diff --git a/kern/openssl_kern.c b/kern/openssl_kern.c index c2214b22a..1467b1505 100644 --- a/kern/openssl_kern.c +++ b/kern/openssl_kern.c @@ -12,6 +12,7 @@ struct ssl_data_event_t { s32 data_len; char comm[TASK_COMM_LEN]; u32 fd; + s32 version; }; struct { @@ -32,6 +33,12 @@ struct { } connect_events SEC(".maps"); struct active_ssl_buf { + /* + * protocol version (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION, + * DTLS1_VERSION) + * from ssl/ssl_local.h struct ssl_st + */ + s32 version; u32 fd; const char* buf; }; @@ -83,7 +90,7 @@ struct BIO { }; struct ssl_st { - int version; + s32 version; struct unused* method; struct BIO* rbio; // used by SSL_read struct BIO* wbio; // used by SSL_write @@ -117,7 +124,7 @@ static __inline struct ssl_data_event_t* create_ssl_data_event( static int process_SSL_data(struct pt_regs* ctx, u64 id, enum ssl_data_event_type type, const char* buf, - u32 fd) { + u32 fd, s32 version) { int len = (int)PT_REGS_RC(ctx); if (len < 0) { return 0; @@ -130,6 +137,7 @@ static int process_SSL_data(struct pt_regs* ctx, u64 id, event->type = type; event->fd = fd; + event->version = version; // This is a max function, but it is written in such a way to keep older BPF // verifiers happy. event->data_len = @@ -177,6 +185,7 @@ int probe_entry_SSL_write(struct pt_regs* ctx) { struct active_ssl_buf active_ssl_buf_t; __builtin_memset(&active_ssl_buf_t, 0, sizeof(active_ssl_buf_t)); active_ssl_buf_t.fd = fd; + active_ssl_buf_t.version = ssl_info.version; active_ssl_buf_t.buf = buf; bpf_map_update_elem(&active_ssl_write_args_map, ¤t_pid_tgid, &active_ssl_buf_t, BPF_ANY); 
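Review bot: The comment on the new `version` member of `struct active_ssl_buf` enumerates only SSL2_VERSION, SSL3_VERSION, TLS1_VERSION and DTLS1_VERSION, while the Go decoder added in this same commit also expects TLS1_1, TLS1_2, TLS1_3 and DTLS1_2, so the list understates what the field carries. I would replace the enumeration with the provenance of the value: `/* protocol version copied from struct ssl_st::version at SSL_read/SSL_write entry (e.g. TLS1_2_VERSION, TLS1_3_VERSION); consumed by user/event_openssl.go */`. The `__builtin_memset` in probe_entry_SSL_write leaves this field at zero until `ssl_info.version` is assigned, so if the read of the SSL object fails the consumer sees 0 — that read is outside this hunk, so confirm before documenting it.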
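Review bot: Changing `int version` to `s32 version` in the mirrored `struct ssl_st` is cosmetic, but the hunk still says nothing about which OpenSSL layout this mirror tracks, and every probe in this file depends on `version`, `rbio` and `wbio` sitting at exactly these offsets. `struct ssl_st` is private (the other hunk cites `ssl/ssl_local.h`), so nothing pins its layout across releases, and a mismatch yields silently wrong values here rather than an error. I would add above the struct: `/* Partial mirror of the private struct ssl_st from ssl/ssl_local.h; only the leading members are reproduced and their offsets are specific to the OpenSSL release this was written against — re-verify on every libssl upgrade. */`. Which release that is cannot be determined from this diff.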
@@ -201,8 +210,9 @@ int probe_ret_SSL_write(struct pt_regs* ctx) { if (active_ssl_buf_t != NULL) { const char* buf; u32 fd = active_ssl_buf_t->fd; + s32 version = active_ssl_buf_t->version; bpf_probe_read(&buf, sizeof(const char*), &active_ssl_buf_t->buf); - process_SSL_data(ctx, current_pid_tgid, kSSLWrite, buf, fd); + process_SSL_data(ctx, current_pid_tgid, kSSLWrite, buf, fd, version); } bpf_map_delete_elem(&active_ssl_write_args_map, ¤t_pid_tgid); return 0; @@ -239,6 +249,7 @@ int probe_entry_SSL_read(struct pt_regs* ctx) { struct active_ssl_buf active_ssl_buf_t; __builtin_memset(&active_ssl_buf_t, 0, sizeof(active_ssl_buf_t)); active_ssl_buf_t.fd = fd; + active_ssl_buf_t.version = ssl_info.version; active_ssl_buf_t.buf = buf; bpf_map_update_elem(&active_ssl_read_args_map, ¤t_pid_tgid, &active_ssl_buf_t, BPF_ANY); @@ -263,8 +274,9 @@ int probe_ret_SSL_read(struct pt_regs* ctx) { if (active_ssl_buf_t != NULL) { const char* buf; u32 fd = active_ssl_buf_t->fd; + s32 version = active_ssl_buf_t->version; bpf_probe_read(&buf, sizeof(const char*), &active_ssl_buf_t->buf); - process_SSL_data(ctx, current_pid_tgid, kSSLRead, buf, fd); + process_SSL_data(ctx, current_pid_tgid, kSSLRead, buf, fd, version); } bpf_map_delete_elem(&active_ssl_read_args_map, ¤t_pid_tgid); return 0; diff --git a/kern/postgres_kern.c b/kern/postgres_kern.c index 3506e019e..aa7ca349c 100644 --- a/kern/postgres_kern.c +++ b/kern/postgres_kern.c @@ -7,8 +7,7 @@ struct data_t { char comm[TASK_COMM_LEN]; }; -struct -{ +struct { __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY); } events SEC(".maps"); @@ -18,7 +17,6 @@ struct // static void exec_simple_query(const char *query_string) SEC("uprobe/exec_simple_query") int postgres_query(struct pt_regs *ctx) { - u64 current_pid_tgid = bpf_get_current_pid_tgid(); u32 pid = current_pid_tgid >> 32; 
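Review bot: In probe_ret_SSL_write the new `s32 version = active_ssl_buf_t->version;` dereferences the map value directly, exactly as the existing `fd` read does, while `buf` on the next line is still fetched from the same value through `bpf_probe_read`; mixing the two for one struct reads as if `buf` needed a helper the other fields do not. The hunk already demonstrates that direct access to this lookup result passes the verifier, so the consistent form is `const char* buf = active_ssl_buf_t->buf;` with the `bpf_probe_read` call dropped. The same mixed pattern is repeated in probe_ret_SSL_read further down this file.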
@@ -30,10 +28,10 @@ int postgres_query(struct pt_regs *ctx) { #endif struct data_t data = {}; - data.pid = pid; // only process id + data.pid = pid; // only process id data.timestamp = bpf_ktime_get_ns(); - char *sql_string= (char *)PT_REGS_PARM1(ctx); + char *sql_string = (char *)PT_REGS_PARM1(ctx); bpf_get_current_comm(&data.comm, sizeof(data.comm)); bpf_probe_read(&data.query, sizeof(data.query), sql_string); bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &data, sizeof(data)); diff --git a/user/event_openssl.go b/user/event_openssl.go index 1f0379f82..6da924aab 100644 --- a/user/event_openssl.go +++ b/user/event_openssl.go @@ -21,6 +21,43 @@ const ( const MAX_DATA_SIZE = 1024 * 4 const SA_DATA_LEN = 14 +const ( + SSL2_VERSION = 0x0002 + SSL3_VERSION = 0x0300 + TLS1_VERSION = 0x0301 + TLS1_1_VERSION = 0x0302 + TLS1_2_VERSION = 0x0303 + TLS1_3_VERSION = 0x0304 + DTLS1_VERSION = 0xFEFF + DTLS1_2_VERSION = 0xFEFD +) + +type tls_version struct { + version int32 +} + +func (t tls_version) String() string { + switch t.version { + case SSL2_VERSION: + return "SSL2_VERSION" + case SSL3_VERSION: + return "SSL3_VERSION" + case TLS1_VERSION: + return "TLS1_VERSION" + case TLS1_1_VERSION: + return "TLS1_1_VERSION" + case TLS1_2_VERSION: + return "TLS1_2_VERSION" + case TLS1_3_VERSION: + return "TLS1_3_VERSION" + case DTLS1_VERSION: + return "DTLS1_VERSION" + case DTLS1_2_VERSION: + return "DTLS1_2_VERSION" + } + return "TLS_VERSION_UNKNOW" +} + type SSLDataEvent struct { module IModule event_type EVENT_TYPE @@ -32,6 +69,7 @@ type SSLDataEvent struct { Data_len int32 Comm [16]byte Fd uint32 + Version int32 } func (this *SSLDataEvent) Decode(payload []byte) (err error) { @@ -60,6 +98,9 @@ func (this *SSLDataEvent) Decode(payload []byte) (err error) { if err = binary.Read(buf, binary.LittleEndian, &this.Fd); err != nil { return } + if err = binary.Read(buf, binary.LittleEndian, &this.Version); err != nil { + return + } return nil } 
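Review bot: `tls_version.String()` collapses every unrecognised value into the literal `"TLS_VERSION_UNKNOW"` (also misspelled), which throws away the one datum an operator needs when the kernel-side `struct ssl_st` mirror does not match the loaded libssl and `version` arrives as garbage. Keep the raw value in the fallback: `return fmt.Sprintf("TLS_VERSION_UNKNOWN(0x%04x)", t.version)`; `fmt` is already used by this file's `String` methods. Since the switch covers all eight constants declared just above it, this fallback is the only branch that can reveal a layout mismatch, so it should not be silent about the number.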
@@ -82,7 +123,8 @@ func (this *SSLDataEvent) StringHex() string { b := dumpByteSlice(this.Data[:this.Data_len], perfix) b.WriteString(COLORRESET) - s := fmt.Sprintf("PID:%d, Comm:%s, TID:%d, %s, Payload:\n%s", this.Pid, this.Comm, this.Tid, connInfo, b.String()) + v := tls_version{version: this.Version} + s := fmt.Sprintf("PID:%d, Comm:%s, TID:%d, %s, Version:%s, Payload:\n%s", this.Pid, this.Comm, this.Tid, connInfo, v.String(), b.String()) return s } @@ -100,7 +142,8 @@ func (this *SSLDataEvent) String() string { default: connInfo = fmt.Sprintf("%sUNKNOW_%d%s", COLORRED, this.DataType, COLORRESET) } - s := fmt.Sprintf("PID:%d, Comm:%s, TID:%d, %s, Payload:\n%s%s%s", this.Pid, this.Comm, this.Tid, connInfo, perfix, string(this.Data[:this.Data_len]), COLORRESET) + v := tls_version{version: this.Version} + s := fmt.Sprintf("PID:%d, Comm:%s, TID:%d, Version:%s, %s, Payload:\n%s%s%s", this.Pid, this.Comm, this.Tid, v.String(), connInfo, perfix, string(this.Data[:this.Data_len]), COLORRESET) return s }
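Review bot: The two format strings this commit edits place `Version:` differently — after the connection info in `StringHex` but before it in `String` — so the two output modes of the same event now disagree on field order, which is awkward for anyone parsing or diffing both. Pick one order; matching `StringHex` here would be `s := fmt.Sprintf("PID:%d, Comm:%s, TID:%d, %s, Version:%s, Payload:\n%s%s%s", this.Pid, this.Comm, this.Tid, connInfo, v.String(), perfix, string(this.Data[:this.Data_len]), COLORRESET)`. Separately, the rewritten line still slices `this.Data[:this.Data_len]` with a length taken from the event; if `Decode` (not in this hunk) does not clamp `Data_len` to `len(this.Data)`, a truncated or malformed event would panic here instead of printing — confirm that check exists. The opening lines of `String` lie outside the hunk.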