Ubuntu - SSL - Dump SSL data in realtime
ssldump -a -A -H -i en0
returns:
New TCP connection #1: sharewiz.net(32866) <-> 192.168.1.2(8389)
1 1  0.0043 (0.0043)  C>S  SSLv2 compatible client hello
1 2  0.0057 (0.0014)  S>C  Handshake      ServerHello
1 3  0.0057 (0.0000)  S>C  Handshake      Certificate
1 4  0.0057 (0.0000)  S>C  Handshake      ServerHelloDone
1 5  0.0182 (0.0125)  C>S  Handshake      ClientKeyExchange
1 6  0.0182 (0.0000)  C>S  ChangeCipherSpec
1 7  0.0182 (0.0000)  C>S  Handshake
1 8  0.0367 (0.0184)  S>C  ChangeCipherSpec
1 9  0.0367 (0.0000)  S>C  Handshake
1 10 3.2154 (3.1786)  C>S  application_data
1 11 3.2154 (0.0000)  C>S  application_data
1 12 3.4370 (0.2216)  C>S  application_data
1 13 3.4370 (0.0000)  C>S  application_data
1 14 3.4681 (0.0311)  S>C  application_data
1 15 3.4681 (0.0000)  S>C  application_data
2    3.4307 (3.4307)  S>C  TCP FIN
1 16 3.5172 (0.0491)  S>C  Alert
1 17 3.5178 (0.0006)  C>S  Alert
1    3.5180 (0.0001)  C>S  TCP FIN
2    3.4815 (0.0508)  C>S  TCP FIN
1    3.5194 (0.0013)  S>C  TCP FIN
NOTE:
- The -A and -H options tell ssldump to print all record fields and the full SSL record-layer headers.
- -a: Include TCP connection states such as SYN, SYN/ACK, ACK and FIN in the output.
- C>S: Messages originating from the client.
- S>C: Messages originating from the server.
Pass a Private Key to ssldump
To decrypt communications and dump the application data, ssldump needs a copy of the private key of the server you wish to debug.
ssldump uses this key to recover the session key negotiated between the client and the server, which encrypts all subsequent traffic on the connection. This only works when the session uses RSA key exchange; with (EC)DHE cipher suites the session key is never sent encrypted under the server's key, so the private key alone is not enough to decrypt the traffic.
ssldump -a -A -H -k rsa.key -i en0
returns:
# connection setup removed...
    3.6155 (3.6155)  C>S
---------------------------------------------------------------
GET / HTTP/1.0
---------------------------------------------------------------
2 12 3.8862 (0.2310)  C>SV3.1(32)  application_data
2 13 3.8862 (0.0000)  C>SV3.1(32)  application_data
    3.8466 (0.2311)  C>S
---------------------------------------------------------------
---------------------------------------------------------------
    3.8777 (0.0310)  S>C
---------------------------------------------------------------
HTTP/1.1 403 Forbidden
Date: Mon, 12 Feb 2016 12:13:14 GMT
Server: Apache/2.0.50
Content-Length: 1
Connection: close
Content-Type: text/html; charset=iso-8859-1
NOTE: ssldump now displays the decrypted HTTP request sent to the sharewiz.net web server and the response the server returned.
- ssldump accepts Berkeley Packet Filter (BPF) expressions in the same syntax as tcpdump, so you can capture and decode only the traffic you are interested in.
Capture SSL communications destined for host peter on TCP port 443:
ssldump -a -A -H -k rsa.key -i en0 host peter and port 443
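The record-layer summary lines shown above are easy to post-process. The following is an added example (not code from the original page or from the ssldump project) that parses that text into a per-connection summary so a capture can be checked for legacy SSLv2-compatible client hellos, alerts and record counts; the sample input is a constructed subset of connection #1 from the output above.

```python
# Added example: parse the record-layer summary lines ssldump prints with
# -a -A -H into a per-connection summary (legacy hellos, alerts, record counts).
import re
from collections import defaultdict

# "1 3  0.0057 (0.0000)  S>C  Handshake  Certificate"   conn seq time (delta) dir msg
# "2    3.4307 (3.4307)  S>C  TCP FIN"  bare TCP event from -a: no record seq number
RECORD_RE = re.compile(
    r"^(?P<conn>\d+)\s+(?:(?P<seq>\d+)\s+)?(?P<t>\d+\.\d+)\s+\((?P<dt>\d+\.\d+)\)\s+"
    r"(?P<dir>[CS]>[CS])\s*(?:V\d\.\d\(\d+\))?\s+(?P<msg>.+?)\s*$")  # V3.1(32) appears with -k
CONN_RE = re.compile(r"^New TCP connection #(?P<conn>\d+): (?P<client>\S+) <-> (?P<server>\S+)")

def parse_ssldump(text):
    """Return {conn_id: summary} for every connection in ssldump's text output."""
    conns = defaultdict(lambda: {"records": 0, "app_data": 0, "alerts": [],
                                 "handshake": [], "sslv2_hello": False, "tcp_fin": 0})
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns[int(m["conn"])].update(client=m["client"], server=m["server"])
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue  # separator rules, decrypted payload and other chatter
        c, msg = conns[int(m["conn"])], m["msg"]
        if msg == "TCP FIN":
            c["tcp_fin"] += 1
            continue
        c["records"] += 1
        if msg == "application_data":
            c["app_data"] += 1
        elif msg.startswith("Alert"):
            c["alerts"].append(m["dir"])
        elif msg.startswith("Handshake"):  # a bare "Handshake" is the encrypted Finished
            c["handshake"].append(msg.split(None, 1)[1] if " " in msg else "(encrypted)")
        elif "SSLv2" in msg and "client hello" in msg:
            c["sslv2_hello"] = True
    return dict(conns)

# Constructed sample input: a subset of connection #1 from the page's own output above.
SAMPLE = """New TCP connection #1: sharewiz.net(32866) <-> 192.168.1.2(8389)
1 1  0.0043 (0.0043)  C>S  SSLv2 compatible client hello
1 2  0.0057 (0.0014)  S>C  Handshake      ServerHello
1 5  0.0182 (0.0125)  C>S  Handshake      ClientKeyExchange
1 7  0.0182 (0.0000)  C>S  Handshake
1 10 3.2154 (3.1786)  C>S  application_data
2    3.4307 (3.4307)  S>C  TCP FIN
1 16 3.5172 (0.0491)  S>C  Alert
1    3.5180 (0.0001)  C>S  TCP FIN
"""
```

Feed it the saved output of the commands above (for example `parse_ssldump(open("capture.txt").read())`) and inspect any connection whose `sslv2_hello` flag is set.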
ubuntu/ssl/dump_ssl_data_in_realtime.txt · Last modified: 2021/02/02 12:16 by peter