sslsnoop.bt(8) System Manager's Manual sslsnoop.bt(8)
NAME
sslsnoop.bt - Show SSL/TLS handshake events. Uses bpftrace/eBPF.
SYNOPSIS
sslsnoop.bt
DESCRIPTION
sslsnoop traces OpenSSL handshake functions, and shows latency and re-
turn value. This can be used to analyze SSL/TLS performance.
This tool works by dynamic tracing the uprobes in OpenSSL and related
crypto libs, and may need updating to match future changes to these
functions.
Since this uses BPF, only the root user can use this tool.
REQUIREMENTS
CONFIG_BPF and bpftrace.
EXAMPLES
Trace SSL/TLS handshake events, printing per-line summaries:
# sslsnoop.bt
FIELDS
TIME(us)
Time of the call completion, in microseconds since program
start.
TID Thread ID.
COMM Process name.
LAT(us)
Latency of the call, in microseconds.
RET Return value of the call.
FUNC Function name.
OVERHEAD
SSL/TLS handshake usually contains network latency and the traced
crypto functions are CPU intensive tasks, so call frequency should be
low and the overhead of this tool is expected to be negligible.
SOURCE
This is from bpftrace.
https://github.com/iovisor/bpftrace
Also look in the bpftrace distribution for a companion _examples.txt
file containing example usage, output, and commentary for this tool.
There is a bcc tool sslsniff that can show SSL/TLS handshake event la-
tency before sniffing the plaintext in SSL_read/write. This tool pro-
vides more detailed crypto latency distribution during the handshake
event.
https://github.com/iovisor/bcc
OS
Linux
STABILITY
Unstable - in development.
AUTHOR
Tao Xu
SEE ALSO
biosnoop.bt(8)
USER COMMANDS 2021-12-28 sslsnoop.bt(8)
Generated by dwww version 1.16 on Tue Dec 16 17:02:43 CET 2025.