Demonstrations of sslsniff.py


This tool traces the OpenSSL functions SSL_READ and SSL_WRITE.
Data passed to this functions is printed as plain text.
Useful, for example, to sniff HTTP before encrypted with SSL.


Output of tool executing in other shell "curl https://example.com"

% sudo python sslsniff.py
FUNC         TIME(s)            COMM             PID    LEN   
SSL_WRITE    0.000000000        curl             12915  75    
----- DATA -----
GET / HTTP/1.1
Host: example.com
User-Agent: curl/7.50.1
Accept: */*


----- END DATA -----

SSL_READ     0.127144585        curl             12915  333   
----- DATA -----
HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: text/html
Date: Tue, 16 Aug 2016 15:42:12 GMT
Etag: "359670651+gzip+ident"
Expires: Tue, 23 Aug 2016 15:42:12 GMT
Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT
Server: ECS (iad/18CB)
Vary: Accept-Encoding
X-Cache: HIT
x-ec-custom-error: 1
Content-Length: 1270


----- END DATA -----

SSL_READ     0.129967972        curl             12915  1270  
----- DATA -----
<!doctype html>
<html>
<head>
    <title>Example Domain</title>

    <meta charset="utf-8" />
    <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <style type="text/css">
    body {
        background-color: #f0f0f2;
        margin: 0;
        padding: 0;
        font-family: "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;
        
    }
    div {
        w
----- END DATA (TRUNCATED, 798 bytes lost) -----




USAGE message:

usage: sslsniff.py [-h] [-p PID] [-c COMM] [-o] [-g] [-d]

Sniff SSL data

optional arguments:
  -h, --help            show this help message and exit
  -p PID, --pid PID     sniff this PID only.
  -c COMM, --comm COMM  sniff only commands matching string.
  -o, --no-openssl      do not show OpenSSL calls.
  -g, --no-gnutls       do not show GnuTLS calls.
  -d, --debug           debug mode.

examples:
    ./sslsniff              # sniff OpenSSL and GnuTLS functions
    ./sslsniff -p 181       # sniff PID 181 only
    ./sslsniff -c curl      # sniff curl command only
    ./sslsniff --no-openssl # don't show OpenSSL calls
    ./sslsniff --no-gnutls  # don't show GnuTLS calls