Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time
August 4, 2022 13:01
April 4, 2023 14:31
January 31, 2015 10:13
August 27, 2020 16:20
August 27, 2020 16:20
January 31, 2015 10:13
January 31, 2015 10:13
August 27, 2020 16:20
October 3, 2020 13:16
April 9, 2023 10:58
October 3, 2020 10:32
August 27, 2020 16:20
April 12, 2021 21:30

ssldump - (de-facto repository gathering patches around the cyberspace)

Build CI CodeQL analysis

Release and tagging

  • Current version of ssldump is v1.7 (released: 2023-04-09) - ChangeLog

What about the original ssldump?

This repository is composed of the original SSLDUMP 0.9b3 + a myriad of patches (from Debian and other distributions) + contributions via PR

ssldump is an SSLv3/TLS network protocol analyzer. It identifies TCP connections on the chosen network interface and attempts to interpret them as SSLv3/TLS traffic. When it identifies SSLv3/TLS traffic, it decodes the records and displays them in a textual form to stdout. If provided with the appropriate keying material, it will also decrypt the connections and display the application data traffic. It also includes a JSON output option, supports JA3 and IPv6.

How to do I run ssldump?

./ssldump -j -ANH -n -i any | jq will run ssldump on all interfaces and output the result in JSON format including ja3 hashes.

For more details, check the man page.

How can I lookup ja3 hashes?

This example will query service to display the known ja3 hashes from the TLS handshaked in the pcap.

ssldump -r yourcapture.pcap -j | jq -r 'select(.ja3_fp != null) | .ja3_fp' | parallel 'curl -s -X GET '{}' | jq .'

Why do you maintain this repository?

Because it's a mess. The software maintenance process for old free (unmaintained) software like ssldump is a complete chaotic process. I do this to ease my pain and this could help other too (but this is just a collateral damage).

Where ssldump is used?

Where ssldump is available?

Build instructions

On Debian & Ubuntu:

apt install build-essential autoconf libssl-dev libpcap-dev libnet1-dev libjson-c-dev
./configure --prefix=/usr/local
(optional) make install

On Fedora, CentOS, RHEL & Rocky:

dnf install autoconf automake gcc make openssl-devel libpcap-devel libnet-devel json-c-devel
./configure --prefix=/usr/local
(optional) make install

Optional configuration features (aka ./configure options):

  --disable-optimization  disable compiler optimizations (change from -O2 to -O0)
  --enable-debug	  enable debug info (add "-g -DDEBUG" to CFLAGS)
  --enable-asan		  enable AddressSanitizer and other checks
	add "-fsanitize=address,undefined,leak -Wformat -Werror=format-security
		-Werror=array-bounds" to CFLAGS
	use libasan with GCC and embedded ASAN with Clang

Configuration examples:

- Use GCC with libasan, debug info and custom CFLAGS:
	./configure CC=/usr/bin/gcc --enable-asan --enable-debug CFLAGS="-Wall"

- Use Clang with ASAN and no optimizations (-O0)
	./configure CC=/usr/bin/clang --enable-asan --disable-optimization


The "save to pcap" (-w) option by @ryabkov, is heavily based on the work of @droe on .


The contributing policy is simple. If you have a patch to propose, make a pull-request via the interface. If the patch works for me, it's merged.