Servers & Networking: Discuss any Fedora server problems and Networking issues such as dhcp, IP numbers, wlan, modems, etc.

19th August 2010, 01:10 AM
Registered User
Join Date: Jun 2006
Posts: 26

T-like utility for sniffing/logging TCP connections
I need a utility to record the traffic on a particular TCP port. I know there are packet sniffers that can do this, but I don't need to monitor the wire, just the traffic to and from my own computer. I would assume there is something out there that can hook into the TCP stack and copy the data to a file just before/after it goes out/in, but my Google-fu has failed me.
Thanks.
Edit: NVM - Found tcpdump
Last edited by mathteacher; 19th August 2010 at 01:21 AM.
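As an added example, not part of the original thread or of tcpdump itself: a small POSIX shell wrapper that does what the first post asks for, recording only the traffic on one TCP port that involves this host, and writing it to a pcap file that tcpdump or Wireshark can read back later. It assumes tcpdump is installed and that the script runs as root (or with CAP_NET_RAW); the interface name, IP address and file names are placeholders.

```shell
#!/bin/sh
# Added example: capture one TCP port's traffic to/from this host with tcpdump.
# Assumes tcpdump is installed and that we run as root or with CAP_NET_RAW.

# Build a BPF filter that keeps only PORT traffic involving LOCAL_IP, so a
# capture on a shared segment does not pick up other hosts' conversations.
bpf_filter() {
    port=$1
    local_ip=$2
    printf 'tcp port %s and host %s' "$port" "$local_ip"
}

# Accept only an integer in 1..65535 as a port number.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Capture on IFACE (default: all interfaces), whole packets (-s 0), no name
# resolution (-nn), and rotate the output every 100 MB keeping 5 files
# (-C/-W) so a long-running capture cannot fill the disk.
capture_port() {
    port=$1
    local_ip=$2
    iface=${3:-any}
    out=${4:-port-$1.pcap}
    valid_port "$port" || { echo "bad port: $port" >&2; return 2; }
    tcpdump -i "$iface" -nn -s 0 -C 100 -W 5 -w "$out" \
        "$(bpf_filter "$port" "$local_ip")"
}

# Read a saved capture back, printing each packet's payload as ASCII (-A);
# this is enough to read a plaintext protocol, but an SSL/TLS stream will
# only show the handshake and opaque ciphertext.
show_capture() {
    tcpdump -nn -r "$1" -A
}

# Usage, when run directly:
#   ./capture.sh 8080 192.168.1.10 eth0 app.pcap   (placeholder values)
#   ./capture.sh  (no arguments: only defines the functions)
if [ $# -ge 2 ]; then
    capture_port "$@"
fi
```

The `host` clause is what keeps the capture to "my own computer" rather than the whole wire; the `-C`/`-W` rotation is worth keeping even on a workstation, because a busy port fills a pcap surprisingly fast.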

19th August 2010, 03:55 AM
Registered User
Join Date: Feb 2005
Location: Lansing, Mi
Age: 28
Posts: 2,222

Re: T-like utility for sniffing/logging TCP connections
Tcpdump you can just get you nice or the wire; also, for a GUI, Wireshark can filter on IP.

21st August 2010, 02:32 PM
Registered User
Join Date: Jun 2006
Posts: 26

Re: T-like utility for sniffing/logging TCP connections
OK, new question. tcpdump and wireshark were good finds, but the stream I'm trying to look at is SSL, and I need to see the application data. I don't have the server's private key, so ssldump is not an option. I know that if over the wire snooping on SSL communications were easy, it would be useless, but that's not really what I need. I just need to be able to look at the traffic coming in and out of my computer. What I really need is some way to hook into the TCP library and log traffic before it hits the SSL layer, maybe via a LD_PRELOAD or similar. Does anyone know of a way to do this?
Thanks,
Jay

21st August 2010, 02:48 PM
Registered User
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,107

Re: T-like utility for sniffing/logging TCP connections
Sorry, no such thing.
The SSL library is built into the application, specifically to prevent this.
What you would have to do is compile your own version of sshd, and tap into the data AFTER it has been decrypted, or (harder actually) bug the ssh client, but then the output data would be owned by the user...
NOTE: This can be highly illegal depending on your environment (as in your own personal system).
In any organizational environment (and especially government) this should ONLY be done during an investigation and with legal authority - get a memo of investigation and approval of the security officer and your supervisor.
There is an additional problem - ssh allows "tunneling" of other socket connections over an ssl TCP connection. If you dump all traffic, you could easily run out of space; second, you would have to preserve any stream tags. Remember, at a minimum you could be tunnelling the forwarded X window protocol to one or more windows. Also, if the user has sshfs installed, you get TONS of data from file I/O, directory information, all of it binary.
Without more information on what you are trying to do, I doubt we will be able to help.
Last edited by jpollard; 21st August 2010 at 02:54 PM.

21st August 2010, 04:02 PM
Registered User
Join Date: Jun 2006
Posts: 26

Re: T-like utility for sniffing/logging TCP connections
Okay, thanks for the info. I can perhaps do what I need to through judicious use of a debugger.
For the record, the only snooping/tampering I intend is on the data in and out of my own personal computer.

22nd August 2010, 12:30 AM
Registered User
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,107

Re: T-like utility for sniffing/logging TCP connections
Debugger won't help - it cannot decode the embedded data streams, nor will it easily handle the buffering - you will see multiplexed data (keys/data/headers) but no identification of what the data is.
Keystrokes, for instance, show up as 1 to about 6 bytes (the data) but then you add the headers, multiplexing flags, and any other data (it packs the data) which is then compressed prior to encryption and transmission.
Last edited by jpollard; 22nd August 2010 at 12:33 AM.

22nd August 2010, 02:05 AM
Registered User
Join Date: Apr 2006
Location: Ohio, USA
Posts: 8,302

Re: T-like utility for sniffing/logging TCP connections
Yeah well - some solid misinformation here. ssh does NOT use SSL - tho' it can use many of the same crypto libraries.
ssh/sshd do crypto in the application layer while SSL and its younger sibling TLS do crypto in the stack.
As said, you can't crack any of the common FIPS crypto without the key, or else a stack of mathematicians, supercomputers and time.
Anyway, ARE you trying to decrypt your ssh channel - or is it some other ssl/tls channel?
__________________
None are more hopelessly enslaved than those who falsely believe they are free.
Johann Wolfgang von Goethe