ssldump - (de-facto repository gathering patches around the cyberspace)
This repository is composed of the original SSLDUMP 0.9b3, a myriad of patches (from Debian and other distributions), and contributions via PR.
ssldump is an SSLv3/TLS network protocol analyzer. It identifies TCP connections on the chosen network interface and attempts to interpret them as SSLv3/TLS traffic. When it identifies SSLv3/TLS traffic, it decodes the records and displays them in textual form on stdout. If provided with the appropriate keying material, it will also decrypt the connections and display the application data traffic. It also offers a JSON output option and supports JA3 fingerprints and IPv6. In JSON output it additionally emits passive FAN/1 fingerprints for TLS ClientHello/ServerHello messages and for X.509 certificates.
For example, the following runs ssldump on all interfaces and prints the result as JSON, including JA3 and FAN/1 fingerprints:
```sh
./ssldump -j -ANH -n -i any | jq
```
For more details, check the man page.
ssldump can emit FAN/1 fingerprints, a passive fingerprint format from the fanything project. The fingerprints are produced automatically in JSON output (-j) when the corresponding handshake data is present; no extra command-line option is required.
For TLS handshakes, ClientHello and ServerHello JSON objects include:
- fan1_tls_features: the canonical feature string used as the FAN/1 input.
- fan1_tls_fp: the final FAN/1 fingerprint string.
For certificate messages, each certificate object in cert_chain can include:
- fan1_x509_features: the canonical X.509 feature string used as the FAN/1 input.
- fan1_x509_fp: the final FAN/1 X.509 fingerprint string.
A quick way to inspect these values from a capture is:
```sh
./ssldump -r yourcapture.pcap -j | jq 'select(.fan1_tls_fp != null or .cert_chain != null) | {handshake_type, fan1_tls_features, fan1_tls_fp, cert_chain}'
```
The TLS FAN/1 feature string is derived from the same decoded ClientHello/ServerHello data used for JA3/JA3S, while filtering GREASE values. Certificate FAN/1 feature strings are derived from X.509 metadata such as version, serial length, signature algorithms, issuer, subject, validity duration, public-key algorithm and size, and extension OIDs.
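The GREASE filtering mentioned above matters because a single browser randomizes its GREASE values per connection, so a fingerprint that kept them would never be stable. The following Python is an added example, not ssldump's code: it reimplements the public JA3 recipe (the decoded ClientHello fields, GREASE values per RFC 8701 removed, joined with commas and dashes, then MD5) on a ClientHello constructed inline, and shows that the same fingerprint results with and without the GREASE entries. The FAN/1 string format itself is defined by the fanything project and is not reproduced here; the ClientHello bytes, the hostname and the cipher/extension lists are constructed sample data.

```python
"""JA3 over a constructed TLS ClientHello, with RFC 8701 GREASE values filtered out.

Added example for this README (not ssldump's code). The handshake bytes are
constructed inline so the script runs offline; compare the resulting hash with
the ja3_fp field ssldump emits with -j for the same ClientHello.
"""
import hashlib
import struct


def is_grease(v: int) -> bool:
    # RFC 8701 GREASE values: 0x0a0a, 0x1a1a, ..., 0xfafa (both bytes equal, low nibble 0xa)
    return (v >> 8) == (v & 0xFF) and (v & 0x0F) == 0x0A


def build_client_hello(ciphers, extensions) -> bytes:
    """Wrap a ClientHello body in handshake and TLS record headers."""
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"  # legacy version TLS 1.2, fixed random, empty session id
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(cs)) + cs
    body += b"\x01\x00"  # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 22 = handshake


def parse_client_hello(record: bytes):
    """Return (version, ciphers, extension types, supported groups, EC point formats)."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32  # version + random
    pos += 1 + body[pos]  # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]  # compression methods
    ext_types, groups, formats = [], [], []
    if pos < len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            ext_types.append(etype)
            if etype == 10:  # supported_groups: 2-byte length, 2-byte entries
                n = struct.unpack("!H", data[:2])[0]
                groups = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif etype == 11:  # ec_point_formats: 1-byte length, 1-byte entries
                formats = list(data[1:1 + data[0]])
    return version, ciphers, ext_types, groups, formats


def ja3(record: bytes):
    """Return (ja3_string, ja3_md5) for a ClientHello record, dropping GREASE values."""
    version, ciphers, exts, groups, formats = parse_client_hello(record)
    clean = lambda vals: [v for v in vals if not is_grease(v)]
    s = ",".join([str(version),
                  "-".join(map(str, clean(ciphers))),
                  "-".join(map(str, clean(exts))),
                  "-".join(map(str, clean(groups))),
                  "-".join(map(str, formats))])
    return s, hashlib.md5(s.encode()).hexdigest()


def sample_client_hello(with_grease: bool) -> bytes:
    """Constructed Chrome-like ClientHello; GREASE entries are optional."""
    ciphers = [0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F]
    groups = [29, 23, 24]
    versions = [0x0304, 0x0303]
    if with_grease:
        ciphers, groups, versions = [0x1A1A] + ciphers, [0x3A3A] + groups, [0x7A7A] + versions
    name = b"example.org"  # constructed SNI value
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    sg = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
    sv = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    extensions = [(0, sni), (10, sg), (11, b"\x01\x00"), (43, sv)]
    if with_grease:
        extensions.insert(0, (0x2A2A, b""))
    return build_client_hello(ciphers, extensions)


if __name__ == "__main__":
    for g in (True, False):
        print("grease" if g else "no grease", *ja3(sample_client_hello(g)))
```

Both runs print the same JA3 string and hash; if the GREASE filter is removed from ja3(), the two fingerprints diverge, which is exactly why ssldump strips GREASE before building the JA3 and FAN/1 inputs.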
This example queries the ja3er.com service to display the known JA3 hashes for the TLS handshakes in the pcap (fingerprints are deduplicated first so each one is looked up once):
```sh
./ssldump -r yourcapture.pcap -j | jq -r 'select(.ja3_fp != null) | .ja3_fp' | sort -u | parallel 'curl -s "https://ja3er.com/search/{}" | jq .'
```
Why this repository? Because it's a mess. Maintaining old, abandoned free software like ssldump is a completely chaotic process. I do this to ease my pain, and it may help others too (but that is just collateral damage).
Install dependencies on Debian & Ubuntu (as root):
```sh
apt install build-essential git cmake ninja-build libssl-dev libpcap-dev libnet1-dev libjson-c-dev
```
On Fedora, CentOS, RHEL & Rocky (as root):
```sh
dnf install git cmake ninja-build gcc openssl-devel libpcap-devel libnet-devel json-c-devel
```
On OpenBSD (as root):
```sh
pkg_add git cmake ninja json-c libnet
```
On FreeBSD (as root):
```sh
pkg install git cmake ninja json-c libnet
```
On macOS (with Homebrew, as a regular user; brew refuses to run as root):
```sh
brew install cmake ninja openssl@3 libpcap libnet json-c
```
Compile & install:
```sh
git clone https://github.com/adulau/ssldump.git
cd ssldump
cmake -G Ninja -B build
ninja -C build
./build/ssldump -v
```
Optionally, as root, install the binary and man page:
```sh
ninja -C build install
```
If CMake does not pick up the Homebrew OpenSSL on macOS, point it at the installation with the standard FindOpenSSL variable: `cmake -G Ninja -B build -DOPENSSL_ROOT_DIR=$(brew --prefix openssl@3)`.
The “save to pcap” (-w) option by @ryabkov is heavily based on the work of @droe on https://github.com/droe/sslsplit .
The contributing policy is simple. If you have a patch to propose, open a pull request via the GitHub interface. If the patch works for me, it's merged.