Network traffic monitoring: BSD monitor & verifying encryption

Steve Bertrand steve at
Wed Jul 8 13:47:34 UTC 2009

Daniel Underwood wrote:
> Hi folks:
> (1) I've only used Wireshark and Ethereal to inspect network traffic,
> and I've only used these on several occasions.  Would someone suggest
> FreeBSD alternatives (console or xserver based)?

tcpdump(1). It can save to a pcap file for later review within Wireshark
if required.

> (2) I'm testing my connection to a remote server.  The connection is
> supposed to be encrypted. What's the easiest way to verify that the
> data is in fact being encrypted?  I don't care to validate the
> encryption itself; I trust that it is working properly, if it's
> working at all.  I just want to know what, if anything, I can look for
> in the traffic that will indicate encryption (e.g., is the initiation
> of key-exchanges easy to locate?).

It depends on the traffic type, and the protocol.

When in doubt, you could always capture the entire packet, dump them
into a file, and then review the data to ensure it isn't in plaintext:

# tcpdump -n -i em5 -s 0 -w /var/log/cap.pcap host x.x.x.x and port xxxx

Then you can read it back in with tcpdump later, or scp the file to a
GUI-based workstation and view it in Wireshark (which is my preference).

Wireshark displaying SSH traffic will for instance tell you straight-up
in the Info field that the packet is "Encrypted response packet
len=xxx". It does the same for IPSec etc.

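As an added example (not part of the thread above), a small Python script that does the "review the data to ensure it isn't in plaintext" pass over a file written with `tcpdump -w`: it walks the classic libpcap file, pulls out each TCP payload and labels it using a printable-ratio/entropy heuristic plus the cleartext SSH banner and TLS record markers. The thresholds, the sample capture builder and the 10.0.0.x addresses are my own assumptions; the heuristic flags cleartext, it does not prove anything about the cipher.

```python
import math
import struct

PRINTABLE_MAX, ENTROPY_MIN = 0.75, 6.0   # assumed cut-offs: printable ratio, bits/byte

def entropy(data):
    """Shannon entropy in bits per byte, 0.0 for empty input."""
    n = len(data)
    return -sum(c / n * math.log2(c / n)
                for c in (data.count(b) for b in set(data))) if n else 0.0

def classify(payload):
    """Label one TCP payload; a heuristic that catches cleartext, nothing more."""
    if not payload:
        return "empty"
    if payload.startswith(b"SSH-"):
        return "ssh-banner"         # version exchange is cleartext by design
    if payload[:1] == b"\x16" and payload[1:2] == b"\x03":
        return "tls-handshake"      # TLS record type 22, version 3.x
    printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in payload) / len(payload)
    if printable > PRINTABLE_MAX:
        return "plaintext"
    return "likely-encrypted" if entropy(payload) >= ENTROPY_MIN else "binary"

def tcp_payloads(pcap):
    """Yield (src, dst, payload) per Ethernet/IPv4/TCP frame of a libpcap file."""
    end = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24                                    # skip the global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                            # not IPv4
        ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]
        if ip[9] != 6:
            continue                            # not TCP
        tcp = ip[(ip[0] & 0x0F) * 4:]
        src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
        yield src, dst, tcp[(tcp[12] >> 4) * 4:]

def build_pcap(payloads):
    """Constructed sample capture (10.0.0.1 -> 10.0.0.2:22), not a real trace."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for p in payloads:
        tcp = struct.pack("!HHIIBBHHH", 40000, 22, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + p
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + tcp
        frame = b"\x00" * 12 + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out
```

On a real capture, read the file with `open(path, "rb").read()` and feed it to `tcp_payloads`; any segment labelled `plaintext` on the port you expected to be protected is the thing to look at.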