snooper.jar is a JAR file that contains a Java program that I wrote when trying to work out what was going on between a client and server who were talking SSL.
Note that if you want to use this JAR file on VMS, you'll need to say:
$ set file/attr=(rfm:stmlf,rat:cr) snooper.jar
before using it.
The program has GUI and non-GUI modes, and sits between a client and a server, displaying and attempting to decode all the messages that they exchange, but without their knowledge.
As well as decoding SSL protocol, the program can also decode LDAP messages, and also has generic ASN.1 and Hex decoders built in.
The program works with Java 1.2 or later. To run the GUI on UNIX or VMS, you'll have to direct your DISPLAY appropriately.
To run the "console" version of the program, use:
$ java -cp snooper.jar com.nickoh.snooper.ConsoleSnoop [server] [server-port] [port]
where [server] and [server-port] name the real server that connections are redirected to, and [port] is the local port on which the program listens for clients.
The program will ask you what kind of decoder you want to use, and then will sit waiting for any client requests to appear. You exit the program by typing RETURN.
To run the "GUI" version of the program, use:
$ java -jar snooper.jar
--hopefully it should be clear what you have to do.
Below is an example of what the output looks like. After setting the program up to run on "finky", I ran the server on "finky" specifying a port of 6000, and then ran the client telling it to talk to "finky:5000".
java -cp snooper.jar com.nickoh.snooper.ConsoleSnoop finky 6000 5000
Please choose decoder type (0 for exit)
  1 : Hex/ASCII dump
  2 : ASN.1 Decoder
  3 : LDAP Decoder
  4 : SSL Decoder
Decoder ? 4
listening on 5000, will redirect to finky:6000
Type ENTER to terminate the program :
31-May-2002 15:02:21.706 : finky.nickoh.com has requested a connection
31-May-2002 15:02:21.734 : Message from finky.nickoh.com to finky:6000
SSLV3_HANDSHAKE :
  Version : 1
  Length : 0x3f
  Handshake #1 :
    Handshake type : ClientHello (SSL3_MT_CLIENT_HELLO)
    Version : 3
    client rand val : 3CF790C0CA54DE37C3A00E4BA0D794CBDE0EB6D92AB2523AEE70B593ABF6FC3D
    Session id (size 0x0) :
    Client proposes 10 cipher suites :
      #1 : SSL3 DES-CBC3-SHA
      #2 : SSL3 NULL-MD5
      #3 : SSL3 DES-CBC-SHA
      #4 : SSL3 NULL-SHA
      #5 : SSL3 EXP-RC4-MD5
      #6 : SSL3 EDH-DSS-DES-CBC-SHA
      #7 : SSL3 EXP-EDH-DSS-DES-CBC-SHA
      #8 : SSL3 EDH-DSS-DES-CBC3-SHA
      #9 : SSL3 RC4-MD5
      #10 : SSL3 RC4-SHA
    Client proposes 1 compression methods
      #1 : 1
31-May-2002 15:02:21.930 : Message from finky:6000
SSLV3_HANDSHAKE :
  Version : 1
  Length : 0x3ef
  Handshake #1 :
    Handshake type : ServerHello (SSL3_MT_SERVER_HELLO)
    Version : 3
    server rand val : 3C F7 90 C0 B5 EB BA 31 7A 7B B8 E4 E7 28 FD 71 FB D5 40 EB 49 4A D5 35 7E 1B 54 96 EB F9 4F F0
    Session id (size 0x20) :
      0000 : <  w  .  @  .  !  >  .  I  W  {  >  .  N  m  K
      0000 : 3C F7 90 C0 88 21 BE 96 C9 D7 FB 3E 19 CE 6D 4B
      0010 : @  x  9  .  Q  V  .  3  .  5  .  .  Z  .  i  9
      0010 : 40 F8 39 13 D1 56 19 33 00 35 9E 99 DA 8B 69 B9
    Server chooses cipher : SSL3 EDH-DSS-DES-CBC-SHA
    Server chooses compression : 0
  Handshake #2 :
    Handshake type : Certificate (SSL3_MT_CERTIFICATE)
    Certificate chain length : 605
    Certificate #1 :
    [
    [
      Version: V1
      Subject: CN=#0C066A5F63657274
      Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3
      Key: Sun DSA Public Key
        Parameters:DSA
        p:
          fd7f5381 1d751229 52df4a9c 2eece4e7 f611b752 3cef4400 c31e3f80 b6512669
          455d4022 51fb593d 8d58fabf c5f5ba30 f6cb9b55 6cd7813b 801d346f f26660b7
          6b9950a5 a49f9fe8 047b1022 c24fbba9 d7feb7c6 1bf83b57 e7c6a8a6 150f04fb
          83f6d3c5 1ec30235 54135a16 9132f675 f3ae2b61 d72aeff2 2203199d d14801c7
        q:
          9760508f 15230bcc b292b982 a2eb840b f0581cf5
        g:
          f7e1a085 d69b3dde cbbcab5c 36b857b9 7994afbb fa3aea82 f9574c0b 3d078267
          5159578e bad4594f e6710710 8180b449 167123e8 4c281613 b7cf0932 8cc8a6e1
          3c167a8b 547c8d28 e0a3ae1e 2bb3a675 916ea37f 0bfa2135 62f1fb62 7a01243b
          cca4f1be a8519089 a883dfe1 5ae59f06 928b665e 807b5525 64014c3b fecf492a
        y:
          3173307b 877f606f eb90b473 963d8c43 ed1f54ae ed88ff57 251a3805 4e11a36f
          b1c762fc 27150ff8 1c1d886d d65aeae0 04134e32 3c1a7498 09327674 f9617813
          8dc17f1b 91d00f98 5aeca363 02dcbfbd 8a3a8460 ada5b22c 4bc77db4 f5a5e01d
          27dc7ea6 a1df04d5 d970be0d 4922d7fc 9c3e5e47 05bae336 592b935f 1635465a
      Validity: [From: Fri May 31 10:59:32 GMT+00:00 2002,
                 To: Thu Aug 29 10:59:32 GMT+00:00 2002]
      Issuer: CN=#0C066A5F63657274
      SerialNumber: [ 3cf75794 ]
    ]
      Algorithm: [SHA1withDSA]
      Signature:
      0000: 30 2C 02 14 40 0B 38 82 CD EB 2D 62 48 60 8C F1  0,..@.8...-bH`..
      0010: 3A A5 CB 6F A2 7A EB CB 02 14 70 20 F9 5B A4 0C  :..o.z....p .[..
      0020: 17 22 8D 89 06 5E BF F8 E0 FB 02 94 65 A0        ."...^......e.
    ]
    ==============================================
  Handshake #3 :
    Handshake type : ServerKeyExchange (SSL3_MT_SERVER_KEY_EXCHANGE)
    message format depends on cryptographic algorithms being used --- at present, full decoding of ServerKeyExchange is NYI
  Handshake #4 :
    Handshake type : ServerHelloDone (SSL3_MT_SERVER_DONE)
31-May-2002 15:02:22.132 : Message from finky.nickoh.com to finky:6000
SSLV3_HANDSHAKE :
  Version : 1
  Length : 0x87
  Handshake #1 :
    Handshake type : ClientKeyExchange (SSL3_MT_CLIENT_KEY_EXCHANGE)
    Length of data : 131 bytes
31-May-2002 15:02:22.326 : Message from finky.nickoh.com to finky:6000
SSLV3 Change Cipher Spec :
  Version : 3
  CCS : 1
31-May-2002 15:02:22.326 : Message from finky.nickoh.com to finky:6000
SSLV3_HANDSHAKE :
  Version : 1
  Length : 0x28
  Handshake #1 :
    Handshake type : unknown handshake type (171)
31-May-2002 15:02:22.340 : Message from finky:6000
SSLV3 Change Cipher Spec :
  Version : 3
  CCS : 1
31-May-2002 15:02:22.525 : Message from finky:6000
SSLV3_HANDSHAKE :
  Version : 1
  Length : 0x28
  Handshake #1 :
    Handshake type : unknown handshake type (40)
31-May-2002 15:02:22.552 : Message from finky.nickoh.com to finky:6000
SSLV3_Application data :
  Version : 1
  Length : 0x38
31-May-2002 15:02:22.558 : Message from finky:6000
SSLV3_Application data :
  Version : 1
  Length : 0x60
31-May-2002 15:02:22.562 : Message from finky:6000
SSLV3_ALERT :
  Version : 3
  ---contents of alert appear to be encrypted
Connection shut down by finky at 31-May-2002 15:02:22.570
ConsoleSnoop exiting
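As an added illustration (not code from snooper.jar), here is a small Python decoder for what the SSL decoder prints for the first client message above: the 5-byte record header and the ClientHello fields (version, random, session id, cipher suites, compression methods). The cipher-suite ids are the standard SSL3 assignments for the suite names shown, and the sample record is constructed to match that message, so its record length comes out as 0x3f like the dump.

```python
import struct

SUITE_NAMES = {  # standard ids for the SSL3 suite names shown in the dump above
    0x000A: "SSL3 DES-CBC3-SHA", 0x0001: "SSL3 NULL-MD5", 0x0009: "SSL3 DES-CBC-SHA",
    0x0002: "SSL3 NULL-SHA", 0x0003: "SSL3 EXP-RC4-MD5", 0x0012: "SSL3 EDH-DSS-DES-CBC-SHA",
    0x0011: "SSL3 EXP-EDH-DSS-DES-CBC-SHA", 0x0013: "SSL3 EDH-DSS-DES-CBC3-SHA",
    0x0004: "SSL3 RC4-MD5", 0x0005: "SSL3 RC4-SHA"}
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange", 14: "ServerHelloDone"}

def parse_record(buf):
    """Split one record off the front of buf: 5-byte header (type, version, length) + body."""
    ctype, major, minor, length = struct.unpack("!BBBH", buf[:5])  # struct.error if header short
    if len(buf) < 5 + length:
        raise ValueError("truncated record body")
    return ({"type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
             "version": (major, minor), "length": length, "body": buf[5:5 + length]},
            buf[5 + length:])

def parse_client_hello(body):
    """Decode a ClientHello handshake message into the fields the snooper prints."""
    htype, hlen = body[0], int.from_bytes(body[1:4], "big")
    if htype != 1 or len(body) < 4 + hlen:
        raise ValueError("not a complete ClientHello")
    p = 4
    version = (body[p], body[p + 1]); p += 2
    rand = body[p:p + 32]; p += 32
    sid_len = body[p]; p += 1
    session_id = body[p:p + sid_len]; p += sid_len
    cs_len = struct.unpack("!H", body[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(p, p + cs_len, 2)]; p += cs_len
    comps = list(body[p + 1:p + 1 + body[p]])  # one length byte, then the method ids
    return {"handshake": HANDSHAKE_TYPES.get(htype), "version": version,
            "random": rand.hex().upper(), "session_id": session_id.hex(),
            "cipher_suites": [SUITE_NAMES.get(s, f"0x{s:04X}") for s in suites],
            "compression": comps}

# Constructed sample: a record laid out like the first client message in the dump above
# (the page's client random, empty session id, the same 10 suites, one compression method).
_RANDOM = bytes.fromhex("3CF790C0CA54DE37C3A00E4BA0D794CBDE0EB6D92AB2523AEE70B593ABF6FC3D")
_SUITES = b"".join(struct.pack("!H", s) for s in
                   (0x000A, 0x0001, 0x0009, 0x0002, 0x0003, 0x0012, 0x0011, 0x0013, 0x0004, 0x0005))
_HELLO = b"\x03\x00" + _RANDOM + b"\x00" + struct.pack("!H", len(_SUITES)) + _SUITES + b"\x01\x00"
_HS = b"\x01" + len(_HELLO).to_bytes(3, "big") + _HELLO
SAMPLE_RECORD = b"\x16\x03\x00" + struct.pack("!H", len(_HS)) + _HS  # record length field = 0x3f

def decode_sample():
    rec, rest = parse_record(SAMPLE_RECORD)
    return rec, parse_client_hello(rec["body"]), rest
```

The later messages in the dump (the ones reported as "unknown handshake type" and the encrypted alert) cannot be decoded this way because their contents are protected once Change Cipher Spec has been sent, which is exactly where a passive decoder stops being useful.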