bcc-sslsniff man page

sslsniff - Print data passed to OpenSSL, GnuTLS or NSS. Uses Linux eBPF/bcc.

Synopsis

sslsniff [-h] [-p PID] [-c COMM] [-o] [-g] [-n] [-d]

Description

sslsniff prints data sent to write/send and read/recv functions of OpenSSL, GnuTLS and NSS, allowing us to read plain text content before encryption (when writing) and after decryption (when reading).

This works by reading the second parameter of both functions (*buf).

Since this uses BPF, only the root user can use this tool.

Requirements

CONFIG_BPF and bcc.

Examples

Print all calls to SSL write/send and read/recv system-wide:

# sslsniff

Fields

FUNC

Which function is being called (write/send or read/recv)

TIME

Time of the command, in seconds.

COMM

Entered command.

PID

Process ID calling SSL.

LEN

Bytes written or read by SSL functions.
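
An added example, not part of bcc: a parser for saved sslsniff output that totals LEN per (COMM, PID) and direction, for reviewing which processes moved data through the traced libraries. The column layout and the "----- DATA -----" / "----- END DATA -----" payload markers are assumptions about the tool's output, and the sample text is constructed.

```python
import re
from collections import defaultdict

# Constructed sample. Layout is an assumption: one header line per call with
# the fields above (FUNC TIME COMM PID LEN), then the payload between markers.
SAMPLE = """\
FUNC         TIME(s)            COMM             PID    LEN
WRITE/SEND   0.000000000        curl             12915  75
----- DATA -----
GET / HTTP/1.1
Host: example.com
----- END DATA -----
READ/RECV    0.127144585        curl             12915  333
----- DATA -----
HTTP/1.1 200 OK
----- END DATA -----
"""

# COMM may contain spaces, so it is matched lazily before the two integers.
HEADER = re.compile(r"^(WRITE/SEND|READ/RECV)\s+(\d+\.\d+)\s+(.+?)\s+(\d+)\s+(\d+)\s*$")

def parse_records(text):
    """Return one dict per call; header-like lines inside a payload are ignored."""
    records, current, in_data = [], None, False
    for line in text.splitlines():
        if in_data:
            if line.startswith("----- END DATA"):
                in_data = False
                current["data"] = "\n".join(current["data"])
                records.append(current)
                current = None
            else:
                current["data"].append(line)
        elif line.startswith("----- DATA"):
            in_data = current is not None  # skip payloads with no header
        else:
            m = HEADER.match(line)
            if m:
                func, t, comm, pid, length = m.groups()
                current = {"func": func, "time": float(t), "comm": comm,
                           "pid": int(pid), "len": int(length), "data": []}
    return records

def bytes_per_process(records):
    """Sum LEN per (COMM, PID), split by direction."""
    totals = defaultdict(lambda: {"WRITE/SEND": 0, "READ/RECV": 0})
    for r in records:
        totals[(r["comm"], r["pid"])][r["func"]] += r["len"]
    return dict(totals)
```
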

Source

This is from bcc.

https://github.com/iovisor/bcc

Also look in the bcc distribution for a companion _examples.txt file containing example usage, output, and commentary for this tool.

OS

Linux

Stability

Unstable - in development.

Authors

Adrian Lopez and Mark Drayton

See Also

trace(8)

Info

2016-08-16 USER COMMANDS