sslsniff(8)                 System Manager's Manual                sslsniff(8)

NAME

       sslsniff - Print data passed to OpenSSL, GnuTLS or NSS. Uses Linux
       eBPF/bcc.

SYNOPSIS

       sslsniff [-h] [-p PID] [-u UID] [-x] [-c COMM] [-o] [-g] [-n] [-d]
       [--hexdump] [--max-buffer-size SIZE]

DESCRIPTION

       sslsniff prints data sent to write/send and read/recv functions of
       OpenSSL, GnuTLS and NSS, allowing us to read plain text content before
       encryption (when writing) and after decryption (when reading).

       This works by reading the second parameter of both functions (*buf).

       Since this uses BPF, only the root user can use this tool.

REQUIREMENTS

       CONFIG_BPF and bcc.

OPTIONS

       -h     Print usage message.

       -p PID Trace only functions in this process PID.

       -u UID Trace only calls made by this UID.

       -x     Show extra fields: UID and TID.

       -c COMM
              Show only processes that match this COMM exactly.

       -o, --no-openssl
              Do not trace OpenSSL functions.

       -g, --no-gnutls
              Do not trace GnuTLS functions.

       -n, --no-nss
              Do not trace NSS functions.

       --hexdump
              Show data as hexdump instead of trying to decode it as UTF-8.

       --max-buffer-size SIZE
              Sets the maximum buffer size of intercepted data. Longer values
              are truncated. Default value is 8 Kib, maximum possible
              value is a bit less than 32 Kib.

EXAMPLES

       Print all calls to SSL write/send and read/recv system-wide:
              # sslsniff

       Print only OpenSSL calls issued by user with UID 1000:
              # sslsniff -u 1000 --no-nss --no-gnutls

FIELDS

       FUNC   Which function is being called (write/send or read/recv).

       TIME   Time of the command, in seconds.

       COMM   Entered command.

       PID    Process ID calling SSL.

       LEN    Bytes written or read by SSL functions.

       UID    UID of the process, displayed only if launched with -x.

       TID    Thread ID, displayed only if launched with -x.

SOURCE

       This is from bcc.

              https://github.com/iovisor/bcc

       Also look in the bcc distribution for a companion _examples.txt file
       containing example usage, output, and commentary for this tool.

OS

       Linux

STABILITY

       Unstable - in development.

AUTHORS

       Adrian Lopez and Mark Drayton

SEE ALSO

       trace(8)

USER COMMANDS                     2016-08-16                       sslsniff(8)