diff -Nur ssldump-0.9b3.org/base/pcap-snoop.c ssldump-0.9b3/base/pcap-snoop.c
--- ssldump-0.9b3.org/base/pcap-snoop.c 2002-09-09 21:02:58.000000000 +0000
+++ ssldump-0.9b3/base/pcap-snoop.c 2006-05-07 15:28:09.598568500 +0000
@@ -206,7 +206,7 @@
 signal(SIGINT,sig_handler);
- while((c=getopt(argc,argv,"vr:f:S:Ttai:k:p:nsAxXhHVNdqem:P"))!=EOF){
+ while((c=getopt(argc,argv,"vr:f:S:yTtai:k:p:nsAxXhHVNdqem:P"))!=EOF){
 switch(c){
 case 'v':
 print_version();
@@ -260,7 +260,7 @@
 break;
 case 'h':
 usage();
- printf("Do 'man ssldump' for documentation\n");
+ printf("Do 'man 1 ssldump' for documentation\n");
 exit(1);
 case '?':
diff -Nur ssldump-0.9b3.org/ssl/ssl_analyze.c ssldump-0.9b3/ssl/ssl_analyze.c
--- ssldump-0.9b3.org/ssl/ssl_analyze.c 2002-01-21 18:46:13.000000000 +0000
+++ ssldump-0.9b3/ssl/ssl_analyze.c 2006-05-07 15:28:09.594568250 +0000
@@ -133,7 +133,7 @@
 SSL_PRINT_DECODE
 },
 {
- 0,
+ 'y',
 "nroff",
 SSL_PRINT_NROFF
 },
diff -Nur ssldump-0.9b3.org/ssl/ssldecode.c ssldump-0.9b3/ssl/ssldecode.c
--- ssldump-0.9b3.org/ssl/ssldecode.c 2002-08-17 01:33:17.000000000 +0000
+++ ssldump-0.9b3/ssl/ssldecode.c 2006-05-07 15:28:09.598568500 +0000
@@ -51,6 +51,7 @@
 #include <openssl/ssl.h>
 #include <openssl/hmac.h>
 #include <openssl/evp.h>
+#include <openssl/md5.h>
 #include <openssl/x509v3.h>
 #endif
 #include "ssldecode.h"
@@ -131,7 +132,8 @@
 ssl_decode_ctx *d=0;
 int r,_status;
- SSLeay_add_all_algorithms();
+ SSL_library_init();
+ OpenSSL_add_all_algorithms();
 if(!(d=(ssl_decode_ctx *)malloc(sizeof(ssl_decode_ctx))))
 ABORT(R_NO_MEMORY);
 if(!(d->ssl_ctx=SSL_CTX_new(SSLv23_server_method())))
diff -Nur ssldump-0.9b3.org/ssldump.1 ssldump-0.9b3/ssldump.1
--- ssldump-0.9b3.org/ssldump.1 2002-08-12 23:46:53.000000000 +0000
+++ ssldump-0.9b3/ssldump.1 2006-05-07 15:28:09.598568500 +0000
@@ -61,12 +61,9 @@
 .na
 .B ssldump
 [
-.B \-vtaTnsAxXhHVNdq
+.B \-vTshVq
+.B \-aAdeHnNqTxXvy
 ] [
-.B \-r
-.I dumpfile
-]
-[
 .B \-i
 .I interface
 ]
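Review bot: The getopt string in the pcap-snoop.c hunk at -206 now accepts `y` as a flag, but no `case 'y'` appears in this hunk, so its handling presumably runs through the generic per-letter flag path that the ssl/ssl_analyze.c hunk at -133 feeds by binding `'y'` to the "nroff" / SSL_PRINT_NROFF table entry; those two letter lists live in different files and nothing in the code ties them together. A comment on the getopt line would make the coupling visible to the next person who adds an option: `/* single-letter SSL print flags (e.g. 'y') must also appear in the flag table in ssl/ssl_analyze.c */`. The same coupling note applies to the ssl_analyze.c hunk. The enclosing function starts before this hunk and continues after it.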
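Review bot: In the ssldecode.c hunk at -131, `SSL_library_init()` and `OpenSSL_add_all_algorithms()` are process-wide, one-time library initializers, yet they sit next to the per-call locals `ssl_decode_ctx *d=0` inside what looks like a context constructor, so every decode context created re-runs both registrations; that should be idempotent in this OpenSSL API but is wasteful, and a one-shot guard keeps the intent explicit: `static int ssl_lib_ready;` followed by `if(!ssl_lib_ready){ SSL_library_init(); OpenSSL_add_all_algorithms(); ssl_lib_ready=1; }`. The `<openssl/md5.h>` include added in the hunk at -51 is not exercised by anything visible in these hunks; presumably MD5 is called directly elsewhere in ssldecode.c, which is worth confirming so the include is not speculative. The enclosing function starts before this hunk and continues after it.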
@@ -81,6 +78,16 @@ .I password ] [ +.B \-r +.I dumpfile +] +.br +.ti +8 +[ +.B \-S +.RI [\| crypto \||\| d \||\| ht \||\| H \||\| nroff \|] +] +[ .I expression ] .br @@ -125,6 +132,7 @@ You must have read access to .IR /dev/bpf* . .SH OPTIONS +.TP .B \-a Print bare TCP ACKs (useful for observing Nagle behavior) .TP @@ -135,7 +143,7 @@ .B \-d Display the application data traffic. This usually means decrypting it, but when -d is used ssldump will also decode -application data traffic _before_ the SSL session initiates. +application data traffic \fIbefore\fP the SSL session initiates. This allows you to see HTTPS CONNECT behavior as well as SMTP STARTTLS. As a side effect, since ssldump can't tell whether plaintext is traffic before the initiation of an @@ -148,18 +156,9 @@ .B \-e Print absolute timestamps instead of relative timestamps .TP -.B \-r -Read data from \fIfile\fP instead of from the network. -The old -f option still works but is deprecated and will -probably be removed with the next version. .B \-H Print the full SSL packet header. .TP -.B \-k -Use \fIkeyfile\fP as the location of the SSL keyfile (OpenSSL format) -Previous versions of ssldump automatically looked in ./server.pem. -Now you must specify your keyfile every time. -.TP .B \-n Don't try to resolve host names from IP addresses .TP @@ -176,6 +175,12 @@ .B \-q Don't decode any record fields beyond a single summary line. (quiet mode). .TP +.B \-T +Print the TCP headers. +.TP +.B \-v +Display version and copyright information. +.TP .B \-x Print each record in hex, as well as decoding it. .TP 
@@ -183,13 +188,48 @@ When the -d option is used, binary data is automatically printed in two columns with a hex dump on the left and the printable characters on the right. -X suppresses the display of the printable characters, -thus making it easier to cut and paste the hext data into some other +thus making it easier to cut and paste the hex data into some other program. +.TP .B \-y -Decorate the output for processing with troff. Not very +Decorate the output for processing with nroff/troff. Not very useful for the average user. .TP -.IP "\fI expression\fP" +.BI \-i " interface" +Use \fIinterface\fP as the network interface on which to sniff SSL/TLS +traffic. +.TP +.BI \-k " keyfile" +Use \fIkeyfile\fP as the location of the SSL keyfile (OpenSSL format) +Previous versions of ssldump automatically looked in ./server.pem. +Now you must specify your keyfile every time. +.TP +.BI \-p " password" +Use \fIpassword\fP as the SSL keyfile password. +.TP +.BI \-r " file" +Read data from \fIfile\fP instead of from the network. +The old -f option still works but is deprecated and will +probably be removed with the next version. +.TP +.BI \-S " [ " crypto " | " d " | " ht " | " H " ]" +Specify SSL flags to ssldump. These flags include: +.RS +.TP +.I crypto +Print cryptographic information. +.TP +.I d +Print fields as decoded. +.TP +.I ht +Print the handshake type. +.TP +.I H +Print handshake type and highlights. +.RE +.TP +\fIexpression\fP .RS Selects what packets ssldump will examine. Technically speaking, ssldump supports the full expression syntax from PCAP and tcpdump. @@ -200,7 +240,7 @@ don't result in incomplete TCP streams are listed here. .LP The \fIexpression\fP consists of one or more -.I primitives. +.IR primitives . Primitives usually consist of an .I id (name or number) preceded by one or more qualifiers. There are three 
@@ -512,5 +552,11 @@ .LP ssldump doesn't implement session caching and therefore can't decrypt resumed sessions. - - +.LP +.SH SEE ALSO +.LP +.BR tcpdump (1) +.LP +.SH AUTHOR +.LP +ssldump was written by Eric Rescorla <ekr@rtfm.com>.