SSLDUMP - Examples

From IT-Arts.net

Basic Usage

The basic syntax of the `ssldump` command is as follows:

ssldump [options] [host] [port]

Here:

  • `host` specifies the target host.
  • `port` specifies the target port (default is 443 for HTTPS).

Commonly Used Options

  • `-i <interface>`: Specifies the network interface to capture packets from (e.g., `eth0`, `wlan0`).
  • `-A`: Print all available SSL/TLS protocol messages.
  • `-d`: Enable the display of decoded packets.
  • `-r <file>`: Read traffic from a file instead of live capture.
  • `-v`: Increase verbosity, providing more details about the handshake and packet exchanges.

Example: Capture and Decode SSL Traffic

To capture and decode SSL traffic on the default HTTPS port (443) for a specific host, you can use the following command:

ssldump -i eth0 -A host example.com

This command captures packets on the `eth0` interface, decodes SSL traffic, and displays all available protocol messages exchanged between the client and server for the host `example.com`.

Example: Reading from a Packet Capture File

You can also read SSL/TLS traffic from a previously captured pcap file (e.g., one captured with `tcpdump` or Wireshark) and analyze it using `ssldump`. The following command reads from the file `capture.pcap`:

ssldump -r capture.pcap -A

This command processes the capture file `capture.pcap` and displays the SSL/TLS protocol messages.

Example: Filter SSL Traffic by Host and Port

To filter the SSL/TLS traffic by a specific host and port, you can use the following command:

ssldump -i eth0 -A host example.com and port 443

This command captures SSL/TLS traffic between the host `example.com` and port `443`.

Example: Displaying Detailed SSL Handshake

For detailed analysis of the SSL/TLS handshake, including the cipher suites used, certificates exchanged, and session establishment, you can use the `-d` option:

ssldump -i eth0 -d host example.com

This will display decoded SSL/TLS handshake messages and provide details such as certificate information, session keys, and cipher suites negotiated during the handshake.

Example: Increase Verbosity

To increase the verbosity and show more detailed protocol information, use the `-v` option:

ssldump -i eth0 -v host example.com

This command provides a more verbose output of SSL/TLS packets, including details on handshakes, alerts, and encrypted payloads.

Example: Monitoring SSL/TLS Session with Specific Server Certificate

To filter SSL/TLS sessions by a specific server certificate, you can use the `-c` option, which filters traffic by the certificate's Common Name (CN):

ssldump -i eth0 -A -c "example.com"

This command captures and decrypts SSL/TLS traffic involving a server whose certificate has the CN `example.com`.

Example: Saving Output to a File

To save the output of the `ssldump` command to a file, you can redirect the output using `>`:

ssldump -i eth0 -A host example.com > output.txt

This command will capture SSL/TLS traffic for `example.com` and save the decoded messages to the file `output.txt`.
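Once the decoded output is saved to a file as above, it can be parsed offline to inventory what each connection negotiated and which sessions fell back to a legacy protocol version. The following Python is an added example, not code from the page or from the `ssldump` project; `SAMPLE_OUTPUT` is a constructed fragment imitating ssldump's text layout (record header lines, the ServerHello `Version` and `cipherSuite` fields, Alert `value` lines), so the regexes are assumptions that may need adjusting for the exact layout your `ssldump` version prints.

```python
import re
from collections import defaultdict

# Constructed sample of saved ssldump output (two connections); not a real capture.
SAMPLE_OUTPUT = """\
New TCP connection #1: 10.0.0.5(51234) <-> 93.184.216.34(443)
1 1  0.0105 (0.0105)  C>S  Handshake
      ClientHello
        Version 3.3
1 2  0.0325 (0.0220)  S>C  Handshake
      ServerHello
        Version 3.3
        cipherSuite         TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
New TCP connection #2: 10.0.0.5(51240) <-> 198.51.100.7(443)
2 1  0.0200 (0.0200)  S>C  Handshake
      ServerHello
        Version 3.1
        cipherSuite         TLS_RSA_WITH_RC4_128_SHA
2 2  0.0900 (0.0700)  C>S  Alert
    value           close_notify
"""
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLS1.0", (3, 2): "TLS1.1", (3, 3): "TLS1.2", (3, 4): "TLS1.3"}
LEGACY = {"SSLv3", "TLS1.0", "TLS1.1"}  # versions a defender would want flagged
RECORD_RE = re.compile(r"^(\d+)\s+(?:\d+\s+)?[\d.]+\s+\([\d.]+\)\s+[CS]>[CS]\s+(\w+)")

def parse_ssldump(text):
    """Summarise each connection: negotiated version, cipher suite and alerts seen."""
    conns = defaultdict(lambda: {"version": None, "cipher": None, "alerts": []})
    conn = rec_type = hs_msg = None
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:  # record header: "<conn> <rec> <time> (<delta>) <dir> <type>"
            conn, rec_type, hs_msg = int(m[1]), m[2], None
        elif rec_type == "Handshake" and re.match(r"^ {6}\w+$", line):
            hs_msg = line.strip()  # handshake message name, e.g. ServerHello
        elif hs_msg == "ServerHello":  # only the server's choice matters here
            v = re.match(r"^\s+Version (\d+)\.(\d+)", line)
            c = re.match(r"^\s+cipherSuite\s+(\S+)", line)
            if v:
                conns[conn]["version"] = VERSION_NAMES.get((int(v[1]), int(v[2])), line.strip())
            elif c:
                conns[conn]["cipher"] = c[1]
        elif rec_type == "Alert":
            a = re.match(r"^\s+value\s+(\w+)", line)
            if a:
                conns[conn]["alerts"].append(a[1])
    return dict(conns)

def legacy_sessions(summary):  # connection ids that negotiated below TLS1.2
    return sorted(c for c, s in summary.items() if s["version"] in LEGACY)
```

Note that a TLS 1.3 ServerHello still carries record version 3.3 and signals 1.3 in the supported_versions extension, so "TLS1.2" in this summary should be read as "1.2 or later" unless the extension is also parsed.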

Example: SSL Debugging for Specific Protocol Versions

You can also filter SSL/TLS sessions by specifying the SSL/TLS version you are interested in. To focus on a specific version (e.g., TLSv1.2), use the `-v` flag along with the desired version:

ssldump -i eth0 -A -v TLSv1.2 host example.com

This command will capture SSL/TLS traffic only for sessions using TLSv1.2.

Example: Detailed SSL/TLS Alert Messages

To specifically display SSL/TLS alert messages, use the `-a` option to focus on alerts:

ssldump -i eth0 -A -a host example.com

This command filters out everything except SSL/TLS alert messages, providing detailed insights into any alerts or errors during the SSL/TLS session.

Additional Notes

  • `ssldump` relies on raw packet capture to decrypt and interpret SSL/TLS traffic. This means the capture must include the SSL/TLS handshake itself, not only the encrypted records that follow it.
  • `ssldump` requires root or superuser privileges to capture packets on network interfaces (e.g., using `sudo`).
  • While `ssldump` can decrypt SSL/TLS sessions, it cannot decrypt traffic that uses perfect forward secrecy (PFS) unless you have access to the private key or session keys.
  • The tool supports several SSL/TLS versions, including SSLv2, SSLv3, and TLSv1.x, but its ability to decode these protocols depends on the version of `ssldump` and its compatibility with the protocols being used.

Troubleshooting

  • If `ssldump` fails to capture or decode traffic, ensure that the correct network interface is specified using the `-i` option.
  • Ensure that SSL/TLS handshakes are visible in the captured traffic; if the traffic is encrypted with Perfect Forward Secrecy (PFS), SSL/TLS session keys or certificates may be required for decryption.