Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 08 Jul 2009 15:17:02 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Daniel Underwood <djuatdelta@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Network traffic monitoring: BSD monitor & verifying encryption
Message-ID:  <4A54AA5E.80706@infracaninophile.co.uk>
In-Reply-To: <b6c05a470907080615l1e674e07xfda169c75dfd9f59@mail.gmail.com>
References:  <b6c05a470907080615l1e674e07xfda169c75dfd9f59@mail.gmail.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig76D8EC32AA487F9CD2B2F08E
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: quoted-printable

Daniel Underwood wrote:
> Hi folks:
>=20
> (1) I'm only used Wireshark and Ethereal to inspect network traffic,
> and I've only used these on several occasion.  Would someone suggest
> FreeBSD alternatives (console or xserver based?

wireshark, formerly known as ethereal works just fine on FreeBSD.  If you=

want a console based variant, there's tshark, which is just wireshark wit=
hout
X11 support.  All in the ports: net/wireshark, net/tshark

As mentioned elsewhere, you can use tcpdump (bundled with the system) to
capture traffic that you can later feed into wireshark for analysis.  Han=
dy
hint: be aware that tcpdump generally only captures the packet headers an=
d
not the full packet content.  To capture everything add '-s 0' to the tcp=
dump
command line.

> (2) I'm testing my connection to a remote server.  The connection is
> supposed to be encrypted. What's the easiest way to verify that the
> data is in fact being encrypted?  I don't care to validate the
> encryption itself; I trust that it is working properly, if it's
> working at all.  I just want to know what, if anything, I can look for
> in the traffic that will indicate encryption (e.g., is the initiation
> of key-exchanges easy to locate?).

There are two possibilities:

(a) capture session traffic over the wire and from that demonstrate the
traffic is encrypted.  Unless the plaintext is obviously ascii or otherwi=
se
readily identifiable, this might be a bit tricky.  Probably the only 100%=

certain answer is to be able to decrypt the session traffic.

(b) connect to the remote network port using eg. netcat (see nc(1)),
telnet or 'openssl s_client' -- in the first two cases the idea would be
to check that the server would not permit an unencrypted session; for the=

last case the idea is to check that the connection does handle presenting=
 keys
and certs correctly.  Obviously this will depend on knowledge of how your=
=20
particular communications protocol works.

	Cheers,

	Matthew

--=20
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW


--------------enig76D8EC32AA487F9CD2B2F08E
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREIAAYFAkpUqmUACgkQ8Mjk52CukIzCzACfTCDwOzTGKRnRUcIvilIraM31
HAwAn0tczBfkC1EQKwhK60xnVHedrHVE
=G/JA
-----END PGP SIGNATURE-----

--------------enig76D8EC32AA487F9CD2B2F08E--



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?4A54AA5E.80706>