sslsniff - Print data passed to OpenSSL. Uses Linux eBPF/bcc.
sslsniff prints data sent to SSL_write and SSL_read OpenSSL functions, allowing
us to read plain text content before encryption (when writing) and after
decryption (when reading).
This works by reading the second parameter of both functions (*buf).
Since this uses BPF, only the root user can use this tool.
Requires CONFIG_BPF and bcc.
- Print all calls to SSL_write and SSL_read system-wide:
  # sslsniff
- Which function is being called (SSL_write or SSL_read)
- Time of the command, in seconds.
- Entered command.
- Process ID calling OpenSSL.
- Bytes written or read by OpenSSL functions.
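A parser for saved sslsniff output, added here as an example (it is not part of bcc): it splits a capture into events carrying the five fields listed above and totals plaintext bytes per process and direction. The header row, the WRITE/SEND and READ/RECV labels and the "----- DATA -----" delimiters are assumptions about the output layout, and the sample capture is constructed.

```python
import re
from collections import defaultdict

# Constructed sample capture. The layout (header row, DATA delimiters) is an
# assumption; the last payload deliberately looks like an event row.
SAMPLE = """\
FUNC         TIME(s)            COMM             PID     LEN
WRITE/SEND   0.000000000        curl             12915   37
----- DATA -----
GET / HTTP/1.1
Host: example.com

----- END DATA -----

FUNC         TIME(s)            COMM             PID     LEN
READ/RECV    0.127144585        Socket Thread    2301    17
----- DATA -----
HTTP/1.1 200 OK
----- END DATA -----
WRITE/SEND   0.130000000        curl             12915   5
----- DATA -----
READ/RECV    9.9   fake   1   1
----- END DATA -----
"""

# FUNC, TIME, COMM (may contain spaces), PID, LEN
ROW = re.compile(r"^(\S+)\s+(\d+\.\d+)\s+(.+?)\s+(\d+)\s+(\d+)\s*$")

def parse_events(text):
    """Return one dict per event; payload lines are never parsed as rows."""
    events, payload = [], None  # payload is a list while inside a DATA block
    for line in text.splitlines():
        if payload is not None:
            if line.startswith("----- END DATA"):
                events[-1]["data"] = "\n".join(payload)
                payload = None
            else:
                payload.append(line)
        elif line.startswith("----- DATA") and events:
            payload = []
        elif (m := ROW.match(line)):
            func, t, comm, pid, length = m.groups()
            events.append({"func": func, "time": float(t), "comm": comm,
                           "pid": int(pid), "len": int(length), "data": ""})
    return events

def bytes_by_process(events):
    """Sum the LEN field per (pid, comm, func) to see who moved how much."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["pid"], e["comm"], e["func"])] += e["len"]
    return dict(totals)
```
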
This is from bcc.
Also look in the bcc distribution for a companion _examples.txt file containing
example usage, output, and commentary for this tool.
Unstable - in development.
Adrian Lopez and Mark Drayton