DOKK / manpages / debian 12 / bpfcc-tools / sslsniff-bpfcc.8.en
sslsniff(8) System Manager's Manual sslsniff(8)

sslsniff - Print data passed to OpenSSL, GnuTLS or NSS. Uses Linux eBPF/bcc.

sslsniff [-h] [-p PID] [-u UID] [-x] [-c COMM] [-o] [-g] [-n] [-d] [--hexdump] [--max-buffer-size SIZE] [-l] [--handshake] [--extra-lib EXTRA_LIB]

sslsniff prints data sent to write/send and read/recv functions of OpenSSL, GnuTLS and NSS, allowing us to read plain text content before encryption (when writing) and after decryption (when reading).

This works reading the second parameter of both functions (*buf).

Since this uses BPF, only the root user can use this tool.

CONFIG_BPF and bcc.

Print usage message.
Trace only functions in this process PID.
Trace only calls made by this UID.
Show extra fields: UID and TID.
Show only processes that match this COMM exactly.
Do not trace OpenSSL functions.
Do not trace GnuTLS functions.
Do not trace GnuTLS functions.
Show data as hexdump instead of trying to decode it as UTF-8
Sets maximum buffer size of intercepted data. Longer values would be truncated. Default value is 8 Kib, maximum possible value is a bit less than 32 Kib.
Show function latency in ms.
Show handshake latency, enabled only if latency option is on.
Consist type of the library and library path separated by colon. Supported library types are: openssl, gnutls, nss. Can be specified multiple times.

# sslsniff
# sslsniff -u 1000 --no-nss --no-gnutls
# sslsniff -l --handshake
sslsniff --no-openssl --no-gnutls --no-nss --extra-lib openssl:/some/path/libssl.so

Which function is being called (write/send or read/recv)
Time of the command, in seconds.
Entered command.
Process ID calling SSL.
Bytes written or read by SSL functions.
UID of the process, displayed only if launched with -x.
Thread ID, displayed only if launched with -x.
Function latency in ms.

This is from bcc.

https://github.com/iovisor/bcc

Also look in the bcc distribution for a companion _examples.txt file containing example usage, output, and commentary for this tool.

Linux

Unstable - in development.

Adrian Lopez and Mark Drayton

trace(8)

2016-08-16 USER COMMANDS