WebApp Sec mailing list archives

RE: Https sniffer

From: "Asaf Wexler" <Asaf.Wexler () breach com>
Date: Wed, 20 Jul 2005 05:56:47 -0400

Hi Kashmira,

I assume what you are asking for is the ability to *decrypt* the SSL
traffic, in addition to the ability to sniff in promiscuous mode.

All network sniffers today sniff in promiscuous mode, regardless of the
traffic type (http,https,etc.). However, almost none of them can do a
good job (if at all) in decrypting SSL traffic (given the server private
key, of course).

<Marketing Plug>

If you are looking for commercial solutions and not only open source
solutions, you can take a look at BreachView SSL (which I was
responsible for implementing).
BreachView SSL is a passive SSL decryption engine that can work with any
network sniffer (or NIDS), and it will feed the sniffer of your choice
with a stream of decrypted TCP packets.

</Marketing Plug>


HTH,
Asaf Wexler, Project Manager, R&D
Breach Security, Inc.

-----Original Message-----
From: Lyal Collins [mailto:lyal.collins () key2it com au] 
Sent: Wednesday, July 20, 2005 11:52 AM
To: 'Hugo Fortier'; 'Phalak, Kashmira Vijay'
Cc: vuln-dev () securityfocus com; webappsec () securityfocus com
Subject: RE: Https sniffer

I've tried ssldump recently but only obtained decrypts with a very
restricted set of SSL parameters - RSA and 3DES in my case.
I don't have the coding skills to approach this in order to resolve the
issues either, sorry.
Your mileage may vary...

Lyal


-----Original Message-----
From: Hugo Fortier [mailto:hfortier () recon cx] 
Sent: Wednesday, 20 July 2005 1:22 PM
To: Phalak, Kashmira Vijay
Cc: vuln-dev () securityfocus com; webappsec () securityfocus com
Subject: Re: Https sniffer


Hi Kashmira,

There is ssldump, it's not a HTTP Analyser but a SSL analyser you can  
find it at http://www.rtfm.com/ssldump/. ssldump will decrypt the  
data if provided with the good private key.

Hugo

On 19-Jul-05, at 8:58 PM, Phalak, Kashmira Vijay wrote:

Hi All,

Does anybody know a good https sniffer which can sniff in promiscuous 
mode? I tried HTTP Analyzer and it works great, but it does not have 
support for promiscuous mode.

Thanks,
Kashmira.

Current thread:

Https sniffer Phalak, Kashmira Vijay (Jul 19)
- Re: Https sniffer Hugo Fortier (Jul 19)
  - RE: Https sniffer Lyal Collins (Jul 20)
- Re: Https sniffer Garth Somerville (Jul 20)
- <Possible follow-ups>
- RE: Https sniffer Asaf Wexler (Jul 20)
- RE: Https sniffer Phalak, Kashmira Vijay (Jul 20)
  - RE: Https sniffer Garth Somerville (Jul 21)
  - Re: Https sniffer Rogan Dawes (Jul 21)
  - Re: Https sniffer Achim Hoffmann (Jul 21)
- RE: Https sniffer Erick Lee (Jul 21)
- RE: Https sniffer Phalak, Kashmira Vijay (Jul 21)