Network traffic monitoring: BSD monitor & verifying encryption

Steve Bertrand steve at
Wed Jul 8 15:02:10 UTC 2009

Daniel Underwood wrote:
> Thanks for the help.
> I couldn't find any flags/fields in TCP packets indicated whether
> encrypted (as in the case of SSH packets).  There isn't any, right?

No. TCP (Transport Layer) knows nothing about encryption/encoding, and
hence there is no room (or need) within the headers to signify those
details. TCP provides reliable data transit, and really nothing more.

Encryption happens higher up in the stack, and it is the responsibility
of the application (or some function) to do this work.

TCP provides the connection, in which you can throw any type of data you
please. It does not care what type of data you put into it; it has no
way of inherently finding that out.

To find out the flags/configuration/techniques used by the application
before it stuffs it's data into a packet, you have to read the data
after it's been extracted from the packet all the way up near the
application layer.

Wireshark can 'dissect' each packet for numerous applications and
protocols, hence it has the ability to inform you about encryption as in
my previous SSH example.

That is why I captured the entire packet with tcpdump (via the -s0
flag). If you don't, tcpdump will not capture enough information to
decode the packet.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3233 bytes
Desc: S/MIME Cryptographic Signature
Url :

More information about the freebsd-questions mailing list