tools/sslsniff_example.txt - platform/external/bcc - Git at Google

 Demonstrations of sslsniff.py


 This tool traces the OpenSSL functions SSL_READ and SSL_WRITE.
 Data passed to this functions is printed as plain text.
 Useful, for example, to sniff HTTP before encrypted with SSL.


 Output of tool executing in other shell "curl https://example.com"

 % sudo python sslsniff.py
 FUNC         TIME(s)            COMM             PID    LEN
 SSL_WRITE    0.000000000        curl             12915  75
 ----- DATA -----
 GET / HTTP/1.1
 Host: example.com
 User-Agent: curl/7.50.1
 Accept: */*


 ----- END DATA -----

 SSL_READ     0.127144585        curl             12915  333
 ----- DATA -----
 HTTP/1.1 200 OK
 Cache-Control: max-age=604800
 Content-Type: text/html
 Date: Tue, 16 Aug 2016 15:42:12 GMT
 Etag: "359670651+gzip+ident"
 Expires: Tue, 23 Aug 2016 15:42:12 GMT
 Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT
 Server: ECS (iad/18CB)
 Vary: Accept-Encoding
 X-Cache: HIT
 x-ec-custom-error: 1
 Content-Length: 1270


 ----- END DATA -----

 SSL_READ     0.129967972        curl             12915  1270
 ----- DATA -----
 <!doctype html>
 <html>
 <head>
     <title>Example Domain</title>

     <meta charset="utf-8" />
     <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1" />
     <style type="text/css">
     body {
         background-color: #f0f0f2;
         margin: 0;
         padding: 0;
         font-family: "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;

     }
     div {
         w
 ----- END DATA (TRUNCATED, 798 bytes lost) -----


 USAGE message:

 usage: sslsniff.py [-h] [-p PID] [-c COMM] [-o] [-g] [-d]

 Sniff SSL data

 optional arguments:
   -h, --help            show this help message and exit
   -p PID, --pid PID     sniff this PID only.
   -c COMM, --comm COMM  sniff only commands matching string.
   -o, --no-openssl      do not show OpenSSL calls.
   -g, --no-gnutls       do not show GnuTLS calls.
   -d, --debug           debug mode.

 examples:
     ./sslsniff              # sniff OpenSSL and GnuTLS functions
     ./sslsniff -p 181       # sniff PID 181 only
     ./sslsniff -c curl      # sniff curl command only
     ./sslsniff --no-openssl # don't show OpenSSL calls
     ./sslsniff --no-gnutls  # don't show GnuTLS calls
	Demonstrations of sslsniff.py


	This tool traces the OpenSSL functions SSL_READ and SSL_WRITE.
	Data passed to this functions is printed as plain text.
	Useful, for example, to sniff HTTP before encrypted with SSL.


	Output of tool executing in other shell "curl https://example.com"

	% sudo python sslsniff.py
	FUNC TIME(s) COMM PID LEN
	SSL_WRITE 0.000000000 curl 12915 75
	----- DATA -----
	GET / HTTP/1.1
	Host: example.com
	User-Agent: curl/7.50.1
	Accept: /


	----- END DATA -----

	SSL_READ 0.127144585 curl 12915 333
	----- DATA -----
	HTTP/1.1 200 OK
	Cache-Control: max-age=604800
	Content-Type: text/html
	Date: Tue, 16 Aug 2016 15:42:12 GMT
	Etag: "359670651+gzip+ident"
	Expires: Tue, 23 Aug 2016 15:42:12 GMT
	Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT
	Server: ECS (iad/18CB)
	Vary: Accept-Encoding
	X-Cache: HIT
	x-ec-custom-error: 1
	Content-Length: 1270


	----- END DATA -----

	SSL_READ 0.129967972 curl 12915 1270
	----- DATA -----
	<!doctype html>
	<html>
	<head>
	<title>Example Domain</title>

	<meta charset="utf-8" />
	<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
	<meta name="viewport" content="width=device-width, initial-scale=1" />
	<style type="text/css">
	body {
	background-color: #f0f0f2;
	margin: 0;
	padding: 0;
	font-family: "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;

	}
	div {
	w
	----- END DATA (TRUNCATED, 798 bytes lost) -----




	USAGE message:

	usage: sslsniff.py [-h] [-p PID] [-c COMM] [-o] [-g] [-d]

	Sniff SSL data

	optional arguments:
	-h, --help show this help message and exit
	-p PID, --pid PID sniff this PID only.
	-c COMM, --comm COMM sniff only commands matching string.
	-o, --no-openssl do not show OpenSSL calls.
	-g, --no-gnutls do not show GnuTLS calls.
	-d, --debug debug mode.

	examples:
	./sslsniff # sniff OpenSSL and GnuTLS functions
	./sslsniff -p 181 # sniff PID 181 only
	./sslsniff -c curl # sniff curl command only
	./sslsniff --no-openssl # don't show OpenSSL calls
	./sslsniff --no-gnutls # don't show GnuTLS calls