Date: Wed, 08 Jul 2009 15:17:02 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Daniel Underwood <djuatdelta@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Network traffic monitoring: BSD monitor & verifying encryption
Message-ID: <4A54AA5E.80706@infracaninophile.co.uk>
In-Reply-To: <b6c05a470907080615l1e674e07xfda169c75dfd9f59@mail.gmail.com>
References: <b6c05a470907080615l1e674e07xfda169c75dfd9f59@mail.gmail.com>
Daniel Underwood wrote:
> Hi folks:
>
> (1) I've only used Wireshark and Ethereal to inspect network traffic,
> and I've only used these on several occasions. Would someone suggest
> FreeBSD alternatives (console or xserver based)?

Wireshark, formerly known as Ethereal, works just fine on FreeBSD. If you
want a console based variant, there's tshark, which is just wireshark
without X11 support. All in the ports: net/wireshark, net/tshark

As mentioned elsewhere, you can use tcpdump (bundled with the system) to
capture traffic that you can later feed into wireshark for analysis. Handy
hint: be aware that tcpdump generally only captures the packet headers and
not the full packet content. To capture everything add '-s 0' to the tcpdump
command line.

> (2) I'm testing my connection to a remote server. The connection is
> supposed to be encrypted. What's the easiest way to verify that the
> data is in fact being encrypted? I don't care to validate the
> encryption itself; I trust that it is working properly, if it's
> working at all. I just want to know what, if anything, I can look for
> in the traffic that will indicate encryption (e.g., is the initiation
> of key-exchanges easy to locate?).

There are two possibilities:

(a) capture session traffic over the wire and from that demonstrate the
traffic is encrypted. Unless the plaintext is obviously ascii or otherwise
readily identifiable, this might be a bit tricky. Probably the only 100%
certain answer is to be able to decrypt the session traffic.

(b) connect to the remote network port using eg. netcat (see nc(1)), telnet
or 'openssl s_client' -- in the first two cases the idea would be to check
that the server would not permit an unencrypted session; for the last case
the idea is to check that the connection does handle presenting keys and
certs correctly. Obviously this will depend on knowledge of how your
particular communications protocol works.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
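An added example, not from this thread or from any FreeBSD tool, of doing approach (a) by script rather than by eye: read a file written with `tcpdump -s 0 -w`, pull out each TCP payload, and label it from protocol markers (a TLS record header with the handshake type, an SSH version banner) before falling back to printable ratio and byte entropy. The capture it parses is constructed inline (made-up addresses and ports, hash-derived bytes standing in for ciphertext, a minimal TLS 1.2 ClientHello); the second capture is the same frames cut at a 96-byte snaplen to show what a capture without `-s 0` loses. Only Ethernet/IPv4/TCP is handled and the entropy threshold of 7.0 bits per byte is a rule of thumb, not a proof that anything is encrypted.

```python
"""Label TCP payloads from a pcap as plaintext, TLS/SSH handshake marker, or high-entropy.
Added example, not part of the original mailing-list thread; all packets are constructed."""
import hashlib
import math
import struct
from collections import Counter

HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             12: "ServerKeyExchange", 16: "ClientKeyExchange", 20: "Finished"}
RECORD = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}


def shannon_entropy(data):
    """Bits per byte; 8.0 is the ceiling, a few hundred bytes of ciphertext sit well above 7."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def printable_ratio(data):
    return sum(0x20 <= b < 0x7F or b in (9, 10, 13) for b in data) / len(data) if data else 0.0


def classify_payload(data):
    """Protocol markers first (cheap and unambiguous), statistics only as a fallback."""
    if not data:
        return "empty"
    # TLS record header: content type 20..23, version 3.x (SSLv3 through TLS 1.3).
    if len(data) >= 5 and data[0] in RECORD and data[1] == 3 and data[2] <= 4:
        if data[0] == 22 and len(data) >= 6:
            return "tls-handshake:" + HANDSHAKE.get(data[5], "type%d" % data[5])
        return "tls-record:" + RECORD[data[0]]
    if data.startswith(b"SSH-"):  # the SSH version exchange precedes key exchange
        return "ssh-banner"
    if printable_ratio(data) >= 0.95:
        return "plaintext"
    if shannon_entropy(data) >= 7.0:  # rule of thumb, assumed threshold
        return "high-entropy"
    return "binary"


def tcp_payloads(pcap):
    """Yield (sport, dport, payload, truncated) for IPv4/TCP segments in an Ethernet pcap."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[pcap[:4]]
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET is handled here")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack(order + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        ip = frame[14:]
        ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total_len]
        if ip[9] != 6 or len(tcp) < 20:
            continue
        # A short snaplen (tcpdump without -s 0) leaves the IP length intact but the bytes missing.
        truncated = len(ip) < total_len
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield sport, dport, tcp[(tcp[12] >> 4) * 4:], truncated


def summarize(pcap):
    """Labels for every complete segment, plus a count of segments cut short by the snaplen."""
    labels, cut = [], 0
    for _s, _d, payload, truncated in tcp_payloads(pcap):
        if truncated:
            cut += 1
        else:
            labels.append(classify_payload(payload))
    return labels, cut


# ---- constructed sample capture: made-up hosts 10.0.0.1 / 10.0.0.2 and ports ----
def _frame(sport, dport, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_pcap(frames, snaplen=65535):
    """Write a classic little-endian pcap, cutting frames at snaplen the way tcpdump -s does."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f[:snaplen]), len(f)) + f[:snaplen]
    return out


def _noise(n):  # deterministic hash-derived bytes standing in for ciphertext
    return b"".join(hashlib.sha256(b"noise%d" % i).digest() for i in range(n // 32))


# Minimal TLS 1.2 ClientHello: record header, handshake header, version, random, no session id,
# one cipher suite (0x002f), null compression, no extensions.
CLIENT_HELLO = (b"\x16\x03\x01\x00\x2d" + b"\x01\x00\x00\x29" + b"\x03\x03" + _noise(32)
                + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00")
FRAMES = [
    _frame(50000, 443, CLIENT_HELLO),
    _frame(50001, 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    _frame(22, 50002, b"SSH-2.0-OpenSSH_5.2\r\n"),
    _frame(50000, 443, b"\x17\x03\x03\x00\x40" + _noise(64)),
    _frame(22, 50002, _noise(512)),
]
FULL_CAPTURE = build_pcap(FRAMES)          # what 'tcpdump -s 0 -w full.pcap' would give
DEFAULT_CAPTURE = build_pcap(FRAMES, 96)   # an older default snaplen

if __name__ == "__main__":
    print(summarize(FULL_CAPTURE))
    print(summarize(DEFAULT_CAPTURE))
```

With the full capture every segment gets a label; with the 96-byte snaplen the ClientHello, the application-data record and the large encrypted segment are all reported as truncated and only the two short plaintext banners survive, which is the practical reason for the '-s 0' hint above. For a real file, replace `FULL_CAPTURE` with `open("full.pcap", "rb").read()`.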