tks98 / snoopy

Inspect SSL/TLS traffic using eBPF
MIT License

snoopy

Overview

Snoopy is a tool for tracing and monitoring SSL/TLS connections in applications that use common SSL libraries. It attaches eBPF uprobes to the libraries' SSL functions and collects call metadata and message contents at the point where the application hands the data to the library in plaintext, so Snoopy can monitor SSL traffic without performing any decryption itself.

Snoopy supports inspecting traffic from applications that use OpenSSL (libssl.so) or GnuTLS (libgnutls.so).

Building

Snoopy relies on gobpf, the Go bindings for bcc. You will need to install libbcc built for your specific kernel.

go build -o snoopy

Usage

Snoopy supports two optional flags, --json and --pid.

sudo ./snoopy --json --pid 1337

Example

sudo snoopy --json --pid 1716580

{
    "function": "SSL_READ",
    "process_name": "curl",
    "elapsed_time": 0.022584,
    "pid": 1716580,
    "tid": 1716580,
    "message_size": 1369,
    "result": 0,
    "tls_content": "106.8,\"High\":58335.1...."
}

With both flags set, Snoopy prints TLS information in JSON format only for the given process ID (1337 in the usage line above). If neither flag is supplied, Snoopy displays all intercepted SSL/TLS traffic from every process that uses the OpenSSL library in a tabular form.

sudo snoopy

[ TLS Message Information ]
+--------------+-----------------+
| DESCRIPTION  | VALUE           |
+--------------+-----------------+
| Timestamp    | 23:26:54.337542 |
| Function     | SSL_READ        |
| Process Name | curl            |
| PID          | 1719190         |
| TID          | 1719190         |
| Message Size | 1369 bytes      |
+--------------+-----------------+
[ TLS Content ]
Open":0.2,"High":0.5,"ChangePercentFromLastMonth":..."}
...
[ End of TLS Message ]
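The JSON records above are convenient to post-process. The following Go program is an added example, not part of Snoopy itself: it reads a stream of `--json` records from stdin (the field names are those in the example output; the `SSL_WRITE` function name and all sample values in `sampleStream` are constructed, not captured), aggregates message counts and bytes per PID and per hooked function, and ranks processes by total bytes so an operator can see at a glance which processes on a host are moving the most TLS plaintext.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// Record mirrors one JSON object emitted by `snoopy --json`
// (field names taken from the README example output).
type Record struct {
	Function    string  `json:"function"`
	ProcessName string  `json:"process_name"`
	ElapsedTime float64 `json:"elapsed_time"`
	PID         int     `json:"pid"`
	TID         int     `json:"tid"`
	MessageSize int     `json:"message_size"`
	Result      int     `json:"result"`
	TLSContent  string  `json:"tls_content"`
}

// ProcStats accumulates per-process totals, split by hooked function.
type ProcStats struct {
	ProcessName string
	PID         int
	Count       map[string]int // records seen per function name
	Bytes       map[string]int // message_size summed per function name
}

// Summarize decodes a stream of JSON objects (pretty-printed or one per
// line; json.Decoder accepts either) and aggregates them per PID.
func Summarize(r io.Reader) (map[int]*ProcStats, error) {
	dec := json.NewDecoder(r)
	stats := make(map[int]*ProcStats)
	for {
		var rec Record
		err := dec.Decode(&rec)
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, fmt.Errorf("decoding snoopy record: %w", err)
		}
		s, ok := stats[rec.PID]
		if !ok {
			s = &ProcStats{ProcessName: rec.ProcessName, PID: rec.PID,
				Count: map[string]int{}, Bytes: map[string]int{}}
			stats[rec.PID] = s
		}
		s.Count[rec.Function]++
		s.Bytes[rec.Function] += rec.MessageSize
	}
	return stats, nil
}

// TotalBytes sums bytes over every hooked function for one process.
func TotalBytes(s *ProcStats) int {
	n := 0
	for _, b := range s.Bytes {
		n += b
	}
	return n
}

// TopByBytes returns the PIDs ordered by total bytes, largest first
// (ties broken by ascending PID so the order is deterministic).
func TopByBytes(stats map[int]*ProcStats) []int {
	pids := make([]int, 0, len(stats))
	for pid := range stats {
		pids = append(pids, pid)
	}
	sort.Slice(pids, func(i, j int) bool {
		ti, tj := TotalBytes(stats[pids[i]]), TotalBytes(stats[pids[j]])
		if ti != tj {
			return ti > tj
		}
		return pids[i] < pids[j]
	})
	return pids
}

// sampleStream is constructed input in the shape of the README example;
// the SSL_WRITE record and the wget process are invented for the demo.
const sampleStream = `
{"function": "SSL_READ", "process_name": "curl", "elapsed_time": 0.022584, "pid": 1716580, "tid": 1716580, "message_size": 1369, "result": 0, "tls_content": "(content omitted)"}
{"function": "SSL_WRITE", "process_name": "curl", "elapsed_time": 0.000120, "pid": 1716580, "tid": 1716580, "message_size": 78, "result": 0, "tls_content": "(content omitted)"}
{"function": "SSL_READ", "process_name": "wget", "elapsed_time": 0.031000, "pid": 1719190, "tid": 1719190, "message_size": 4096, "result": 0, "tls_content": "(content omitted)"}
`

func main() {
	// `go run . --demo` uses the constructed sample; otherwise pipe
	// `sudo snoopy --json | go run .` to summarize a live capture.
	var in io.Reader = os.Stdin
	if len(os.Args) > 1 && os.Args[1] == "--demo" {
		in = strings.NewReader(sampleStream)
	}
	stats, err := Summarize(in)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, pid := range TopByBytes(stats) {
		s := stats[pid]
		fmt.Printf("%-8s pid=%-8d total=%6d bytes", s.ProcessName, s.PID, TotalBytes(s))
		for fn, n := range s.Count {
			fmt.Printf("  %s: %d msgs/%d bytes", fn, n, s.Bytes[fn])
		}
		fmt.Println()
	}
}
```

`json.Decoder` is used rather than a line-oriented reader because Snoopy's example output is pretty-printed across several lines; the decoder consumes one object at a time regardless of whitespace, so the same code handles both layouts.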

Contributing

Feel free to create issues for bugs and feature requests, or make pull requests to improve the utility.

License

This project is licensed under the MIT License.

References