From owner-freebsd-questions@FreeBSD.ORG Wed Jul 8 14:17:17 2009 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 43FCE1065673 for ; Wed, 8 Jul 2009 14:17:17 +0000 (UTC) (envelope-from m.seaman@infracaninophile.co.uk) Received: from smtp.infracaninophile.co.uk (gate6.infracaninophile.co.uk [IPv6:2001:8b0:151:1::1]) by mx1.freebsd.org (Postfix) with ESMTP id BBA348FC19 for ; Wed, 8 Jul 2009 14:17:16 +0000 (UTC) (envelope-from m.seaman@infracaninophile.co.uk) Received: from happy-idiot-talk.infracaninophile.co.uk (localhost [IPv6:::1]) (authenticated bits=0) by smtp.infracaninophile.co.uk (8.14.3/8.14.3) with ESMTP id n68EH9v0060528; Wed, 8 Jul 2009 15:17:10 +0100 (BST) (envelope-from m.seaman@infracaninophile.co.uk) X-DKIM: Sendmail DKIM Filter v2.8.3 smtp.infracaninophile.co.uk n68EH9v0060528 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=infracaninophile.co.uk; s=200708; t=1247062630; bh=01707y5Vt2GiR9Rgl0gHKfPmJmI186ZOJOhnY0udoEk=; h=Message-ID:Date:From:MIME-Version:To:CC:Subject:References: In-Reply-To:Content-Type:Cc:Content-Type:Date:From:In-Reply-To: Message-ID:Mime-Version:References:To; z=Message-ID:=20<4A54AA5E.80706@infracaninophile.co.uk>|Date:=20Wed ,=2008=20Jul=202009=2015:17:02=20+0100|From:=20Matthew=20Seaman=20 |Organization:=20Infracaninophile |User-Agent:=20Thunderbird=202.0.0.22=20(X11/20090625)|MIME-Versio n:=201.0|To:=20Daniel=20Underwood=20|CC:=20f reebsd-questions@freebsd.org|Subject:=20Re:=20Network=20traffic=20 monitoring:=20BSD=20monitor=20&=20verifying=20encryption|Reference s:=20 |In-Reply-To:=20|X-Enigmail-Version:=200.95.6|Content-Type:=20multipart /signed=3B=20micalg=3Dpgp-sha256=3B=0D=0A=20protocol=3D"applicatio n/pgp-signature"=3B=0D=0A=20boundary=3D"------------enig76D8EC32AA 487F9CD2B2F08E"; b=Zjlt9lZgJES/YACOH/akpcuFf0xiLwgIxNmxiuHrMwsZw7E1PRdNmBtAdK+uWE6wp /kh8X2YEz6tTNV+LlRvPtvnkprJyBkwScGMMWlH/fRxWNHfVPIzfVB7gYL7218sJKL 2rtFnXKGOvRQOVtmk0/H2BCONZ0cdVGBGWpGtMMs= X-Authentication-Warning: happy-idiot-talk.infracaninophile.co.uk: Host localhost [IPv6:::1] claimed to be happy-idiot-talk.infracaninophile.co.uk Message-ID: <4A54AA5E.80706@infracaninophile.co.uk> Date: Wed, 08 Jul 2009 15:17:02 +0100 From: Matthew Seaman Organization: Infracaninophile User-Agent: Thunderbird 2.0.0.22 (X11/20090625) MIME-Version: 1.0 To: Daniel Underwood References: In-Reply-To: X-Enigmail-Version: 0.95.6 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="------------enig76D8EC32AA487F9CD2B2F08E" X-Virus-Scanned: clamav-milter 0.95.2 at happy-idiot-talk.infracaninophile.co.uk X-Virus-Status: Clean X-Spam-Status: No, score=-3.0 required=5.0 tests=AWL,BAYES_00,DKIM_SIGNED, DKIM_VERIFIED,NO_RELAYS autolearn=ham version=3.2.5 X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on happy-idiot-talk.infracaninophile.co.uk Cc: freebsd-questions@freebsd.org Subject: Re: Network traffic monitoring: BSD monitor & verifying encryption X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Jul 2009 14:17:17 -0000 This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig76D8EC32AA487F9CD2B2F08E Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: quoted-printable Daniel Underwood wrote: > Hi folks: >=20 > (1) I'm only used Wireshark and Ethereal to inspect network traffic, > and I've only used these on several occasion. Would someone suggest > FreeBSD alternatives (console or xserver based? wireshark, formerly known as ethereal works just fine on FreeBSD. If you= want a console based variant, there's tshark, which is just wireshark wit= hout X11 support. All in the ports: net/wireshark, net/tshark As mentioned elsewhere, you can use tcpdump (bundled with the system) to capture traffic that you can later feed into wireshark for analysis. Han= dy hint: be aware that tcpdump generally only captures the packet headers an= d not the full packet content. To capture everything add '-s 0' to the tcp= dump command line. > (2) I'm testing my connection to a remote server. The connection is > supposed to be encrypted. What's the easiest way to verify that the > data is in fact being encrypted? I don't care to validate the > encryption itself; I trust that it is working properly, if it's > working at all. I just want to know what, if anything, I can look for > in the traffic that will indicate encryption (e.g., is the initiation > of key-exchanges easy to locate?). There are two possibilities: (a) capture session traffic over the wire and from that demonstrate the traffic is encrypted. Unless the plaintext is obviously ascii or otherwi= se readily identifiable, this might be a bit tricky. Probably the only 100%= certain answer is to be able to decrypt the session traffic. (b) connect to the remote network port using eg. netcat (see nc(1)), telnet or 'openssl s_client' -- in the first two cases the idea would be to check that the server would not permit an unencrypted session; for the= last case the idea is to check that the connection does handle presenting= keys and certs correctly. Obviously this will depend on knowledge of how your= =20 particular communications protocol works. Cheers, Matthew --=20 Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW --------------enig76D8EC32AA487F9CD2B2F08E Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.12 (FreeBSD) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEAREIAAYFAkpUqmUACgkQ8Mjk52CukIzCzACfTCDwOzTGKRnRUcIvilIraM31 HAwAn0tczBfkC1EQKwhK60xnVHedrHVE =G/JA -----END PGP SIGNATURE----- --------------enig76D8EC32AA487F9CD2B2F08E--