Network traffic monitoring: BSD monitor & verifying encryption
steve at ibctech.ca
Wed Jul 8 13:47:34 UTC 2009
Daniel Underwood wrote:
> Hi folks:
> (1) I've only used Wireshark and Ethereal to inspect network traffic,
> and I've only used these on several occasions. Would someone suggest
> FreeBSD alternatives (console or xserver based)?
tcpdump(1). It can save to a pcap file for later review within Wireshark.
> (2) I'm testing my connection to a remote server. The connection is
> supposed to be encrypted. What's the easiest way to verify that the
> data is in fact being encrypted? I don't care to validate the
> encryption itself; I trust that it is working properly, if it's
> working at all. I just want to know what, if anything, I can look for
> in the traffic that will indicate encryption (e.g., is the initiation
> of key-exchanges easy to locate?).
It depends on the traffic type, and the protocol.
When in doubt, you could always capture the entire packet, dump them
into a file, and then review the data to ensure it isn't in plaintext:
# tcpdump -n -i em5 -s 0 -w /var/log/cap.pcap host x.x.x.x and port xxxx
Then you can read it back in with tcpdump later, or scp the file to a
GUI based workstation and view it in Wireshark (which is my preference).
Wireshark displaying SSH traffic will for instance tell you straight-up
in the Info field that the packet is "Encrypted response packet
len=xxx". It does the same for IPSec etc.
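The reply above suggests capturing whole packets with tcpdump and then eyeballing the payloads to see whether anything readable leaks. The following is an added example, not code from the thread or from FreeBSD: it parses a classic pcap file (the format `tcpdump -w` writes), pulls out every TCP payload, and applies two cheap heuristics to each one: the fraction of printable bytes (plaintext protocols score high) and the Shannon entropy in bits per byte (ciphertext and compressed data score near 8). It also flags an SSH version banner, which is sent in the clear before the key exchange, so seeing `SSH-2.0-...` followed only by high-entropy payloads is the pattern Wireshark summarises as "Encrypted response packet". The three sample packets are constructed in the script (dummy MACs, 10.0.0.x addresses, a SHA-256 keystream as a stand-in for ciphertext); the thresholds are assumptions, not protocol facts.

```python
import hashlib
import math
import struct
from collections import Counter

# --- minimal classic-pcap writer, only used to construct sample input ---------------------------
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet


def build_frame(payload: bytes, src_port: int, dst_port: int) -> bytes:
    """Ethernet/IPv4/TCP frame around payload (constructed addresses, checksums left zero)."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp + payload


def build_pcap(frames) -> bytes:
    out = bytearray(PCAP_GLOBAL)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1247060000 + i, 0, len(frame), len(frame))  # ts, usec, incl, orig
        out += frame
    return bytes(out)


# --- reader: walk pcap records, peel Ethernet/IPv4/TCP, yield payloads --------------------------
def iter_tcp_payloads(pcap: bytes):
    magic = struct.unpack_from("<I", pcap, 0)[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"      # byte order depends on the writer's host
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:                                        # not TCP
            continue
        total_len = struct.unpack_from("!H", ip, 2)[0]
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        doff = (tcp[12] >> 4) * 4
        payload = tcp[doff:]
        if payload:
            yield sport, dport, payload


# --- heuristics: is this segment readable, or does it look like ciphertext? ---------------------
def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def classify(payload: bytes) -> str:
    if payload.startswith(b"SSH-"):                      # cleartext version banner precedes KEX
        return "ssh-banner"
    if printable_ratio(payload) > 0.90:                  # assumed threshold: readable protocol text
        return "plaintext"
    if len(payload) >= 64 and shannon_entropy(payload) > 6.0:   # assumed threshold: ciphertext-like
        return "high-entropy"
    return "binary"


def summarize(pcap: bytes):
    """One (src_port, dst_port, verdict) per TCP segment with data; this is what you would inspect."""
    return [(s, d, classify(p)) for s, d, p in iter_tcp_payloads(pcap)]


# constructed sample capture: SSH banner, a cleartext HTTP request, and a ciphertext stand-in
def keystream(n: int) -> bytes:          # deterministic pseudo-random bytes, NOT real encryption
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


SAMPLE_PCAP = build_pcap([
    build_frame(b"SSH-2.0-OpenSSH_5.2\r\n", 22, 50000),
    build_frame(b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", 50001, 80),
    build_frame(keystream(256), 22, 50000),
])

if __name__ == "__main__":
    for sport, dport, verdict in summarize(SAMPLE_PCAP):
        print(f"{sport} -> {dport}: {verdict}")
```

Point `iter_tcp_payloads(open("/var/log/cap.pcap", "rb").read())` at a real capture taken with the `tcpdump -s 0 -w` command from the reply to get the same verdicts; a session that is supposed to be encrypted should show at most a banner or handshake in the clear and only high-entropy segments afterwards, and any "plaintext" verdict mid-session is the thing worth opening in Wireshark.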