snooper.jar is a JAR file that contains a Java program that I wrote when trying to work out what was going on between a client and server who were talking SSL.
Note that if you want to use this JAR file on VMS, you'll need to say:
$ set file/attr=(rfm:stmlf,rat:cr) snooper.jar
before using it.
The program has GUI and non-GUI modes. It sits between a client and a server, displaying and attempting to decode all the messages they exchange, without either side being aware of it.
As well as decoding the SSL protocol, the program can decode LDAP messages, and it also has generic ASN.1 and hex decoders built in.
The program works with Java 1.2 or later. To run the GUI on UNIX or VMS, you'll have to direct your DISPLAY appropriately.
To run the "console" version of the program, use:
$ java -cp snooper.jar com.nickoh.snooper.ConsoleSnoop [server] [server-port] [port]
where
The program will ask you what kind of decoder you want to use, and then will sit waiting for any client requests to appear. You exit the program by typing RETURN.
To run the "GUI" version of the program, use:
$ java -jar snooper.jar
Hopefully it should be clear what you have to do.
Below is an example of what the output looks like. After setting the program up to run on "finky", I ran the server on "finky" specifying a port of 6000, and then ran the client telling it to talk to "finky:5000".
java -cp snooper.jar com.nickoh.snooper.ConsoleSnoop finky 6000 5000
Please choose decoder type (0 for exit)
1 : Hex/ASCII dump
2 : ASN.1 Decoder
3 : LDAP Decoder
4 : SSL Decoder
Decoder ? 4
listening on 5000, will redirect to finky:6000
Type ENTER to terminate the program :
31-May-2002 15:02:21.706 : finky.nickoh.com has requested a connection
31-May-2002 15:02:21.734 : Message from finky.nickoh.com to finky:6000
SSLV3_HANDSHAKE :
Version : 1
Length : 0x3f
Handshake #1 :
Handshake type : ClientHello (SSL3_MT_CLIENT_HELLO)
Version : 3
client rand val : 3CF790C0CA54DE37C3A00E4BA0D794CBDE0EB6D92AB2523AEE70B593ABF6FC3D
Session id (size 0x0) :
Client proposes 10 cipher suites :
#1 : SSL3 DES-CBC3-SHA
#2 : SSL3 NULL-MD5
#3 : SSL3 DES-CBC-SHA
#4 : SSL3 NULL-SHA
#5 : SSL3 EXP-RC4-MD5
#6 : SSL3 EDH-DSS-DES-CBC-SHA
#7 : SSL3 EXP-EDH-DSS-DES-CBC-SHA
#8 : SSL3 EDH-DSS-DES-CBC3-SHA
#9 : SSL3 RC4-MD5
#10 : SSL3 RC4-SHA
Client proposes 1 compression methods
#1 : 1
31-May-2002 15:02:21.930 : Message from finky:6000
SSLV3_HANDSHAKE :
Version : 1
Length : 0x3ef
Handshake #1 :
Handshake type : ServerHello (SSL3_MT_SERVER_HELLO)
Version : 3
server rand val : 3C F7 90 C0 B5 EB BA 31 7A 7B B8 E4 E7 28 FD 71 FB D5 40 EB 49 4A D5 35 7E 1B 54 96 EB F9 4F F0
Session id (size 0x20) :
0000 : < w . @ . ! > . I W { > . N m K
0000 : 3C F7 90 C0 88 21 BE 96 C9 D7 FB 3E 19 CE 6D 4B
0010 : @ x 9 . Q V . 3 . 5 . . Z . i 9
0010 : 40 F8 39 13 D1 56 19 33 00 35 9E 99 DA 8B 69 B9
Server chooses cipher : SSL3 EDH-DSS-DES-CBC-SHA
Server chooses compression : 0
Handshake #2 :
Handshake type : Certificate (SSL3_MT_CERTIFICATE)
Certificate chain length : 605
Certificate #1 :
[
[
Version: V1
Subject: CN=#0C066A5F63657274
Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3
Key: Sun DSA Public Key
Parameters:DSA
p: fd7f5381 1d751229 52df4a9c 2eece4e7 f611b752 3cef4400 c31e3f80 b6512669
455d4022 51fb593d 8d58fabf c5f5ba30 f6cb9b55 6cd7813b 801d346f f26660b7
6b9950a5 a49f9fe8 047b1022 c24fbba9 d7feb7c6 1bf83b57 e7c6a8a6 150f04fb
83f6d3c5 1ec30235 54135a16 9132f675 f3ae2b61 d72aeff2 2203199d d14801c7
q: 9760508f 15230bcc b292b982 a2eb840b f0581cf5
g: f7e1a085 d69b3dde cbbcab5c 36b857b9 7994afbb fa3aea82 f9574c0b 3d078267
5159578e bad4594f e6710710 8180b449 167123e8 4c281613 b7cf0932 8cc8a6e1
3c167a8b 547c8d28 e0a3ae1e 2bb3a675 916ea37f 0bfa2135 62f1fb62 7a01243b
cca4f1be a8519089 a883dfe1 5ae59f06 928b665e 807b5525 64014c3b fecf492a
y:
3173307b 877f606f eb90b473 963d8c43 ed1f54ae ed88ff57 251a3805 4e11a36f
b1c762fc 27150ff8 1c1d886d d65aeae0 04134e32 3c1a7498 09327674 f9617813
8dc17f1b 91d00f98 5aeca363 02dcbfbd 8a3a8460 ada5b22c 4bc77db4 f5a5e01d
27dc7ea6 a1df04d5 d970be0d 4922d7fc 9c3e5e47 05bae336 592b935f 1635465a
Validity: [From: Fri May 31 10:59:32 GMT+00:00 2002,
To: Thu Aug 29 10:59:32 GMT+00:00 2002]
Issuer: CN=#0C066A5F63657274
SerialNumber: [ 3cf75794 ]
]
Algorithm: [SHA1withDSA]
Signature:
0000: 30 2C 02 14 40 0B 38 82 CD EB 2D 62 48 60 8C F1 0,..@.8...-bH`..
0010: 3A A5 CB 6F A2 7A EB CB 02 14 70 20 F9 5B A4 0C :..o.z....p .[..
0020: 17 22 8D 89 06 5E BF F8 E0 FB 02 94 65 A0 ."...^......e.
] ==============================================
Handshake #3 :
Handshake type : ServerKeyExchange (SSL3_MT_SERVER_KEY_EXCHANGE)
message format depends on cryptographic algorithms being used
--- at present, full decoding of ServerKeyExchange is NYI
Handshake #4 :
Handshake type : ServerHelloDone (SSL3_MT_SERVER_DONE)
31-May-2002 15:02:22.132 : Message from finky.nickoh.com to finky:6000
SSLV3_HANDSHAKE :
Version : 1
Length : 0x87
Handshake #1 :
Handshake type : ClientKeyExchange (SSL3_MT_CLIENT_KEY_EXCHANGE)
Length of data : 131 bytes
31-May-2002 15:02:22.326 : Message from finky.nickoh.com to finky:6000
SSLV3 Change Cipher Spec :
Version : 3
CCS : 1
31-May-2002 15:02:22.326 : Message from finky.nickoh.com to finky:6000
SSLV3_HANDSHAKE :
Version : 1
Length : 0x28
Handshake #1 :
Handshake type : unknown handshake type (171)
31-May-2002 15:02:22.340 : Message from finky:6000
SSLV3 Change Cipher Spec :
Version : 3
CCS : 1
31-May-2002 15:02:22.525 : Message from finky:6000
SSLV3_HANDSHAKE :
Version : 1
Length : 0x28
Handshake #1 :
Handshake type : unknown handshake type (40)
31-May-2002 15:02:22.552 : Message from finky.nickoh.com to finky:6000
SSLV3_Application data :
Version : 1
Length : 0x38
31-May-2002 15:02:22.558 : Message from finky:6000
SSLV3_Application data :
Version : 1
Length : 0x60
31-May-2002 15:02:22.562 : Message from finky:6000
SSLV3_ALERT :
Version : 3
---contents of alert appear to be encrypted
Connection shut down by finky at 31-May-2002 15:02:22.570
ConsoleSnoop exiting
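As an added example (not code from snooper.jar), the following Python decodes the plaintext SSLv3 ClientHello record shown at the start of the capture above and produces the same fields the SSL decoder prints (version, random, session id, cipher suites, compression); the sample record is rebuilt from the capture's values, and the cipher suite code table is an assumption of the example.

```python
import struct

# OpenSSL-style names for the SSL3 cipher suite codes listed in the capture above
CIPHER_SUITES = {
    0x000A: "DES-CBC3-SHA", 0x0001: "NULL-MD5", 0x0009: "DES-CBC-SHA",
    0x0002: "NULL-SHA", 0x0003: "EXP-RC4-MD5", 0x0012: "EDH-DSS-DES-CBC-SHA",
    0x0011: "EXP-EDH-DSS-DES-CBC-SHA", 0x0013: "EDH-DSS-DES-CBC3-SHA",
    0x0004: "RC4-MD5", 0x0005: "RC4-SHA",
}

def decode_client_hello(data):
    """Decode an SSLv3 handshake record (content type 22) carrying a ClientHello.
    Record header: type, 2-byte version, 2-byte length. Handshake header: type,
    3-byte length. ClientHello: version, 32-byte random, then length-prefixed
    session id, cipher suite list and compression method list."""
    ctype, rmajor, rminor, rlen = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + rlen]
    if ctype != 22 or len(body) != rlen:
        raise ValueError("not a complete handshake record")
    htype, hlen = body[0], int.from_bytes(body[1:4], "big")
    msg = body[4:4 + hlen]
    if htype != 1 or len(msg) != hlen:
        raise ValueError("not a complete ClientHello")
    sid_len = msg[34]
    pos = 35 + sid_len
    cs_len = int.from_bytes(msg[pos:pos + 2], "big")
    suites = [int.from_bytes(msg[i:i + 2], "big") for i in range(pos + 2, pos + 2 + cs_len, 2)]
    pos += 2 + cs_len
    methods = list(msg[pos + 1:pos + 1 + msg[pos]])
    return {"record_length": rlen, "version": (msg[0], msg[1]),
            "random": msg[2:34].hex().upper(), "session_id": msg[35:35 + sid_len].hex(),
            "cipher_suites": [CIPHER_SUITES.get(c, "unknown 0x%04x" % c) for c in suites],
            "compression": methods}

def build_client_hello(rand, suites, methods=(0,)):
    """Constructed sample builder: wrap a ClientHello in an SSLv3 handshake record."""
    msg = b"\x03\x00" + rand + b"\x00" + struct.pack("!H", 2 * len(suites))
    msg += b"".join(struct.pack("!H", s) for s in suites)
    msg += bytes([len(methods)]) + bytes(methods)
    hs = b"\x01" + len(msg).to_bytes(3, "big") + msg
    return b"\x16\x03\x00" + struct.pack("!H", len(hs)) + hs

# Rebuild the ClientHello from the capture above (same random value and suite order)
SAMPLE = build_client_hello(
    bytes.fromhex("3CF790C0CA54DE37C3A00E4BA0D794CBDE0EB6D92AB2523AEE70B593ABF6FC3D"),
    [0x000A, 0x0001, 0x0009, 0x0002, 0x0003, 0x0012, 0x0011, 0x0013, 0x0004, 0x0005])

if __name__ == "__main__":
    for field, value in decode_client_hello(SAMPLE).items():
        print(field, ":", value)
```

Only records before the Change Cipher Spec can be decoded this way: from that point the handshake bodies are ciphertext, so the type byte a decoder reads there (the "unknown handshake type" lines above) is not a real handshake type, and the alert at the end is likewise unreadable.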