bcc-sslsniff man page
sslsniff — Print data passed to OpenSSL, GnuTLS or NSS. Uses Linux eBPF/bcc.
sslsniff [-h] [-p PID] [-c COMM] [-o] [-g] [-n] [-d]
sslsniff prints data sent to write/send and read/recv functions of OpenSSL, GnuTLS and NSS, allowing us to read plain text content before encryption (when writing) and after decryption (when reading).
This works reading the second parameter of both functions (*buf).
Since this uses BPF, only the root user can use this tool.
CONFIG_BPF and bcc.
- Print all calls to SSL write/send and read/recv system-wide:
Which function is being called (write/send or read/recv)
Time of the command, in seconds.
Process ID calling SSL.
Bytes written or read by SSL functions.
This is from bcc.
Also look in the bcc distribution for a companion _examples.txt file containing example usage, output, and commentary for this tool.
Unstable - in development.
Adrian Lopez and Mark Drayton