ssldump - (de-facto repository gathering patches around the cyberspace)

View the Project on GitHub adulau/ssldump

ssldump - (de-facto repository gathering patches around the cyberspace)

Build CI CodeQL analysis

Release and tagging

What about the original ssldump?

This repository is composed of the original SSLDUMP 0.9b3 + a myriad of patches (from Debian and other distributions) + contributions via PR

ssldump is an SSLv3/TLS network protocol analyzer. It identifies TCP connections on the chosen network interface and attempts to interpret them as SSLv3/TLS traffic. When it identifies SSLv3/TLS traffic, it decodes the records and displays them in a textual form to stdout. If provided with the appropriate keying material, it will also decrypt the connections and display the application data traffic. It also includes a JSON output option, supports JA3 and IPv6.

How to do I run ssldump?

./ssldump -j -ANH -n -i any | jq will run ssldump on all interfaces and output the result in JSON format including ja3 hashes.

For more details, check the man page.

How can I lookup ja3 hashes?

This example will query service to display the known ja3 hashes from the TLS handshaked in the pcap.

ssldump -r yourcapture.pcap -j | jq -r 'select(.ja3_fp != null) | .ja3_fp' | parallel 'curl -s -X GET '{}' | jq .'

Why do you maintain this repository?

Because it’s a mess. The software maintenance process for old free (unmaintained) software like ssldump is a complete chaotic process. I do this to ease my pain and this could help other too (but this is just a collateral damage).

Where ssldump is used?

Where ssldump is available?

Build instructions

On Debian & Ubuntu:

apt install build-essential autoconf libssl-dev libpcap-dev libnet1-dev libjson-c-dev
./configure --prefix=/usr/local
(optional) make install

On Fedora, CentOS, RHEL & Rocky:

dnf install autoconf automake gcc make openssl-devel libpcap-devel libnet-devel json-c-devel
./configure --prefix=/usr/local
(optional) make install

Optional configuration features (aka ./configure options):

  --disable-optimization  disable compiler optimizations (change from -O2 to -O0)
  --enable-debug	  enable debug info (add "-g -DDEBUG" to CFLAGS)
  --enable-asan		  enable AddressSanitizer and other checks
	add "-fsanitize=address,undefined,leak -Wformat -Werror=format-security
		-Werror=array-bounds" to CFLAGS
	use libasan with GCC and embedded ASAN with Clang

Configuration examples:

- Use GCC with libasan, debug info and custom CFLAGS:
	./configure CC=/usr/bin/gcc --enable-asan --enable-debug CFLAGS="-Wall"

- Use Clang with ASAN and no optimizations (-O0)
	./configure CC=/usr/bin/clang --enable-asan --disable-optimization


The “save to pcap” (-w) option by @ryabkov, is heavily based on the work of @droe on .


The contributing policy is simple. If you have a patch to propose, make a pull-request via the interface. If the patch works for me, it’s merged.