Date:      Wed, 08 Jul 2009 15:17:02 +0100
From:      Matthew Seaman <>
To:        Daniel Underwood <>
Subject:   Re: Network traffic monitoring: BSD monitor & verifying encryption

Daniel Underwood wrote:
> Hi folks:
> (1) I've only used Wireshark and Ethereal to inspect network traffic,
> and I've only used these on several occasions.  Would someone suggest
> FreeBSD alternatives (console or xserver based)?

wireshark, formerly known as ethereal, works just fine on FreeBSD.  If you
want a console based variant, there's tshark, which is just wireshark without
X11 support.  All in the ports: net/wireshark, net/tshark

As mentioned elsewhere, you can use tcpdump (bundled with the system) to
capture traffic that you can later feed into wireshark for analysis.  Handy
hint: be aware that tcpdump generally only captures the packet headers and
not the full packet content.  To capture everything add '-s 0' to the tcpdump
command line.

> (2) I'm testing my connection to a remote server.  The connection is
> supposed to be encrypted. What's the easiest way to verify that the
> data is in fact being encrypted?  I don't care to validate the
> encryption itself; I trust that it is working properly, if it's
> working at all.  I just want to know what, if anything, I can look for
> in the traffic that will indicate encryption (e.g., is the initiation
> of key-exchanges easy to locate?).

There are two possibilities:

(a) capture session traffic over the wire and from that demonstrate the
traffic is encrypted.  Unless the plaintext is obviously ascii or otherwise
readily identifiable, this might be a bit tricky.  Probably the only 100%
certain answer is to be able to decrypt the session traffic.

(b) connect to the remote network port using eg. netcat (see nc(1)),
telnet or 'openssl s_client' -- in the first two cases the idea would be
to check that the server would not permit an unencrypted session; for the
last case the idea is to check that the connection does handle presenting
and certs correctly.  Obviously this will depend on knowledge of how your
particular communications protocol works.



Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
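To put option (a) into practice, here is an added Python example (editor's code, not from the thread) that takes the payload bytes of a captured packet, for instance the tcp.payload field printed by tshark -T fields, and reports whether they look like plaintext, a TLS record (a handshake record at the start of a session is the key exchange the question asks about), or high-entropy data consistent with ciphertext. The sample payloads are constructed, and the 0.9 thresholds are assumptions.

```python
import math
from collections import Counter

# TLS record-layer content types; a 0x16 (handshake) record at the start of
# a session is the ClientHello, i.e. where the key exchange begins.
TLS_CONTENT_TYPES = {0x14: "change-cipher-spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application-data"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for text."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, CR or LF."""
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / max(len(data), 1)

def tls_record_type(data: bytes):
    """Content-type name if data starts with a plausible TLS record header."""
    if (len(data) >= 5 and data[0] in TLS_CONTENT_TYPES
            and data[1] == 0x03 and data[2] <= 0x04):
        return TLS_CONTENT_TYPES[data[0]]
    return None

def classify_payload(data: bytes) -> str:
    """Rough verdict on one TCP payload; the 0.9 thresholds are assumptions."""
    rtype = tls_record_type(data)
    if rtype:
        return "tls:" + rtype
    if printable_ratio(data) >= 0.9:
        return "plaintext"
    # A short sample cannot reach 8 bits/byte: scale by the most it could reach.
    limit = min(8.0, math.log2(len(data))) if data else 0.0
    if limit and shannon_entropy(data) >= 0.9 * limit:
        return "high-entropy"
    return "binary:low-entropy"

def payload_from_tshark_hex(field: str) -> bytes:
    """Decode a tcp.payload field as tshark -T fields prints it (hex, maybe colon-separated)."""
    return bytes.fromhex(field.replace(":", ""))

# Constructed samples, not taken from any real capture.
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
TLS_CLIENT_HELLO_STUB = b"\x16\x03\x01\x00\x06\x01\x00\x00\x02\x03\x03"  # record header only
TLS_APP_DATA = b"\x17\x03\x03\x00\x10" + bytes(range(16))
CIPHERTEXT_LIKE = bytes(range(256))  # every byte value once: maximal-entropy stand-in
STRUCTURED_BINARY = bytes([0, 1, 2]) * 20  # unencrypted binary protocol look-alike
```

Running classify_payload over the five samples gives plaintext, tls:handshake, tls:application-data, high-entropy and binary:low-entropy respectively; the last case is the "a bit tricky" one, where neither test is conclusive and only decrypting the session would settle it.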