Network traffic monitoring: BSD monitor verifying encryption
Hi folks: (1) I'm only used Wireshark and Ethereal to inspect network traffic, and I've only used these on several occasion. Would someone suggest FreeBSD alternatives (console or xserver based? (2) I'm testing my connection to a remote server. The connection is supposed to be encrypted. What's the easiest way to verify that the data is in fact being encrypted? I don't care to validate the encryption itself; I trust that it is working properly, if it's working at all. I just want to know what, if anything, I can look for in the traffic that will indicate encryption (e.g., is the initiation of key-exchanges easy to locate?). ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Network traffic monitoring: BSD monitor verifying encryption
Daniel Underwood wrote: Hi folks: (1) I'm only used Wireshark and Ethereal to inspect network traffic, and I've only used these on several occasion. Would someone suggest FreeBSD alternatives (console or xserver based? tcpdump(1). It can save to a pcap file for later review within Wireshark if required. (2) I'm testing my connection to a remote server. The connection is supposed to be encrypted. What's the easiest way to verify that the data is in fact being encrypted? I don't care to validate the encryption itself; I trust that it is working properly, if it's working at all. I just want to know what, if anything, I can look for in the traffic that will indicate encryption (e.g., is the initiation of key-exchanges easy to locate?). It depends on the traffic type, and the protocol. When in doubt, you could always capture the entire packet, dump them into a file, and then review the data to ensure it isn't in plaintext: # tcpdump -n -i em5 -s 0 -w /var/log/cap.pcap host x.x.x.x and port Then you can read it back in with tcpdump later, or scp the file to a GUI based workstation and view it in Wireshark (which is my preference). Wireshark displaying SSH traffic will for instance tell you straight-up in the Info field that the packet is Encrypted response packet len=xxx. It does the same for IPSec etc. Steve smime.p7s Description: S/MIME Cryptographic Signature
Re: Network traffic monitoring: BSD monitor verifying encryption
Daniel Underwood wrote: Hi folks: (1) I'm only used Wireshark and Ethereal to inspect network traffic, and I've only used these on several occasion. Would someone suggest FreeBSD alternatives (console or xserver based? wireshark, formerly known as ethereal works just fine on FreeBSD. If you want a console based variant, there's tshark, which is just wireshark without X11 support. All in the ports: net/wireshark, net/tshark As mentioned elsewhere, you can use tcpdump (bundled with the system) to capture traffic that you can later feed into wireshark for analysis. Handy hint: be aware that tcpdump generally only captures the packet headers and not the full packet content. To capture everything add '-s 0' to the tcpdump command line. (2) I'm testing my connection to a remote server. The connection is supposed to be encrypted. What's the easiest way to verify that the data is in fact being encrypted? I don't care to validate the encryption itself; I trust that it is working properly, if it's working at all. I just want to know what, if anything, I can look for in the traffic that will indicate encryption (e.g., is the initiation of key-exchanges easy to locate?). There are two possibilities: (a) capture session traffic over the wire and from that demonstrate the traffic is encrypted. Unless the plaintext is obviously ascii or otherwise readily identifiable, this might be a bit tricky. Probably the only 100% certain answer is to be able to decrypt the session traffic. (b) connect to the remote network port using eg. netcat (see nc(1)), telnet or 'openssl s_client' -- in the first two cases the idea would be to check that the server would not permit an unencrypted session; for the last case the idea is to check that the connection does handle presenting keys and certs correctly. Obviously this will depend on knowledge of how your particular communications protocol works. Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW signature.asc Description: OpenPGP digital signature
Re: Network traffic monitoring: BSD monitor verifying encryption
Thanks for the help. I couldn't find any flags/fields in TCP packets indicated whether encrypted (as in the case of SSH packets). There isn't any, right? ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Network traffic monitoring: BSD monitor verifying encryption
Daniel Underwood wrote: Thanks for the help. I couldn't find any flags/fields in TCP packets indicated whether encrypted (as in the case of SSH packets). There isn't any, right? No. TCP (Transport Layer) knows nothing about encryption/encoding, and hence there is no room (or need) within the headers to signify those details. TCP provides reliable data transit, and really nothing more. Encryption happens higher up in the stack, and it is the responsibility of the application (or some function) to do this work. TCP provides the connection, in which you can throw any type of data you please. It does not care what type of data you put into it; it has no way of inherently finding that out. To find out the flags/configuration/techniques used by the application before it stuffs it's data into a packet, you have to read the data after it's been extracted from the packet all the way up near the application layer. Wireshark can 'dissect' each packet for numerous applications and protocols, hence it has the ability to inform you about encryption as in my previous SSH example. That is why I captured the entire packet with tcpdump (via the -s0 flag). If you don't, tcpdump will not capture enough information to decode the packet. Steve smime.p7s Description: S/MIME Cryptographic Signature
Re: Network traffic monitoring: BSD monitor verifying encryption
Daniel Underwood wrote: Thanks for the help. I couldn't find any flags/fields in TCP packets indicated whether encrypted (as in the case of SSH packets). There isn't any, right? Correct: there isn't anything like that in the TCP headers. Encryption on TCP streams is an application level thing that only affects packet payloads. There are transport layer encryption protocols -- eg. IPSec, OpenVPN, etc. -- but those allow tunnelling TCP streams through them and aren't necessarily TCP themselves. Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW signature.asc Description: OpenPGP digital signature
