forked from iovisor/bcc
-
Notifications
You must be signed in to change notification settings - Fork 0
/
sslsniff_example.txt
213 lines (163 loc) · 6.74 KB
/
sslsniff_example.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
Demonstrations of sslsniff.py
This tool traces the write/send and read/recv functions of OpenSSL,
GnuTLS and NSS. Data passed to this functions is printed as plain
text. Useful, for example, to sniff HTTP before encrypted with SSL.
Output of tool executing in other shell "curl https://example.com"
% sudo python sslsniff.py
FUNC TIME(s) COMM PID LEN
WRITE/SEND 0.000000000 curl 12915 75
----- DATA -----
GET / HTTP/1.1
Host: example.com
User-Agent: curl/7.50.1
Accept: */*
----- END DATA -----
READ/RECV 0.127144585 curl 12915 333
----- DATA -----
HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: text/html
Date: Tue, 16 Aug 2016 15:42:12 GMT
Etag: "359670651+gzip+ident"
Expires: Tue, 23 Aug 2016 15:42:12 GMT
Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT
Server: ECS (iad/18CB)
Vary: Accept-Encoding
X-Cache: HIT
x-ec-custom-error: 1
Content-Length: 1270
----- END DATA -----
READ/RECV 0.129967972 curl 12915 1270
----- DATA -----
<!doctype html>
<html>
<head>
<title>Example Domain</title>
<meta charset="utf-8" />
<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<style type="text/css">
body {
background-color: #f0f0f2;
margin: 0;
padding: 0;
font-family: "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;
}
div {
w
----- END DATA (TRUNCATED, 798 bytes lost) -----
Using the --hexdump option you will get the exact same output, only the lines
between DATA and END DATA will differ. Those will be replaced with a 16 byte
(32 characters) wide hex-dump, an example of a block of output from sslsniff
called with that option is
READ/RECV 7.405609173 curl 201942 1256
----- DATA -----
3c21646f63747970652068746d6c3e0a
3c68746d6c3e0a3c686561643e0a2020
20203c7469746c653e4578616d706c65
20446f6d61696e3c2f7469746c653e0a
0a202020203c6d657461206368617273
65743d227574662d3822202f3e0a2020
20203c6d65746120687474702d657175
69763d22436f6e74656e742d74797065
2220636f6e74656e743d22746578742f
68746d6c3b20636861727365743d7574
662d3822202f3e0a202020203c6d6574
61206e616d653d2276696577706f7274
2220636f6e74656e743d227769647468
3d6465766963652d77696474682c2069
6e697469616c2d7363616c653d312220
2f3e0a202020203c7374796c65207479
70653d22746578742f637373223e0a20
202020626f6479207b0a202020202020
20206261636b67726f756e642d636f6c
6f723a20236630663066323b0a202020
20202020206d617267696e3a20303b0a
202020202020202070616464696e673a
20303b0a2020202020202020666f6e74
2d66616d696c793a202d6170706c652d
73797374656d2c2073797374656d2d75
692c20426c696e6b4d61635379737465
6d466f6e742c20225365676f65205549
222c20224f70656e2053616e73222c20
2248656c766574696361204e65756522
----- END DATA (TRUNCATED, 792 bytes lost) -----
This is useful to sniff binary protocols where the UTF-8 decode might insert a
lot of characters that are not printable or even Unicode replacement
characters.
Use -l or --latency option to show function latency, and show handshake latency
by using both -l and --handshake. This is useful for SSL/TLS performance
analysis. Tracing output of "echo | openssl s_client -connect example.com:443":
# ./sslsniff.py -l --handshake
FUNC TIME(s) COMM PID LEN LAT(ms)
WRITE/SEND 0.000000000 openssl 10377 1 0.005
----- DATA -----
----- END DATA -----
Trace localhost server instead of example.com. It takes 0.7ms for server
handshake before secure connection is ready for initial SSL_read or SSL_write.
# ./sslsniff.py -l --handshake
FUNC TIME(s) COMM PID LEN LAT(ms)
HANDSHAKE 0.000000000 nginx 7081 1 0.699
WRITE/SEND 0.000132180 openssl 14800 1 0.010
----- DATA -----
----- END DATA -----
READ/RECV 0.000136583 nginx 7081 1 0.004
----- DATA -----
----- END DATA -----
Tracing output of "echo | gnutls-cli -p 443 example.com":
# ./sslsniff.py -l --handshake
FUNC TIME(s) COMM PID LEN LAT(ms)
WRITE/SEND 0.000000000 gnutls-cli 43554 1 0.012
----- DATA -----
----- END DATA -----
Tracing output of "echo | gnutls-cli -p 443 --insecure localhost":
# ./sslsniff.py -l --handshake
FUNC TIME(s) COMM PID LEN LAT(ms)
HANDSHAKE 0.000000000 nginx 7081 1 0.710
WRITE/SEND 0.000045126 gnutls-cli 43752 1 0.014
----- DATA -----
----- END DATA -----
READ/RECV 0.000049464 nginx 7081 1 0.004
----- DATA -----
----- END DATA -----
Tracing few extra libraries (useful for docker containers and other isolated
apps)
# ./sslsniff.py --extra-lib openssl:/var/lib/docker/overlay2/l/S4EMHE/lib/libssl.so.1.1
USAGE message:
usage: sslsniff.py [-h] [-p PID] [-u UID] [-x] [-c COMM] [-o] [-g] [-n] [-d]
[--hexdump] [--max-buffer-size MAX_BUFFER_SIZE] [-l]
[--handshake] [--extra-lib EXTRA_LIB]
Sniff SSL data
optional arguments:
-h, --help show this help message and exit
-p PID, --pid PID sniff this PID only.
-u UID, --uid UID sniff this UID only.
-x, --extra show extra fields (UID, TID)
-c COMM, --comm COMM sniff only commands matching string.
-o, --no-openssl do not show OpenSSL calls.
-g, --no-gnutls do not show GnuTLS calls.
-n, --no-nss do not show NSS calls.
-d, --debug debug mode.
--hexdump show data as hexdump instead of trying to decode it as
UTF-8
--max-buffer-size MAX_BUFFER_SIZE
Size of captured buffer
-l, --latency show function latency
--handshake show SSL handshake latency, enabled only if latency
option is on.
--extra-lib EXTRA_LIB
Intercept calls from extra library
(format: lib_type:lib_path)
examples:
./sslsniff # sniff OpenSSL and GnuTLS functions
./sslsniff -p 181 # sniff PID 181 only
./sslsniff -u 1000 # sniff only UID 1000
./sslsniff -c curl # sniff curl command only
./sslsniff --no-openssl # don't show OpenSSL calls
./sslsniff --no-gnutls # don't show GnuTLS calls
./sslsniff --no-nss # don't show NSS calls
./sslsniff --hexdump # show data as hex instead of trying to decode it as UTF-8
./sslsniff -x # show process UID and TID
./sslsniff -l # show function latency
./sslsniff -l --handshake # show SSL handshake latency
./sslsniff --extra-lib openssl:/path/libssl.so.1.1 # sniff extra library