Date:      Wed, 08 Jul 2009 15:17:02 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Daniel Underwood <djuatdelta@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Network traffic monitoring: BSD monitor & verifying encryption
Message-ID:  <4A54AA5E.80706@infracaninophile.co.uk>
In-Reply-To: <b6c05a470907080615l1e674e07xfda169c75dfd9f59@mail.gmail.com>
References:  <b6c05a470907080615l1e674e07xfda169c75dfd9f59@mail.gmail.com>


Daniel Underwood wrote:
> Hi folks:
> 
> (1) I've only used Wireshark and Ethereal to inspect network traffic,
> and I've only used these on several occasions.  Would someone suggest
> FreeBSD alternatives (console or X server based)?

Wireshark, formerly known as Ethereal, works just fine on FreeBSD.  If you
want a console based variant, there's tshark, which is just wireshark without
X11 support.  Both are in the ports: net/wireshark, net/tshark

As mentioned elsewhere, you can use tcpdump (bundled with the system) to
capture traffic that you can later feed into wireshark for analysis.  Handy
hint: be aware that tcpdump generally only captures the packet headers and
not the full packet content.  To capture everything add '-s 0' to the tcpdump
command line.

> (2) I'm testing my connection to a remote server.  The connection is
> supposed to be encrypted. What's the easiest way to verify that the
> data is in fact being encrypted?  I don't care to validate the
> encryption itself; I trust that it is working properly, if it's
> working at all.  I just want to know what, if anything, I can look for
> in the traffic that will indicate encryption (e.g., is the initiation
> of key-exchanges easy to locate?).

There are two possibilities:

(a) capture session traffic over the wire and from that demonstrate the
traffic is encrypted.  Unless the plaintext is obviously ascii or otherwise
readily identifiable, this might be a bit tricky.  Probably the only 100%
certain answer is to be able to decrypt the session traffic.

(b) connect to the remote network port using e.g. netcat (see nc(1)),
telnet or 'openssl s_client' -- in the first two cases the idea would be
to check that the server would not permit an unencrypted session; for the
last case the idea is to check that the connection does handle presenting keys
and certs correctly.  Obviously this will depend on knowledge of how your
particular communications protocol works.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
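The following is an added example, not code from this thread or from the FreeBSD project. It shows approach (a) above in practice: read a pcap written by tcpdump (with '-s 0', so payloads are complete) and label each TCP payload as printable plaintext, a TLS record-layer message (which is how a key exchange shows up in the capture), or high-entropy data that is consistent with ciphertext. It also flags frames that the capture's snaplen truncated, which is the failure mode the '-s 0' hint warns about. Everything here is constructed: the pcap reader, the classifier, the thresholds (90% printable, entropy above 7 bits per byte), and the sample packets embedded at the bottom. For a real capture replace SAMPLE_PCAP with the bytes of a file from 'tcpdump -s 0 -w capture.pcap'.

```python
"""Heuristic pass over a pcap: does each TCP payload look like plaintext,
a TLS record, or high-entropy (encrypted or compressed) data?

Added example; the pcap parsing and classification are assumptions of this
script, not part of the original thread.  The sample capture is constructed
inline so the script runs offline.
"""
import hashlib
import math
import string
import struct

PRINTABLE = frozenset(string.printable.encode())
PCAP_MAGIC_LE = 0xA1B2C3D4  # microsecond-resolution, little-endian pcap


def build_pcap(frames, snaplen=65535):
    """Wrap raw Ethernet frames in a minimal pcap file (link type 1 = Ethernet).
    `snaplen` mimics tcpdump's capture length: '-s 0' means no truncation."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, 1)
    for i, frame in enumerate(frames):
        incl = min(len(frame), snaplen)
        out += struct.pack("<IIII", i, 0, incl, len(frame)) + frame[:incl]
    return out


def eth_ipv4_tcp(payload, sport, dport):
    """Build a constructed Ethernet/IPv4/TCP frame carrying `payload`."""
    eth = bytes(12) + b"\x08\x00"  # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def tcp_payloads(pcap):
    """Yield (sport, dport, payload, truncated) for each IPv4/TCP frame.
    `truncated` is True when the snaplen cut the frame short, which is what
    a default tcpdump run does to most payloads."""
    if struct.unpack_from("<I", pcap, 0)[0] != PCAP_MAGIC_LE:
        raise ValueError("only little-endian pcap is handled here")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, orig = struct.unpack_from("<IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl]
        off += incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4/TCP, or too short to hold the headers
        tcp_off = 14 + (frame[14] & 0x0F) * 4
        data_off = (frame[tcp_off + 12] >> 4) * 4
        sport, dport = struct.unpack_from("!HH", frame, tcp_off)
        payload = frame[tcp_off + data_off:]
        if payload:
            yield sport, dport, payload, incl < orig


def shannon_entropy(data):
    """Bits of entropy per byte; 8.0 is the maximum for a byte stream."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_payload(payload):
    """Coarse label: TLS record layer, printable plaintext, high entropy, or unknown.
    TLS records start with a content type (0x14-0x17) and a 0x03 0x0N version."""
    if (len(payload) >= 5 and payload[0] in (0x14, 0x15, 0x16, 0x17)
            and payload[1] == 3 and payload[2] <= 4):
        return "tls-record"
    printable = sum(b in PRINTABLE for b in payload) / len(payload)
    if printable > 0.9:
        return "plaintext"
    if shannon_entropy(payload) > 7.0:
        return "high-entropy"
    return "unknown"


def summarize(pcap):
    """List of (sport, dport, label, truncated) for every TCP payload in the pcap."""
    return [(sport, dport, classify_payload(p), trunc)
            for sport, dport, p, trunc in tcp_payloads(pcap)]


# Constructed sample: one HTTP request, one TLS ClientHello-shaped record, and
# 1280 bytes of hash output standing in for ciphertext.
HTTP_REQ = b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"
TLS_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(40))
SAMPLE_PCAP = build_pcap([
    eth_ipv4_tcp(HTTP_REQ, 40000, 80),
    eth_ipv4_tcp(TLS_HELLO, 40001, 443),
    eth_ipv4_tcp(CIPHERTEXT, 40001, 443),
])

if __name__ == "__main__":
    for row in summarize(SAMPLE_PCAP):
        print(row)
```

The labels are heuristics, not proof: a TLS handshake carries plaintext fields (server name, certificates in TLS 1.2), compressed data is as high-entropy as ciphertext, and a short payload gives a noisy entropy figure. A "plaintext" verdict on traffic that should be encrypted is the finding to act on; the other labels only say the capture is consistent with encryption, which is why the reply above calls decrypting the session the only certain answer.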