Date:      Wed, 08 Jul 2009 09:47:25 -0400
From:      Steve Bertrand <steve@ibctech.ca>
To:        Daniel Underwood <djuatdelta@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Network traffic monitoring: BSD monitor & verifying encryption
Message-ID:  <4A54A36D.5070104@ibctech.ca>
In-Reply-To: <b6c05a470907080615l1e674e07xfda169c75dfd9f59@mail.gmail.com>
References:  <b6c05a470907080615l1e674e07xfda169c75dfd9f59@mail.gmail.com>


Daniel Underwood wrote:
> Hi folks:
> 
> (1) I've only used Wireshark and Ethereal to inspect network traffic,
> and I've only used these on several occasions.  Would someone suggest
> FreeBSD alternatives (console or xserver based)?

tcpdump(1). It can save to a pcap file for later review within Wireshark
if required.

> (2) I'm testing my connection to a remote server.  The connection is
> supposed to be encrypted. What's the easiest way to verify that the
> data is in fact being encrypted?  I don't care to validate the
> encryption itself; I trust that it is working properly, if it's
> working at all.  I just want to know what, if anything, I can look for
> in the traffic that will indicate encryption (e.g., is the initiation
> of key-exchanges easy to locate?).

It depends on the traffic type, and the protocol.

When in doubt, you could always capture the entire packets, dump them
into a file, and then review the data to ensure it isn't in plaintext:

# tcpdump -n -i em5 -s 0 -w /var/log/cap.pcap host x.x.x.x and port xxxx

Then you can read it back in with tcpdump later, or scp the file to a
GUI based workstation and view it in Wireshark (which is my preference).

Wireshark displaying SSH traffic will for instance tell you straight-up
in the Info field that the packet is "Encrypted response packet
len=xxx". It does the same for IPSec etc.

Steve

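To make the "review the data to ensure it isn't in plaintext" step concrete, here is an added example; it is not part of Steve's reply and not a FreeBSD or tcpdump tool. It is a stdlib-only Python script that reads a classic libpcap file of the kind `tcpdump -w` writes, pulls out every IPv4/TCP payload, and labels each one as an SSH version banner (the one part of an SSH session that is always in the clear, which is how you locate the start of the key exchange), as plaintext, or as opaque. The capture it runs on is constructed in the script itself: the MAC and IP addresses, ports, the SSH banner string and the ciphertext stand-in (every byte value once, so its entropy is exactly 8 bits/byte) are all made up so the example runs offline.

```python
"""Flag plaintext TCP payloads in a libpcap capture (stdlib only)."""
import math
import struct

# Bytes we treat as "text": printable ASCII plus tab, LF and CR.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def build_frame(sport, dport, payload):
    """Ethernet/IPv4/TCP frame carrying `payload`. Addresses are made up and
    checksums are left zero: this is constructed test input, not a capture."""
    eth = b"\x00" * 11 + b"\x01" + b"\x08\x00"            # dst, src, type=IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10]))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Serialize frames as a classic libpcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp_payloads(pcap):
    """Yield (sport, dport, payload) for every IPv4/TCP record in `pcap`."""
    magic, = struct.unpack("<I", pcap[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"   # byte-swapped magic -> big-endian file
    link_type, = struct.unpack(endian + "I", pcap[20:24])
    if link_type != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":              # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:                                # not TCP
            continue
        tcp = ip[ihl:total]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        yield sport, dport, tcp[data_off:]


def entropy(data):
    """Shannon entropy in bits per byte (8.0 is the maximum)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def printable_ratio(data):
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def classify_payload(payload):
    """'empty' for bare ACKs, 'ssh-banner' for the cleartext SSH version line,
    'plaintext' if it reads like text, else 'opaque' (ciphertext or binary)."""
    if not payload:
        return "empty"
    if payload.startswith(b"SSH-"):
        return "ssh-banner"
    if printable_ratio(payload) >= 0.85 and entropy(payload) < 6.0:
        return "plaintext"
    return "opaque"


def classify_pcap(pcap):
    return [(s, d, classify_payload(p)) for s, d, p in iter_tcp_payloads(pcap)]


# Constructed sample capture: an SSH banner, an HTTP request in the clear, an
# empty ACK, and a deterministic stand-in for ciphertext (every byte value once).
SAMPLE_PCAP = build_pcap([
    build_frame(22, 51000, b"SSH-2.0-OpenSSH_5.2 FreeBSD-20090522\r\n"),
    build_frame(51001, 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    build_frame(51000, 22, b""),
    build_frame(22, 51000, bytes(range(256))),
])

if __name__ == "__main__":
    for sport, dport, verdict in classify_pcap(SAMPLE_PCAP):
        print(f"{sport:>5} -> {dport:<5} {verdict}")
```

To run it on a real file, pass `open("/var/log/cap.pcap", "rb").read()` to `classify_pcap`. The thresholds are heuristics: a long run of "plaintext" verdicts on a port that is supposed to be encrypted is the signal to open the file in Wireshark, while an "ssh-banner" followed only by "opaque" is what a working SSH session looks like. The parser only understands link type 1, which is what tcpdump writes on an Ethernet interface such as em5.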

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4A54A36D.5070104>