sslsniff(8)                 System Manager's Manual                sslsniff(8)

NAME

       sslsniff - Print data passed to OpenSSL, GnuTLS or NSS. Uses Linux
       eBPF/bcc.

SYNOPSIS

       sslsniff [-h] [-p PID] [-u UID] [-x] [-c COMM] [-o] [-g] [-n] [-d]
       [--hexdump] [--max-buffer-size SIZE] [-l] [--handshake] [--extra-lib
       EXTRA_LIB]

DESCRIPTION

       sslsniff prints data sent to write/send and read/recv functions of
       OpenSSL, GnuTLS and NSS, allowing us to read plain text content before
       encryption (when writing) and after decryption (when reading).

       This works by reading the second parameter of both functions (*buf).

       Since this uses BPF, only the root user can use this tool.

REQUIREMENTS

       CONFIG_BPF and bcc.

OPTIONS

       -h     Print usage message.

       -p PID Trace only functions in this process PID.

       -u UID Trace only calls made by this UID.

       -x     Show extra fields: UID and TID.

       -c COMM
              Show only processes that match this COMM exactly.

       -o, --no-openssl
              Do not trace OpenSSL functions.

       -g, --no-gnutls
              Do not trace GnuTLS functions.

       -n, --no-nss
              Do not trace NSS functions.

       --hexdump
              Show data as hexdump instead of trying to decode it as UTF-8.

       --max-buffer-size SIZE
              Set the maximum buffer size of intercepted data. Longer data
              is truncated. Default value is 8 KiB, maximum possible value
              is a bit less than 32 KiB.

       -l, --latency
              Show function latency in ms.

       --handshake
              Show handshake latency, enabled only if latency option is on.

       --extra-lib EXTRA_LIB
              Consists of the library type and the library path, separated
              by a colon. Supported library types are: openssl, gnutls, nss.
              Can be specified multiple times.

EXAMPLES

       Print all calls to SSL write/send and read/recv system-wide:
              # sslsniff

       Print only OpenSSL calls issued by user with UID 1000:
              # sslsniff -u 1000 --no-nss --no-gnutls

       Print SSL handshake event and latency for all traced functions:
              # sslsniff -l --handshake

       Print only calls to OpenSSL from /some/path/libssl.so:
              # sslsniff --no-openssl --no-gnutls --no-nss --extra-lib
              openssl:/some/path/libssl.so

FIELDS

       FUNC   Which function is being called (write/send or read/recv)

       TIME   Time of the command, in seconds.

       COMM   Entered command.

       PID    Process ID calling SSL.

       LEN    Bytes written or read by SSL functions.

       UID    UID of the process, displayed only if launched with -x.

       TID    Thread ID, displayed only if launched with -x.

       LAT(ms)
              Function latency in ms.
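
An added example (not part of this manual page or of the bcc distribution): a Python post-processor that splits saved sslsniff output into records using the FIELDS columns, redacts credential-bearing HTTP headers before the capture is stored, and reports records cut short by --max-buffer-size. The record layout (header row, DATA markers, truncation notice) and the sample capture are assumptions constructed for the example, for the default columns without -x or -l; parse() and its dictionary keys are hypothetical names.

```python
import re

# Constructed, abbreviated sample capture; the layout is an assumption.
SAMPLE = """\
FUNC         TIME(s)            COMM             PID     LEN
WRITE/SEND   0.000000000        curl             12915   118
----- DATA -----
GET /api/v1/items HTTP/1.1
Host: example.test
Authorization: Bearer CONSTRUCTED-TOKEN-123
Cookie: session=CONSTRUCTED-COOKIE

----- END DATA -----
READ/RECV    0.127144585        curl             12915   9000
----- DATA -----
HTTP/1.1 200 OK
Set-Cookie: session=CONSTRUCTED-NEW
----- END DATA (TRUNCATED, 808 bytes lost) -----
"""

# FUNC TIME COMM PID LEN; COMM may contain spaces, so match it lazily.
HEADER = re.compile(r"^(READ/RECV|WRITE/SEND)\s+(\d+\.\d+)\s+(.+?)\s+(\d+)\s+(\d+)\s*$")
END = re.compile(r"^----- END DATA(?: \(TRUNCATED, (\d+) bytes lost\))? -----$")
# Header lines whose values are credentials and must not reach stored logs.
SECRET = re.compile(r"^(Authorization|Proxy-Authorization|Cookie|Set-Cookie):.*$",
                    re.I | re.M)

def parse(text):
    """Return one dict per captured call, with secrets redacted."""
    records, cur, in_data = [], None, False
    for line in text.splitlines():
        if in_data:
            m = END.match(line)
            if m:
                cur["lost"] = int(m.group(1) or 0)  # bytes beyond the buffer
                cur["data"] = SECRET.sub(r"\1: [REDACTED]", "\n".join(cur["data"]))
                records.append(cur)
                cur, in_data = None, False
            else:
                cur["data"].append(line)
        elif line == "----- DATA -----" and cur is not None:
            in_data = True
        else:
            m = HEADER.match(line)
            if m:
                func, t, comm, pid, length = m.groups()
                cur = {"func": func, "time": float(t), "comm": comm,
                       "pid": int(pid), "len": int(length), "data": []}
    return records
```

The payload between the markers is controlled by the peer or the traced process, so a payload line that imitates the end marker closes a record early; treat the parsed records as untrusted input.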

SOURCE

       This is from bcc.

              https://github.com/iovisor/bcc

       Also look in the bcc distribution for a companion _examples.txt file
       containing example usage, output, and commentary for this tool.

OS

       Linux

STABILITY

       Unstable - in development.

AUTHORS

       Adrian Lopez and Mark Drayton

SEE ALSO

       trace(8)



USER COMMANDS                     2016-08-16                       sslsniff(8)