ssldump
-------

ssldump is an SSLv3/TLS network protocol analyzer. It identifies TCP
connections on the chosen network interface (or in a saved capture file)
and attempts to interpret them as SSLv3/TLS traffic. When it identifies
SSLv3/TLS traffic, it decodes the records and displays them in a textual
form to stdout. If provided with the appropriate keying material (the
server's RSA private key, from which it recovers the premaster secret of
connections that use RSA key exchange), it will also decrypt the
connections and display the application data traffic.

Compatibility
-------------

ssldump is known to work on FreeBSD, Linux, Solaris, and HP/UX but
should work on any platform with pcap. If you encounter problems,
please report them. The Windows port is new as of this release and
so it has received only modest testing.

Versions
--------

The current version is 0.9b2 

ssldump 0.9b2 contains a number of fixes and enhancements over 0.9b1, including:

*	Support for Windows, courtesy of Greg Stark 
*	Support for decrypting resumed sessions. 
*	Fixed a core dump under certain RST conditions. 
*	Support for an arbitrary number of connections (previous versions had a hard limit). 
*	Better error reporting when you provide a bad password. 
*	Some performance fixes. 
*	Other bug fixes. 

See the ssldump-CHANGELOG.txt file for a more complete list of changes.


Sample Output
-------------

Here's an example trace generated by ssldump:

New TCP connection #3: localhost(3638) <-> localhost(4433)
3 1  0.0738 (0.0738)  C>S  Handshake      ClientHello
3 2  0.0743 (0.0004)  S>C  Handshake      ServerHello
3 3  0.0743 (0.0000)  S>C  Handshake      Certificate
3 4  0.0743 (0.0000)  S>C  Handshake      ServerHelloDone
3 5  0.0866 (0.0123)  C>S  Handshake      ClientKeyExchange
3 6  0.0866 (0.0000)  C>S  ChangeCipherSpec
3 7  0.0866 (0.0000)  C>S  Handshake      Finished
3 8  0.0909 (0.0043)  S>C  ChangeCipherSpec
3 9  0.0909 (0.0000)  S>C  Handshake      Finished
3 10 1.8652 (1.7742)  C>S  application_data
3 11 2.7539 (0.8887)  C>S  application_data
3 12 5.1861 (2.4321)  C>S  Alert          warning          close_notify
3    5.1868 (0.0007)  C>S  TCP FIN
3    5.1893 (0.0024)  S>C  TCP FIN

This trace was produced with the default, minimal decoding: one line per
record or handshake message, giving the connection number, the record
number, the time since the connection started and the delta from the
previous record, the direction, and the message type. ssldump has flags
to decode every record in full (-a) and to print the application data
(-d); the latter is only useful when the session can be decrypted, which
means supplying the server key with -k (and its password with -p if the
key file is encrypted).
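The following Python is an added example, not ssldump's own code and not a capture from this page. It turns a hand-built TLS 1.0 byte stream into the same kind of one-line-per-message summary shown above, and makes visible what the analyzer has to do before it can print such a line: reassemble records across TCP segment boundaries, reassemble handshake messages across record boundaries, and, once a side has sent ChangeCipherSpec, report only the record type and length because the payload is ciphertext without the server key. The column layout approximates ssldump's (record number, timestamp, direction, type) and omits the connection-number and delta columns; the randoms, certificate, cipher suites and "encrypted" payloads are constructed dummies.

```python
"""ssldump-style one-line summaries from a constructed TLS 1.0 byte stream.
Added example, not ssldump's own code; every packet below is hand-built."""
import struct

CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
                   14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
               40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca"}


def tls_record(ctype, body, version=b"\x03\x01"):
    """One TLS record: type(1) version(2) length(2) fragment."""
    return bytes([ctype]) + version + struct.pack("!H", len(body)) + body


def handshake_msg(htype, body):
    """One handshake message: type(1) length(3) body."""
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def hello_detail(htype, body):
    """The ClientHello/ServerHello fields a fuller decode (ssldump -a) would show."""
    ver = f"{body[0]}.{body[1]}"
    p = 35 + body[34]                       # skip version, 32-byte random, session_id
    if htype == 1:                          # ClientHello: cipher_suites<2..2^16-1>
        return f"version {ver}, {struct.unpack('!H', body[p:p + 2])[0] // 2} cipher suites"
    return f"version {ver}, cipherSuite 0x{struct.unpack('!H', body[p:p + 2])[0]:04x}"


def decode(segments):
    """segments: iterable of (direction, seconds, bytes) in capture order.
    Records are reassembled per direction across segments and handshake messages
    across records. After ChangeCipherSpec only type/length are known; the first
    Handshake record after it is labelled Finished because the protocol requires it."""
    lines, n = [], 0
    raw = {"C>S": b"", "S>C": b""}          # unparsed record bytes per direction
    hs_buf = {"C>S": b"", "S>C": b""}       # unparsed handshake bytes per direction
    encrypted = {"C>S": False, "S>C": False}

    def emit(ts, d, kind, detail=""):
        nonlocal n
        n += 1
        lines.append(f"{n:<3}{ts:7.4f}  {d}  {kind:<16} {detail}".rstrip())

    for d, ts, segment in segments:
        raw[d] += segment
        while len(raw[d]) >= 5:
            ctype, length = raw[d][0], struct.unpack("!H", raw[d][3:5])[0]
            kind = CONTENT_TYPES.get(ctype)
            if kind is None:                # fail fast: this stream is not TLS
                raise ValueError(f"content type {ctype} is not TLS")
            if len(raw[d]) < 5 + length:
                break                       # rest of this record is in a later segment
            body, raw[d] = raw[d][5:5 + length], raw[d][5 + length:]
            if encrypted[d]:
                emit(ts, d, kind, "Finished" if kind == "Handshake" else f"({length} bytes ciphertext)")
            elif kind == "ChangeCipherSpec":
                encrypted[d] = True
                emit(ts, d, kind)
            elif kind == "Alert":
                emit(ts, d, kind, f"{ALERT_LEVELS.get(body[0], body[0])} {ALERT_DESCS.get(body[1], body[1])}")
            elif kind == "Handshake":
                hs_buf[d] += body
                while len(hs_buf[d]) >= 4:
                    htype, hlen = hs_buf[d][0], int.from_bytes(hs_buf[d][1:4], "big")
                    if len(hs_buf[d]) < 4 + hlen:
                        break               # rest of this message is in a later record
                    hbody, hs_buf[d] = hs_buf[d][4:4 + hlen], hs_buf[d][4 + hlen:]
                    detail = HANDSHAKE_TYPES.get(htype, f"type {htype}")
                    if htype in (1, 2):
                        detail += "  " + hello_detail(htype, hbody)
                    emit(ts, d, kind, detail)
            else:
                emit(ts, d, kind)
    for d in raw:                           # flag anything left unparsed (truncated capture)
        if raw[d] or hs_buf[d]:
            lines.append(f"    {d}  {len(raw[d]) + len(hs_buf[d])} bytes of incomplete data")
    return lines


# Constructed RSA-key-exchange handshake; randoms, certificate and secrets are dummies.
_rand = bytes(32)
CLIENT_HELLO = handshake_msg(1, b"\x03\x01" + _rand + b"\x00" + b"\x00\x04\x00\x2f\x00\x35" + b"\x01\x00")
SERVER_FLIGHT = (handshake_msg(2, b"\x03\x01" + _rand + b"\x00" + b"\x00\x2f" + b"\x00")
                 + handshake_msg(11, b"\x00\x00\x00") + handshake_msg(14, b""))
CLIENT_KEX = handshake_msg(16, b"\x00\x02\xaa\xbb")
_server_records = tls_record(22, SERVER_FLIGHT[:20]) + tls_record(22, SERVER_FLIGHT[20:])

SAMPLE_STREAM = [
    ("C>S", 0.0738, tls_record(22, CLIENT_HELLO)),
    ("S>C", 0.0743, _server_records[:30]),   # ServerHello split across records and segments
    ("S>C", 0.0743, _server_records[30:]),
    ("C>S", 0.0866, tls_record(22, CLIENT_KEX) + tls_record(20, b"\x01") + tls_record(22, bytes(40))),
    ("S>C", 0.0909, tls_record(20, b"\x01") + tls_record(22, bytes(40))),
    ("C>S", 1.8652, tls_record(23, bytes(64))),
    ("C>S", 5.1861, tls_record(21, bytes(22))),  # encrypted close_notify; opaque without keys
]

if __name__ == "__main__":
    for line in decode(SAMPLE_STREAM):
        print(line)
```

Running it prints eleven lines that track the trace above, with two differences worth noticing: the encrypted close_notify at the end appears only as "Alert (22 bytes ciphertext)", which is what any sniffer sees without the server key, and the ClientHello/ServerHello lines carry the version and cipher-suite detail that ssldump reserves for -a. A stream that is not TLS (an HTTP request, say) is rejected at the first record header rather than being buffered forever, and bytes left over at the end of the capture are reported instead of silently dropped.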

Shameless Plug
--------------
Extremely detailed coverage of SSL/TLS can be found in 

SSL and TLS: Designing and Building Secure Systems 
Eric Rescorla 
Addison-Wesley, 2001 
ISBN 0-201-61598-3 

SSL and TLS makes extensive use of ssldump to demonstrate real-life
SSL behavior. If you like ssldump and want to learn about SSL, you
might consider buying my book. 

(http://www.rtfm.com/sslbook)

The ssldump homepage is located at:

	http://www.rtfm.com/ssldump/