, including printing the application protocol data.

PGP Signature.

Here is a PGP signature over the latest version of ssldump.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQA9f3tv3n8ERpUIz6cRArxkAJwOde/y39HRzo0aqcQhd1+t62cSwACdH5R9
NJxutYXV724xc4N0O7UT9Y4=
=SHz4
-----END PGP SIGNATURE-----

My key fingerprint is:

465E 8A2B 9258 E9CA CE65  1DC3 DE7F 0446 9508 CFA7

Shameless Plug

Extremely detailed coverage of SSL/TLS can be found in

SSL and TLS: Designing and Building Secure Systems
Eric Rescorla
Addison-Wesley, 2001
ISBN 0-201-61598-3

SSL and TLS makes extensive use of ssldump to demonstrate real-life SSL behavior. If you like ssldump and want to learn about SSL, you might consider buying my book.