# Synopsis
proc-trace-tls [-achqQsvx] [-l LIB] [-o FILE] [-p PID[,PID,...]]
# Flags
| Flag | Description |
|---|---|
| -c | Force ANSI color output (auto-detected when stdout is a tty) |
| -l LIB | Path to libssl.so. Auto-detected from /proc/maps and common paths if omitted. |
| -o FILE | Append events to FILE instead of stdout |
| -p PID[,...] | Trace only these PIDs (comma-separated). Omit to watch all processes. |
| -q | Suppress startup banner and summary |
| -Q | Suppress error messages to stderr |
| -R | Skip reverse DNS — show raw IP:port instead of resolved hostname |
| -s | Summary/event mode only — one line per SSL call (timestamp · PID · comm · RX/TX · symbol · host) |
| -v | Verbose: print each uprobe as it's registered, with symbol offset |
| -h | Print help and exit |
# Output Format
14:23:01.441 14821 curl RX SSL_read api.github.com:443 14:23:01.442 14821 curl TX SSL_write api.github.com:443 14:23:01.458 14905 python3 TX SSL_write pypi.org:443
| Column | Description |
|---|---|
| timestamp | Wall-clock time of the uprobe event (HH:MM:SS.mmm) |
| PID | Process ID of the calling process |
| comm | Process name (comm from /proc/<pid>/comm) |
| RX / TX | Direction — RX = data received (SSL_read), TX = data sent (SSL_write) |
| symbol | Exact OpenSSL function that fired: SSL_read, SSL_write, SSL_read_ex, SSL_write_ex |
| host | Remote hostname:port — resolved via SNI (SSL_get_servername uprobe) first, then /proc/<pid>/net/tcp + reverse DNS. Use -R to show raw IPs. |
# Examples
Watch all TLS traffic system-wide:
sudo proc-trace-tls
Trace a specific process by PID:
sudo proc-trace-tls -p $(pgrep curl)
Trace multiple processes:
sudo proc-trace-tls -p 1234,5678,9012
Use a custom libssl path:
sudo proc-trace-tls -l /usr/lib64/libssl.so.3
Log events to a file, quiet mode:
sudo proc-trace-tls -sq -o /var/log/tls-events.log
Verbose uprobe registration:
sudo proc-trace-tls -v # proc-trace-tls v0.1.0 # lib : /lib/x86_64-linux-gnu/libssl.so.3 # Registering uprobes on /lib/x86_64-linux-gnu/libssl.so.3... # registered: tls_read_SSL_read @ 0x2e440 # registered: tls_read_SSL_read_ret @ 0x2e440 # registered: tls_write_SSL_write @ 0x2e180 # registered: tls_read_SSL_read_ex @ 0x2e5c0 # Watching 4 probe(s). Press Ctrl-C to stop.
Watch nginx worker processes:
sudo proc-trace-tls -p $(pgrep -d, nginx)