Re: [PLUG] tcpdump whiz?

2016-02-25 Thread Michael Rasmussen

I may be able to wrangle an agreement to install ssldump. 
Life will be easier if I can get it done with tcpdump.

The goal is to capture the SSL handshake packets and then 
check for which devices are not using approved cipher suites.

A make my life really easy solution would spit out the IP address
of the server and the cipher suite agreed on with the client.

Though in our case both entities are servers or load balancers,
it's not client in the end user sense.


On Thu, Feb 25, 2016 at 07:43:56PM -0800, Martin A. Brown wrote:
> 
> Hi there,
> 
> >I have a group of systems that I need to monitor for use of 
> >approved SSL cipher suites. Wireshark is not available on them. 
> >tcpdump is the tool I need to use.
> 
> >Do you know, or know someone who would know, how to construct a 
> >tcpdump filter that matches only packets for the SSL handshake?
> >
> >Due to the volume of traffic on the systems I cannot capture 
> >everything and filter later.
> >
> >The most useful hint found so far is at: 
> >http://serverfault.com/questions/574405/tcpdump-server-hello-certificate-filter
> 
> I'll take a stab at your question from a slightly different angle.  
> 
> Rather than trying to get the BPF just right for something that is a 
> few layers higher in the stack (and requires some stream 
> reassembly logic), perhaps you could try a tool that operates on the 
> stream.
> 
> I know you mentioned that wireshark was not available.  Are you able 
> to install software on these systems?  If so, then you may find that 
> the ssldump program [0] provides you output detail that is closer to 
> your desired question.
> 
> I have never used ssldump in production, but it seems a handy little 
> tool:
> 
>   ssldump  -i "${INTERFACE}" -P
> 
> The -i specifies interface.  The -P says, don't get promiscuous. 
> Hopefully it is in your upstream distribution.  I find it in the 
> stock repositories for both OpenSUSE-13.2 and Ubuntu-14.04.3.
> 
> Need to capture the textual output?  Use, tee, maybe?
> 
> Die, RC4, die [1].
> 
> -Martin
> 
>  [0] http://ssldump.sourceforge.net/
>  [1] https://tools.ietf.org/html/rfc7465
> 
> -- 
> Martin A. Brown
> http://linux-ip.net/
> ___
> PLUG mailing list
> PLUG@lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
> 

-- 
  Michael Rasmussen, Portland Oregon  
Be Appropriate && Follow Your Curiosity
The weak can never forgive. Forgiveness is the attribute of the strong. 
~ Mahatma Gandhi 


Re: [PLUG] tcpdump whiz?

2016-02-25 Thread Martin A. Brown

Hi there,

>I have a group of systems that I need to monitor for use of 
>approved SSL cipher suites. Wireshark is not available on them. 
>tcpdump is the tool I need to use.

>Do you know, or know someone who would know, how to construct a 
>tcpdump filter that matches only packets for the SSL handshake?
>
>Due to the volume of traffic on the systems I cannot capture 
>everything and filter later.
>
>The most useful hint found so far is at: 
>http://serverfault.com/questions/574405/tcpdump-server-hello-certificate-filter

I'll take a stab at your question from a slightly different angle.  

Rather than trying to get the BPF just right for something that is a 
few layers higher in the stack (and requires some stream 
reassembly logic), perhaps you could try a tool that operates on the 
stream.

I know you mentioned that wireshark was not available.  Are you able 
to install software on these systems?  If so, then you may find that 
the ssldump program [0] provides you output detail that is closer to 
your desired question.

I have never used ssldump in production, but it seems a handy little 
tool:

  ssldump  -i "${INTERFACE}" -P

The -i specifies interface.  The -P says, don't get promiscuous. 
Hopefully it is in your upstream distribution.  I find it in the 
stock repositories for both OpenSUSE-13.2 and Ubuntu-14.04.3.

Need to capture the textual output?  Use, tee, maybe?

Die, RC4, die [1].

-Martin

 [0] http://ssldump.sourceforge.net/
 [1] https://tools.ietf.org/html/rfc7465

-- 
Martin A. Brown
http://linux-ip.net/


Re: [PLUG] tcpdump whiz?

2016-02-25 Thread Louis Kowolowski

From the link you posted:

tcpdump -i any -s 1500 '(tcp[((tcp[12:1] & 0xf0) >> 2)+5:1] = 0x01) and (tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16)'

This captures the SSL handshake (0x16), and the hello (0x01). Seems reasonable 
that you could delete the expression for hello and end up with:

tcpdump -i any -s 1500 '(tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16)'

Does this not work?

> On Feb 25, 2016, at 6:08 PM, Michael Rasmussen  wrote:
> 
> I have a group of systems that I need to monitor for use of approved SSL 
> cipher suites.
> Wireshark is not available on them. tcpdump is the tool I need to use.
> 
> Do you know, or know someone who would know, how to construct a tcpdump filter 
> that matches
> only packets for the SSL handshake?
> 
> Due to the volume of traffic on the systems I cannot capture everything and 
> filter later.
> 
> The most useful hint found so far is at:
> http://serverfault.com/questions/574405/tcpdump-server-hello-certificate-filter
> 
> 
> 
> --
>  Michael Rasmussen, Portland Oregon
>Be Appropriate && Follow Your Curiosity
> People play badly for various reasons; the most common one is failure
> to judge what they currently produce as inadequate.
>~ Tony Pay (on a Clarinet discussion list)

--
Louis Kowolowski   lou...@cryptomonkeys.org
Cryptomonkeys:   http://www.cryptomonkeys.com/

Making life more interesting for people since 1977



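Two things in this thread fit together: Michael wants the server IP and the cipher suite each server actually negotiated, and Louis's filter selects TLS records by reading the TCP data offset out of `tcp[12]` and checking the record type (0x16) and handshake message type (0x01). The following is an added example, not code from anyone on the list. It reproduces the filter's offset arithmetic in Python, then parses the ServerHello (handshake type 0x02, the message that carries the chosen suite) and compares the suite against an approved list. The TCP segments, the 192.0.2.x addresses and the `APPROVED_SUITES` policy are all constructed for illustration; in practice the segments would come from a pcap written by the tcpdump command above.

```python
"""Pull the negotiated cipher suite out of TLS ServerHello records (added example)."""
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake (the 0x16 in the BPF)
CLIENT_HELLO = 0x01    # handshake message type (the 0x01 in the BPF)
SERVER_HELLO = 0x02    # handshake message type that carries the chosen suite

# Hypothetical site policy: only forward-secret AEAD suites are approved.
APPROVED_SUITES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
}
# RC4 suites, prohibited by RFC 7465 (reference [1] in the thread).
KNOWN_BAD = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA"}


def tcp_payload(segment):
    """Same offset math as the BPF: the high nibble of tcp[12] is the data
    offset in 32-bit words, so (tcp[12] & 0xf0) >> 2 is the offset in bytes."""
    data_offset = (segment[12] & 0xF0) >> 2
    return segment[data_offset:]


def is_handshake(payload, msg_type=None):
    """True when the payload begins a TLS handshake record, optionally of one message type."""
    if len(payload) < 6 or payload[0] != TLS_HANDSHAKE:
        return False
    return msg_type is None or payload[5] == msg_type


def server_hello_cipher(payload):
    """Return the cipher suite id selected in a ServerHello, or None if this is not one.

    Layout: record header (5) | handshake header (4) | version (2) | random (32)
            | session_id_len (1) | session_id | cipher_suite (2) | compression (1) ...
    """
    if not is_handshake(payload, SERVER_HELLO):
        return None
    pos = 5 + 4 + 2 + 32
    if len(payload) < pos + 1:
        return None
    pos += 1 + payload[pos]            # skip session id length byte and session id
    if len(payload) < pos + 2:
        return None
    return struct.unpack_from("!H", payload, pos)[0]


def audit(segments):
    """For each (server_ip, tcp_segment) holding a ServerHello, report (ip, suite, approved?)."""
    results = []
    for ip, seg in segments:
        suite = server_hello_cipher(tcp_payload(seg))
        if suite is not None:
            results.append((ip, suite, suite in APPROVED_SUITES))
    return results


def suite_name(suite):
    return APPROVED_SUITES.get(suite) or KNOWN_BAD.get(suite) or "0x%04X" % suite


# --- constructed sample traffic (not captured data) -------------------------
def make_server_hello(cipher, session_id=b""):
    """Build a minimal TLS 1.2 ServerHello record."""
    body = (b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
            + struct.pack("!H", cipher) + b"\x00")            # null compression
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 3, 3]) + struct.pack("!H", len(handshake)) + handshake


def make_tcp_segment(payload, options=b""):
    """Zeroed 20-byte TCP header with a correct data offset, plus options and payload."""
    header = bytearray(20)
    header[12] = ((20 + len(options)) // 4) << 4   # data offset in 32-bit words
    header[13] = 0x18                              # PSH|ACK
    return bytes(header) + options + payload


SAMPLE = [
    ("192.0.2.10", make_tcp_segment(make_server_hello(0xC02F))),
    # 12 bytes of TCP options: the data offset is 32, which the BPF math must follow
    ("192.0.2.20", make_tcp_segment(make_server_hello(0x0005, b"\x01" * 8), options=bytes(12))),
    ("192.0.2.30", make_tcp_segment(b"GET / HTTP/1.1\r\n")),   # not TLS at all
]

if __name__ == "__main__":
    for ip, suite, ok in audit(SAMPLE):
        print(ip, suite_name(suite), "approved" if ok else "NOT APPROVED")
```

Running it lists 192.0.2.10 as approved and 192.0.2.20 (RC4) as not approved; the plain HTTP segment is skipped because its first payload byte is not 0x16. Capturing only handshake records, as the filter does, keeps the volume manageable while still leaving enough to answer the cipher-suite question; dropping the `0x01` clause, as Louis suggests, is what lets the ServerHello through at all.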


Re: [PLUG] tcpdump whiz?

2016-02-25 Thread Michael Rasmussen

On Thu, Feb 25, 2016 at 04:24:34PM -0800, Ishak Micheil wrote:
> Jim Hassing knows.
No he doesn't. We've already chatted about it.

For those of you scratching your heads over that exchange, Jim, Ishak, and I 
share a common employer.


> On Feb 25, 2016 16:11, "Michael Rasmussen"  wrote:
> 
> > I have a group of systems that I need to monitor for use of approved SSL
> > cipher suites.
> > Wireshark is not available on them. tcpdump is the tool I need to use.
> >
> > Do you know, or know someone who would know, how to construct a tcpdump
> > filter that matches
> > only packets for the SSL handshake?
> >
> > Due to the volume of traffic on the systems I cannot capture everything
> > and filter later.
> >
> > The most useful hint found so far is at:
> >
> > http://serverfault.com/questions/574405/tcpdump-server-hello-certificate-filter
> >
> >
> >
> > --
> >   Michael Rasmussen, Portland Oregon
> > Be Appropriate && Follow Your Curiosity
> > People play badly for various reasons; the most common one is failure
> > to judge what they currently produce as inadequate.
> > ~ Tony Pay (on a Clarinet discussion list)
> 

-- 
  Michael Rasmussen, Portland Oregon  
Be Appropriate && Follow Your Curiosity
Too often we enjoy the comfort of opinion without the discomfort of thought.
~ John F. Kennedy