ssldump - (de-facto repository gathering patches around the cyberspace)
This repository is composed of the original SSLDUMP 0.9b3 + a myriad of patches (from Debian and other distributions) + contributions via PR
ssldump is an SSLv3/TLS network protocol analyzer. It identifies TCP connections on the chosen network interface and attempts to interpret them as SSLv3/TLS traffic. When it identifies SSLv3/TLS traffic, it decodes the records and displays them in a textual form to stdout. If provided with the appropriate keying material, it will also decrypt the connections and display the application data traffic. It also includes a JSON output option, supports JA3 and IPv6.
./ssldump -j -ANH -n -i any | jq
will run ssldump on all interfaces and output the result in JSON format including ja3 hashes.
For more details, check the man page.
This example will query ja3er.com service to display the known ja3 hashes from the TLS handshaked in the pcap.
./ssldump -r yourcapture.pcap -j | jq -r 'select(.ja3_fp != null) | .ja3_fp' | parallel 'curl -s -X GET 'https://ja3er.com/search/{}' | jq .'
Because it’s a mess. The software maintenance process for old free (unmaintained) software like ssldump is a complete chaotic process. I do this to ease my pain and this could help other too (but this is just a collateral damage).
Install dependencies on Debian & Ubuntu (as root):
apt install build-essential git cmake ninja-build libssl-dev libpcap-dev libnet1-dev libjson-c-dev
On Fedora, CentOS, RHEL & Rocky (as root):
dnf install git cmake ninja-build gcc openssl-devel libpcap-devel libnet-devel json-c-devel
On OpenBSD (as root):
pkg_add git cmake ninja json-c libnet
On FreeBSD (as root):
pkg install git cmake ninja json-c libnet
On MacOS (as root):
brew install cmake ninja openssl@3 libpcap libnet json-c
Compile & install:
git clone https://github.com/adulau/ssldump.git
cd ssldump
cmake -G Ninja -B build
ninja -C build
./build/ssldump -v
(optional, as root) ninja -C build install
The “save to pcap” (-w) option by @ryabkov, is heavily based on the work of @droe on https://github.com/droe/sslsplit .
The contributing policy is simple. If you have a patch to propose, make a pull-request via the interface. If the patch works for me, it’s merged.