====== Ubuntu - SSL - Dump SSL data in realtime ======

<code bash>
ssldump -a -A -H -i en0
</code>

returns:

<code>
New TCP connection #1: sharewiz.net(32866) <-> 192.168.1.2(8389)
1 1  0.0043 (0.0043)  C>S  SSLv2 compatible client hello
1 2  0.0057 (0.0014)  S>C  Handshake      ServerHello
1 3  0.0057 (0.0000)  S>C  Handshake      Certificate
1 4  0.0057 (0.0000)  S>C  Handshake      ServerHelloDone
1 5  0.0182 (0.0125)  C>S  Handshake      ClientKeyExchange
1 6  0.0182 (0.0000)  C>S  ChangeCipherSpec
1 7  0.0182 (0.0000)  C>S  Handshake
1 8  0.0367 (0.0184)  S>C  ChangeCipherSpec
1 9  0.0367 (0.0000)  S>C  Handshake
1 10 3.2154 (3.1786)  C>S  application_data
1 11 3.2154 (0.0000)  C>S  application_data
1 12 3.4370 (0.2216)  C>S  application_data
1 13 3.4370 (0.0000)  C>S  application_data
1 14 3.4681 (0.0311)  S>C  application_data
1 15 3.4681 (0.0000)  S>C  application_data
2    3.4307 (3.4307)  S>C  TCP FIN
1 16 3.5172 (0.0491)  S>C  Alert
1 17 3.5178 (0.0006)  C>S  Alert
1    3.5180 (0.0001)  C>S  TCP FIN
2    3.4815 (0.0508)  C>S  TCP FIN
1    3.5194 (0.0013)  S>C  TCP FIN
</code>

**NOTE:**

  * **-A** and **-H**: tell ssldump to print all fields and the full SSL record layer headers.
  * **-a**: include TCP connection states, such as SYN, SYN/ACK, ACK, FIN, etc.
  * **C>S**: messages originating from the client.
  * **S>C**: messages originating from the server.

Each record line reads: connection number, record number within that connection (blank on TCP state lines), absolute time in seconds, time since the previous record in parentheses, direction, and the record type. The two ChangeCipherSpec messages followed by the encrypted Finished handshake records mark the end of the handshake; everything after that is application_data, which ssldump cannot show in the clear without the server key.

----

===== Pass a Private Key to ssldump =====

To decrypt communications and dump application data, ssldump needs a copy of the private key of the server you wish to debug. ssldump uses this key to derive the session key that is negotiated between the client and the server and used to encrypt all network communications. This only works for cipher suites that use RSA key exchange, where the client encrypts the pre-master secret with the server's public key; with (EC)DHE suites, which provide forward secrecy, the server's private key does not allow the session key to be recovered, so application data stays encrypted in the dump.

<code bash>
ssldump -a -A -H -k rsa.key -i en0
</code>

returns:

<code>
# connection setup removed...
3.6155 (3.6155)  C>S
---------------------------------------------------------------
GET / HTTP/1.0
---------------------------------------------------------------
2 12 3.8862 (0.2310)  C>SV3.1(32)  application_data
2 13 3.8862 (0.0000)  C>SV3.1(32)  application_data
3.8466 (0.2311)  C>S
---------------------------------------------------------------
---------------------------------------------------------------
3.8777 (0.0310)  S>C
---------------------------------------------------------------
HTTP/1.1 403 Forbidden
Date: Mon, 12 Feb 2016 12:13:14 GMT
Server: Apache/2.0.50
Content-Length: 1
Connection: close
Content-Type: text/html; charset=iso-8859-1
</code>

**NOTE:**

  * ssldump displays the HTTP requests sent to the sharewiz.net web server.
  * ssldump supports Berkeley Packet Filter style filters, allowing you to grab and decode specific communications.

----

Capture SSL communications destined for host peter on TCP port 443:

<code bash>
ssldump -a -A -H -k rsa.key -i en0 host peter and port 443
</code>
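Reading long ssldump traces by hand does not scale, so here is an added example (not part of the original page or of ssldump itself) that parses the record lines in the format shown above into per-connection summaries: how long the handshake took, whether the client sent a legacy SSLv2-compatible hello, whether any Alert records appeared, and whether the handshake never completed. The sample trace is constructed in the same layout as the page's output; the version token (''V3.1(32)'') that -A prints after the direction is handled as optional.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the format ssldump -a -A -H prints (not a real capture)
SAMPLE = """\
New TCP connection #1: sharewiz.net(32866) <-> 192.168.1.2(8389)
1 1  0.0043 (0.0043)  C>S  SSLv2 compatible client hello
1 2  0.0057 (0.0014)  S>C  Handshake      ServerHello
1 3  0.0057 (0.0000)  S>C  Handshake      Certificate
1 4  0.0182 (0.0125)  C>S  Handshake      ClientKeyExchange
1 5  0.0182 (0.0000)  C>S  ChangeCipherSpec
1 6  0.0367 (0.0185)  S>C  ChangeCipherSpec
1 7  3.2154 (3.1787)  C>SV3.1(32)  application_data
1 8  3.4681 (0.2527)  S>CV3.1(32)  application_data
1 9  3.5172 (0.0491)  S>C  Alert
1    3.5180 (0.0008)  C>S  TCP FIN
New TCP connection #2: sharewiz.net(32870) <-> 192.168.1.2(8389)
2 1  0.0050 (0.0050)  C>S  Handshake      ClientHello
2    0.0090 (0.0040)  S>C  TCP FIN
"""
CONN_RE = re.compile(r"^New TCP connection #(\d+): (\S+)\((\d+)\) <-> (\S+)\((\d+)\)")
# conn [seq] time (delta) dir [Vx.y(len)] message; seq is absent on TCP state lines
REC_RE = re.compile(r"^(\d+)\s+(?:\d+\s+)?(\d+\.\d+)\s+\(\d+\.\d+\)\s+"
                    r"([CS]>[CS])\s*(?:V\d+\.\d+\(\d+\))?\s+(.+?)\s*$")

@dataclass
class Conn:
    client: str
    server: str
    records: list = field(default_factory=list)  # (time, direction, message)

def parse(text):
    """Group ssldump trace lines by connection id; other output lines are skipped."""
    conns = {}
    for line in text.splitlines():
        if m := CONN_RE.match(line):
            cid, ch, cp, sh, sp = m.groups()
            conns[int(cid)] = Conn(f"{ch}:{cp}", f"{sh}:{sp}")
        elif m := REC_RE.match(line):
            cid, t, d, msg = m.groups()
            conns[int(cid)].records.append((float(t), d, " ".join(msg.split())))
    return conns

def summarize(conn):
    """Handshake time (None if it never completed), legacy SSLv2 hello, alert count."""
    recs = conn.records
    hello = next((t for t, _, m in recs if "clienthello" in m.lower().replace(" ", "")), None)
    done = next((t for t, d, m in recs if d == "S>C" and m == "ChangeCipherSpec"), None)
    return {"handshake_secs": None if hello is None or done is None else round(done - hello, 4),
            "sslv2_compat_hello": any(m.startswith("SSLv2") for _, _, m in recs),
            "alerts": sum(m == "Alert" for _, _, m in recs)}
```

Connection #2 in the sample shows the failure mode: the server closes the TCP session before answering the ClientHello, so the summary reports no handshake time at all rather than a misleading number.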