Date: Wed, 08 Jul 2009 15:17:02 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Daniel Underwood <djuatdelta@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Network traffic monitoring: BSD monitor & verifying encryption
Message-ID: <4A54AA5E.80706@infracaninophile.co.uk>
In-Reply-To: <b6c05a470907080615l1e674e07xfda169c75dfd9f59@mail.gmail.com>
References: <b6c05a470907080615l1e674e07xfda169c75dfd9f59@mail.gmail.com>
Daniel Underwood wrote:
> Hi folks:
>
> (1) I've only used Wireshark and Ethereal to inspect network traffic,
> and I've only used these on several occasions. Would someone suggest
> FreeBSD alternatives (console or X server based)?
Wireshark, formerly known as Ethereal, works just fine on FreeBSD. If you
want a console based variant, there's tshark, which is just Wireshark without
X11 support. All in the ports: net/wireshark, net/tshark

As mentioned elsewhere, you can use tcpdump (bundled with the system) to
capture traffic that you can later feed into Wireshark for analysis. Handy
hint: be aware that tcpdump generally only captures the packet headers and
not the full packet content. To capture everything add '-s 0' to the tcpdump
command line.
> (2) I'm testing my connection to a remote server. The connection is
> supposed to be encrypted. What's the easiest way to verify that the
> data is in fact being encrypted? I don't care to validate the
> encryption itself; I trust that it is working properly, if it's
> working at all. I just want to know what, if anything, I can look for
> in the traffic that will indicate encryption (e.g., is the initiation
> of key-exchanges easy to locate?).
There are two possibilities:

(a) capture session traffic over the wire and from that demonstrate the
traffic is encrypted. Unless the plaintext is obviously ASCII or otherwise
readily identifiable, this might be a bit tricky. Probably the only 100%
certain answer is to be able to decrypt the session traffic.

(b) connect to the remote network port using e.g. netcat (see nc(1)),
telnet or 'openssl s_client' -- in the first two cases the idea would be
to check that the server would not permit an unencrypted session; for the
last case the idea is to check that the connection does handle presenting
keys and certs correctly. Obviously this will depend on knowledge of how your
particular communications protocol works.
Cheers,
Matthew
-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
7 Priory Courtyard, Flat 3
Ramsgate, Kent, CT11 9PW
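The passive check in (a) above, as an added example that is not part of Matthew's reply or of any FreeBSD tool: a Python script that looks at the first bytes of one direction of a captured TCP stream (what you would pull out of a `tcpdump -s 0 -w out.pcap` capture with Wireshark's Follow TCP Stream) and reports whether they start with a TLS record header, an SSH version banner, readable plaintext, or high-entropy bytes. It also walks consecutive TLS records so the handshake record that opens the key exchange can be located by offset. The sample payloads are constructed for this example, and the 0.95 printable-ratio threshold, the 7.0 bits/byte entropy threshold and the record-header sanity checks are this example's own choices, not anything from the thread. As Matthew says, a positive here is evidence, not proof: the entropy heuristic needs a few hundred bytes to mean anything and cannot tell encrypted from compressed data.

```python
import hashlib
import math
import string

# Bytes that make up readable text (letters, digits, punctuation, whitespace).
PRINTABLE = frozenset(string.printable.encode("ascii"))

# TLS record-layer content types (RFC 5246, section 6.2.1).
TLS_CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}


def tls_record(data: bytes):
    """Parse a TLS record header at the start of data.

    Returns (content_type, version, body_length) when the five header bytes
    look like a TLS record (type 20..23, major version 3, minor 0..4, sane
    length), otherwise None.  A ClientHello travels in a handshake record,
    so the first record of a session is where the key exchange begins.
    """
    if len(data) < 5:
        return None
    ctype, major, minor = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    if (ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4
            and 0 < length <= 2 ** 14 + 2048):
        return TLS_CONTENT_TYPES[ctype], f"{major}.{minor}", length
    return None


def tls_records(stream: bytes):
    """Walk consecutive TLS records from the start of one direction of a
    TCP stream; returns (offset, content_type, version, body_length) tuples."""
    found, offset = [], 0
    while offset < len(stream):
        rec = tls_record(stream[offset:])
        if rec is None:
            break
        ctype, version, length = rec
        found.append((offset, ctype, version, length))
        offset += 5 + length
    return found


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; near 1.0 means plaintext."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ciphertext sits near 8.0, English text 4-5.
    Only meaningful once the sample is a few hundred bytes long."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(payload: bytes) -> str:
    """Label the start of a captured payload (thresholds are this example's)."""
    rec = tls_record(payload)
    if rec:
        return f"tls {rec[0]} (record version {rec[1]}, {rec[2]} bytes)"
    if payload.startswith(b"SSH-"):
        return "ssh version banner (plaintext; key exchange follows)"
    if printable_ratio(payload) > 0.95:
        return "plaintext"
    if shannon_entropy(payload) > 7.0:
        return "high-entropy (encrypted or compressed)"
    return "inconclusive"


# Constructed samples for this example, not real captures.
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"

# Three TLS records with filler bodies (only the headers are parsed here):
# a handshake record where a real ClientHello would sit, then
# change_cipher_spec, then application_data whose body would be ciphertext.
TLS_STREAM = (
    b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x00"
    + b"\x14\x03\x03\x00\x01" + b"\x01"
    + b"\x17\x03\x03\x00\x10" + bytes(range(0xF0, 0x100))
)

# Deterministic stand-in for 4096 bytes of ciphertext: a SHA-256 chain.
PSEUDO_CIPHERTEXT = b"".join(
    hashlib.sha256(b"example-seed" + i.to_bytes(2, "big")).digest()
    for i in range(128)
)

if __name__ == "__main__":
    for name, sample in (("http", HTTP_REQUEST), ("tls", TLS_STREAM),
                         ("blob", PSEUDO_CIPHERTEXT)):
        print(f"{name:5} -> {classify(sample)}")
    for rec in tls_records(TLS_STREAM):
        print("  record at offset %d: %s v%s, %d body bytes" % rec)
```

Run it as-is to see the three verdicts and the record walk; to use it on a real capture, replace the constructed samples with the raw bytes of the client-to-server stream. Note that the record-layer version field is deliberately not treated as the negotiated protocol version: a modern ClientHello still advertises 3.1 or 3.3 there, and TLS 1.3 hides the real version inside the handshake.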
