Ubuntu - SSL - Dump SSL data in realtime

ssldump -a -A -H -i en0

returns:

New TCP connection #1: sharewiz.net(32866) <-> 192.168.1.2(8389)
1 1  0.0043 (0.0043)  C>S SSLv2 compatible client hello
1 2  0.0057 (0.0014)  S>C  Handshake  
      ServerHello
1 3  0.0057 (0.0000)  S>C  Handshake
      Certificate
1 4  0.0057 (0.0000)  S>C  Handshake
      ServerHelloDone
1 5  0.0182 (0.0125)  C>S  Handshake
      ClientKeyExchange
1 6  0.0182 (0.0000)  C>S  ChangeCipherSpec
1 7  0.0182 (0.0000)  C>S  Handshake
1 8  0.0367 (0.0184)  S>C  ChangeCipherSpec
1 9  0.0367 (0.0000)  S>C  Handshake
1 10 3.2154 (3.1786)  C>S  application_data
1 11 3.2154 (0.0000)  C>S  application_data
1 12 3.4370 (0.2216)  C>S  application_data
1 13 3.4370 (0.0000)  C>S  application_data
1 14 3.4681 (0.0311)  S>C  application_data
1 15 3.4681 (0.0000)  S>C  application_data
2    3.4307 (3.4307)  S>C  TCP FIN
1 16 3.5172 (0.0491)  S>C  Alert
1 17 3.5178 (0.0006)  C>S  Alert
1    3.5180 (0.0001)  C>S  TCP FIN
2    3.4815 (0.0508)  C>S  TCP FIN
1    3.5194 (0.0013)  S>C  TCP FIN

NOTE:

  • -A and -H: tell ssldump to print all record fields and the full SSL record-layer headers.
  • -a: include TCP connection events (SYN, SYN/ACK, ACK, FIN, etc.) in the output.
  • C>S: records sent from the client to the server.
  • S>C: records sent from the server to the client.
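As an added example (not part of the original page and not code from the ssldump project), the following POSIX shell function post-processes ssldump's per-record output, the format explained in the notes above, with awk. It embeds the capture shown above as its sample input and reports, per connection, when the first application_data record appeared (i.e. when the handshake finished), how many application-data records went each way, how many Alert records were seen, and whether the client sent an SSLv2-compatible hello, which is worth flagging on a modern network. The function names and the output field names are my own choices.

```shell
#!/bin/sh
# Added example (not part of ssldump or the original page): summarise ssldump's
# record-level output with awk. The sample below is the capture shown on the
# page, embedded as a string so the script runs offline without a live interface.

SAMPLE='New TCP connection #1: sharewiz.net(32866) <-> 192.168.1.2(8389)
1 1  0.0043 (0.0043)  C>S SSLv2 compatible client hello
1 2  0.0057 (0.0014)  S>C  Handshake
      ServerHello
1 3  0.0057 (0.0000)  S>C  Handshake
      Certificate
1 4  0.0057 (0.0000)  S>C  Handshake
      ServerHelloDone
1 5  0.0182 (0.0125)  C>S  Handshake
      ClientKeyExchange
1 6  0.0182 (0.0000)  C>S  ChangeCipherSpec
1 7  0.0182 (0.0000)  C>S  Handshake
1 8  0.0367 (0.0184)  S>C  ChangeCipherSpec
1 9  0.0367 (0.0000)  S>C  Handshake
1 10 3.2154 (3.1786)  C>S  application_data
1 11 3.2154 (0.0000)  C>S  application_data
1 12 3.4370 (0.2216)  C>S  application_data
1 13 3.4370 (0.0000)  C>S  application_data
1 14 3.4681 (0.0311)  S>C  application_data
1 15 3.4681 (0.0000)  S>C  application_data
2    3.4307 (3.4307)  S>C  TCP FIN
1 16 3.5172 (0.0491)  S>C  Alert
1 17 3.5178 (0.0006)  C>S  Alert
1    3.5180 (0.0001)  C>S  TCP FIN
2    3.4815 (0.0508)  C>S  TCP FIN
1    3.5194 (0.0013)  S>C  TCP FIN'

# ssldump_summary: read ssldump output on stdin and print one line per
# connection. Record lines look like
#   <conn> <seq> <time> (<delta>) <dir> <type>
# where <dir> is "C>S" or "S>C" (or "C>SV3.1(32)" when ssldump runs with -k),
# so only its first three characters are used. TCP-event lines (no <seq>) and
# the indented handshake detail lines are skipped by the regex.
ssldump_summary() {
  awk '
    /^[0-9]+ [0-9]+ / {
      conn = $1; dir = substr($5, 1, 3); type = $6
      if (!(conn in start)) start[conn] = $3          # time of the first record (ClientHello)
      records[conn]++
      if (type == "application_data") {
        if (!(conn in first_app)) first_app[conn] = $3 # handshake finished by this point
        if (dir == "C>S") c2s[conn]++; else s2c[conn]++
      }
      if (type == "Alert") alerts[conn]++
      if ($0 ~ /SSLv2 compatible client hello/) sslv2[conn] = 1
    }
    END {
      for (c in records) {
        fa = (c in first_app) ? first_app[c] : "none"
        hs = (c in first_app) ? sprintf("%.4f", first_app[c] - start[c]) : "none"
        printf "conn=%s records=%d first_appdata=%s handshake_secs=%s appdata_c2s=%d appdata_s2c=%d alerts=%d sslv2_hello=%s\n",
          c, records[c], fa, hs, c2s[c] + 0, s2c[c] + 0, alerts[c] + 0, (c in sslv2) ? "yes" : "no"
      }
    }' | sort
}

# summarize_sample: run the summary over the embedded capture above.
summarize_sample() {
  printf '%s\n' "$SAMPLE" | ssldump_summary
}

summarize_sample
```

To use it on a live capture, pipe ssldump into the function instead of the embedded sample: `ssldump -a -A -H -i en0 | ssldump_summary`. The per-connection handshake time and alert count are the figures most useful when comparing a slow or failing client against a healthy one.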

Pass a Private Key to ssldump

To decrypt communications and dump application data, ssldump will need a copy of the private key from the server you wish to debug.

ssldump uses this key to derive the session key negotiated between the client and the server, which encrypts all subsequent traffic. This only works when the session uses RSA key exchange, where the client encrypts the pre-master secret to the server's public key; with ephemeral Diffie-Hellman (DHE/ECDHE) cipher suites, which provide forward secrecy, the server's private key does not recover the session key and ssldump cannot decrypt the traffic.

ssldump -a -A -H -k rsa.key -i en0

returns:

# connection setup removed...

3.6155 (3.6155)  C>S
---------------------------------------------------------------
GET / HTTP/1.0
---------------------------------------------------------------

2 12 3.8862 (0.2310)  C>SV3.1(32)  application_data
2 13 3.8862 (0.0000)  C>SV3.1(32)  application_data
3.8466 (0.2311)  C>S
---------------------------------------------------------------

---------------------------------------------------------------

3.8777 (0.0310)  S>C
---------------------------------------------------------------
HTTP/1.1 403 Forbidden
Date: Mon, 12 Feb 2016 12:13:14 GMT
Server: Apache/2.0.50
Content-Length: 1
Connection: close
Content-Type: text/html; charset=iso-8859-1

NOTE: ssldump now displays the decrypted HTTP request sent to the sharewiz.net web server and the server's response.

  • ssldump supports Berkeley Packet Filter (BPF) expressions, using the same filter syntax as tcpdump, so you can capture and decode only the communications you are interested in.

Capture SSL communications destined for host peter on TCP port 443:

ssldump -a -A -H -k rsa.key -i en0 host peter and port 443