On Thu, 24 May 2012, Axel wrote:

> You can use tcpdump and wireshark to check the tcp and ssl handshake.

as Axel says, this is the best way to be *sure* it's happening under cover 
of SSL.  in case you want to see it done, here's one happening under SSL:

[user@www ~]$ sudo tcpdump -n -n -A port 5666
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:23:11.568787 IP 78.31.111.49.45411 > 193.219.118.100.5666: S 
1958463879:1958463879(0) win 14600 <mss 1460,sackOK,timestamp 318187570 
0,nop,wscale 5>
E..<[email protected]."t.........9..w.........
..(2........
10:23:11.568816 IP 193.219.118.100.5666 > 78.31.111.49.45411: S 
4064423968:4064423968(0) ack 1958463880 win 5792 <mss 1460,sackOK,timestamp 
3184336621 318187570,nop,wscale 7>
E..<..@[email protected],..vdN.o1.".c.B0 t..................
......(2....
10:23:11.574693 IP 78.31.111.49.45411 > 193.219.118.100.5666: . ack 1 win 457 
<nop,nop,timestamp 318187571 3184336621>
[email protected]}N.o1..vd.c."t....B0!....?Q.....
..(3....
10:23:11.575019 IP 78.31.111.49.45411 > 193.219.118.100.5666: P 1:78(77) ack 1 
win 457 <nop,nop,timestamp 318187571 3184336621>
[email protected]/N.o1..vd.c."t....B0!...........
..(3........H...D..O.OH...`+.%.Kp.gOG.
10:23:11.575036 IP 193.219.118.100.5666 > 78.31.111.49.45411: . ack 78 win 46 
<nop,nop,timestamp 3184336628 318187571>
E..4..@[email protected].".c.B0!t.......@......
......(3
10:23:11.576362 IP 193.219.118.100.5666 > 78.31.111.49.45411: P 1:240(239) ack 
78 win 46 <nop,nop,timestamp 3184336629 318187571>
E..#..@[email protected].".c.B0!t.......z9.....
......(3....Q...M..O.O.f...F..Xc:..3h~
10:23:11.581549 IP 78.31.111.49.45411 > 193.219.118.100.5666: . ack 240 win 490 
<nop,nop,timestamp 318187572 3184336629>
[email protected]{N.o1..vd.c."t....B1.....=......
..(4....

as you can see, the ASCII-rendered contents look like gibberish.  here's 
one *not* happening under SSL:

[user@www ~]$ sudo tcpdump -n -n -A port 5666
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:27:50.403064 IP 78.31.111.49.45449 > 193.219.118.100.5666: S 
2022207245:2022207245(0) win 14600 <mss 1460,sackOK,timestamp 318215453 
0,nop,wscale 5>
......9............d..."x.o
............
10:27:50.403095 IP 193.219.118.100.5666 > 78.31.111.49.45449: S 
1624596014:1624596014(0) ack 2022207246 win 5792 <mss 1460,sackOK,timestamp 
3184615495 318215453,nop,wscale 7>
E..<..@[email protected],..vdN.o1."..`.^.x.o......L.........
..`G........
10:27:50.408395 IP 78.31.111.49.45449 > 193.219.118.100.5666: . ack 1 win 457 
<nop,nop,timestamp 318215454 3184615495>
[email protected]"N.o1..vd..."x.o.`.^/....J......
......`G
10:27:50.409395 IP 78.31.111.49.45449 > 193.219.118.100.5666: P 1:1037(1036) 
ack 1 win 457 <nop,nop,timestamp 318215454 3184615495>
E..@[email protected]..."x.o.`.^/....:......
......`G........i7check_mysql.........
10:27:50.410281 IP 193.219.118.100.5666 > 78.31.111.49.45449: . ack 1037 win 62 
<nop,nop,timestamp 3184615502 318215454>
E..4>b@[email protected]."..`.^/x.s....>Hf.....
..`N....
10:27:50.427262 IP 193.219.118.100.5666 > 78.31.111.49.45449: P 1:1037(1036) 
ack 1037 win 62 <nop,nop,timestamp 3184615519 318215454>
E..@>c@[email protected]."..`.^/x.s....>^......
..`_........d=.d..QUERY OK: 'select *

note the name of the check (check_mysql) and the result (QUERY OK...) 
being passed back in plaintext.


-- 

       Tom Yates  -  http://www.teaparty.net

_______________________________________________
Nagios-users mailing list
https://lists.sourceforge.net/lists/listinfo/nagios-users
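
The same check done programmatically, as an added example that is not part of the original post: given the first TCP payload seen on port 5666, it tells a TLS/SSL handshake record apart from a plaintext NRPE v2 packet (the 77-byte and 1036-byte pushes in the two captures above). The function names are hypothetical, and the NRPE v2 layout (1036 bytes, CRC32 computed with the CRC field zeroed) is an assumption about the protocol, not something stated in the post.

```python
import struct
import zlib

NRPE_V2_LEN = 1036  # 10 header bytes + 1024-byte buffer + 2 alignment padding
NRPE_TYPES = {1: "query", 2: "response"}
# Constructed sample: TLS 1.0 handshake record carrying a 77-byte ClientHello
SAMPLE_TLS_HELLO = bytes.fromhex("1603010048010000440301") + bytes(66)

def build_nrpe_v2(ptype: int, result: int, text: str) -> bytes:
    """Construct a sample NRPE v2 packet (only used to make test input)."""
    head = struct.pack("!hh", 2, ptype)
    body = struct.pack("!h", result) + text.encode().ljust(1024, b"\0") + b"\0\0"
    crc = zlib.crc32(head + b"\0\0\0\0" + body) & 0xFFFFFFFF
    return head + struct.pack("!I", crc) + body

def classify_payload(data: bytes):
    """Return (kind, detail) for the first payload seen on the NRPE port."""
    # TLS record header: content type 0x16 (handshake), major version 3
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03:
        name = {1: "ClientHello", 2: "ServerHello"}.get(data[5], "handshake")
        return ("tls", name)
    # SSLv2-compatible ClientHello: high bit set in length, message type 1
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return ("tls", "SSLv2-style ClientHello")
    # Plaintext NRPE v2: fixed size, version 2, known type, valid CRC32
    if len(data) == NRPE_V2_LEN:
        version, ptype, crc, _result = struct.unpack("!hhIh", data[:10])
        zeroed = data[:4] + b"\0\0\0\0" + data[8:]
        if version == 2 and ptype in NRPE_TYPES and crc == zlib.crc32(zeroed) & 0xFFFFFFFF:
            text = data[10:1034].split(b"\0", 1)[0].decode("latin-1")
            return ("plaintext-nrpe", f"{NRPE_TYPES[ptype]}: {text}")
    return ("unknown", "")

if __name__ == "__main__":
    # Constructed payloads standing in for the two captures above
    for sample in (SAMPLE_TLS_HELLO, build_nrpe_v2(1, 0, "check_mysql")):
        print(len(sample), classify_payload(sample))
```

The captures above were taken with a 96-byte capture size, so the payloads are truncated; capture with `tcpdump -s 0` to get the full payload before feeding it to a check like this.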