path: root/net/ssldump/files/patch-ssldump.1
blob: 2973ae408848fa43e99eaf3613e67030ee0f2e54
--- ssldump.1.orig	2002-08-13 06:46:53.000000000 +0700
+++ ssldump.1	2008-01-29 21:49:33.000000000 +0600
@@ -61,12 +61,9 @@
 .na
 .B ssldump
 [
-.B \-vtaTnsAxXhHVNdq
+.B \-vTshVq
+.B \-aAdeHnNqTxXvy
 ] [
-.B \-r
-.I dumpfile
-]
-[
 .B \-i
 .I interface
 ]
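Review bot: The two new flag groups in the synopsis overlap and drop an option. `q`, `T` and `v` appear in both `\-vTshVq` and `\-aAdeHnNqTxXvy`, while the `t` from the old `\-vtaTnsAxXhHVNdq` is in neither, so either restore it or confirm that the option is gone. Listing each letter once in a single group would make the synopsis easier to check against OPTIONS.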
@@ -81,6 +78,16 @@
 .I password
 ]
 [
+.B \-r
+.I dumpfile
+]
+.br
+.ti +8
+[ 
+.B \-S 
+.RI [\| crypto \||\| d \||\| ht \||\| H \||\| nroff \|] 
+]
+[
 .I expression
 ]
 .br
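Review bot: The `-S` synopsis line lists five values (`crypto`, `d`, `ht`, `H`, `nroff`), but the `-S` entry this patch adds under OPTIONS describes only the first four. Either document `nroff` there or drop it from the synopsis. The three added lines `[ `, `.B \-S ` and the `.RI` line also end in trailing whitespace.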
@@ -125,6 +132,7 @@
 You must have read access to
 .IR /dev/bpf* .
 .SH OPTIONS
+.TP
 .B \-a
 Print bare TCP ACKs (useful for observing Nagle behavior)
 .TP
@@ -135,7 +143,7 @@
 .B \-d
 Display the application data traffic. This usually means
 decrypting it, but when -d is used ssldump will also decode
-application data traffic _before_ the SSL session initiates.
+application data traffic \fIbefore\fP the SSL session initiates.
 This allows you to see HTTPS CONNECT behavior as well as
 SMTP STARTTLS. As a side effect, since ssldump can't tell
 whether plaintext is traffic before the initiation of an
@@ -148,18 +156,9 @@
 .B \-e
 Print absolute timestamps instead of relative timestamps
 .TP
-.B \-r
-Read data from \fIfile\fP instead of from the network.
-The old -f option still works but is deprecated and will 
-probably be removed with the next version.
 .B \-H
 Print the full SSL packet header.
 .TP
-.B \-k
-Use \fIkeyfile\fP as the location of the SSL keyfile (OpenSSL format)
-Previous versions of ssldump automatically looked in ./server.pem.
-Now you must specify your keyfile every time.
-.TP
 .B \-n 
 Don't try to resolve host names from IP addresses
 .TP
@@ -176,6 +175,12 @@
 .B \-q
 Don't decode any record fields beyond a single summary line. (quiet mode).
 .TP
+.B \-T
+Print the TCP headers.
+.TP
+.B \-v
+Display version and copyright information.
+.TP
 .B \-x
 Print each record in hex, as well as decoding it.
 .TP
@@ -183,13 +188,48 @@
 When the -d option is used, binary data is automatically printed
 in two columns with a hex dump on the left and the printable characters
 on the right. -X suppresses the display of the printable characters,
-thus making it easier to cut and paste the hext data into some other
+thus making it easier to cut and paste the hex data into some other
 program.
+.TP
 .B \-y
-Decorate the output for processing with troff. Not very
+Decorate the output for processing with nroff/troff. Not very
 useful for the average user.
 .TP
-.IP "\fI expression\fP"
+.BI \-i " interface"
+Use \fIinterface\fP as the network interface on which to sniff SSL/TLS
+traffic.
+.TP
+.BI \-k " keyfile"
+Use \fIkeyfile\fP as the location of the SSL keyfile (OpenSSL format)
+Previous versions of ssldump automatically looked in ./server.pem.
+Now you must specify your keyfile every time.
+.TP
+.BI \-p " password"
+Use \fIpassword\fP as the SSL keyfile password.
+.TP
+.BI \-r " file"
+Read data from \fIfile\fP instead of from the network.
+The old -f option still works but is deprecated and will 
+probably be removed with the next version.
+.TP
+.BI \-S " [ " crypto " | " d " | " ht " | " H " ]"
+Specify SSL flags to ssldump.  These flags include:
+.RS
+.TP
+.I crypto
+Print cryptographic information.
+.TP
+.I d
+Print fields as decoded.
+.TP
+.I ht
+Print the handshake type.
+.TP
+.I H
+Print handshake type and highlights.
+.RE
+.TP
+\fIexpression\fP
 .RS
 Selects what packets ssldump will examine. Technically speaking,
 ssldump supports the full expression syntax from PCAP and tcpdump.
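Review bot: In the `-k` entry the first sentence is missing its period after "(OpenSSL format)", carried over unchanged from the removed text; fix it while the block is being moved. The `-r` entry names its argument `file` while the synopsis uses `dumpfile`, so pick one. Since `-p` takes the keyfile password on the command line, the entry could also state that the value is visible to other local users in the process list.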
@@ -200,7 +240,7 @@
 don't result in incomplete TCP streams are listed here. 
 .LP
 The \fIexpression\fP consists of one or more
-.I primitives.
+.IR primitives .
 Primitives usually consist of an
 .I id
 (name or number) preceded by one or more qualifiers.  There are three
@@ -512,5 +552,11 @@
 .LP
 ssldump doesn't implement session caching and therefore can't decrypt
 resumed sessions.
-
-
+.LP
+.SH SEE ALSO
+.LP
+.BR tcpdump (1)
+.LP
+.SH AUTHOR
+.LP
+ssldump was written by Eric Rescorla <ekr@rtfm.com>.
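Review bot: The `.LP` placed directly before `.SH SEE ALSO` and `.SH AUTHOR`, and the one directly after each heading, are redundant, because `.SH` already starts a new paragraph. Dropping them gives the same output with less markup.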