DOKK / manpages / debian 12 / bpftrace / sslsnoop.bt.bt.8.en
sslsnoop.bt(8) System Manager's Manual sslsnoop.bt(8)

sslsnoop.bt - Show SSL/TLS handshake events. Uses bpftrace/eBPF.

sslsnoop.bt

sslsnoop traces OpenSSL handshake functions, and shows latency and return value. This can be used to analyze SSL/TLS performance.

This tool works by dynamic tracing the uprobes in OpenSSL and related crypto libs, and may need updating to match future changes to these functions.

Since this uses BPF, only the root user can use this tool.

CONFIG_BPF and bpftrace.

# sslsnoop.bt

Time of the call completion, in microseconds since program start.
Thread ID.
Process name.
Latency of the call, in microseconds.
Return value of the call.
Function name.

SSL/TLS handshake usually contains network latency and the traced crypto functions are CPU intensive tasks, so call frequency should be low and the overhead of this tool is expected to be negligible.

This is from bpftrace.

https://github.com/iovisor/bpftrace

Also look in the bpftrace distribution for a companion _examples.txt file containing example usage, output, and commentary for this tool.

There is a bcc tool sslsniff that can show SSL/TLS handshake event latency before sniffing the plaintext in SSL_read/write. This tool provides more detailed crypto latency distribution during the handshake event.

https://github.com/iovisor/bcc

Linux

Unstable - in development.

Tao Xu

biosnoop.bt(8)

2021-12-28 USER COMMANDS