9:08 a.m.
Hi.
Trying to wrap my head around what I need to setup on a test system to
be able to capture/view (in a file or via app output) the https
traffic. My use case I have a test app talking to a remote server on
"https" and I want to be able to see what the traffic flow is in terms
of get/post cmds...
I see different sites/articles on the need to setup a proxy
server/certs and to then install/insert the cert in the "browser"
location. In my case I'm using a test headless browser, so I'm trying
to get a basic model of how this can work.
So, if anyone has insight/pointers feel free to share!!
thanks
11:33 a.m.
On Fri, 2018-07-13 at 10:08 -0400, bruce wrote:
Hi.
Trying to wrap my head around what I need to setup on a test system
to
be able to capture/view (in a file or via app output) the https
traffic. My use case I have a test app talking to a remote server on
"https" and I want to be able to see what the traffic flow is in
terms
of get/post cmds...
I see different sites/articles on the need to setup a proxy
server/certs and to then install/insert the cert in the "browser"
location. In my case I'm using a test headless browser, so I'm trying
to get a basic model of how this can work.
So, if anyone has insight/pointers feel free to share!!
thanks
_______________________________________________
users mailing list -- users(a)lists.fedoraproject.org
To unsubscribe send an email to users-leave(a)lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelin
es
List Archives: https://lists.fedoraproject.org/archives/list/users@li
sts.fedoraproject.org/message/UQPWHPKIWOIHMNJX3VQ245AKLEJ2SBER/
You might like to
check this out:
http://blamethenetwork.com/netpi-raspberry-pi-network-analyzer/
11:33 a.m.
On 07/13/2018 07:08 AM, bruce wrote:
Hi.
Trying to wrap my head around what I need to setup on a test system to
be able to capture/view (in a file or via app output) the https
traffic. My use case I have a test app talking to a remote server on
"https" and I want to be able to see what the traffic flow is in terms
of get/post cmds...
I see different sites/articles on the need to setup a proxy
server/certs and to then install/insert the cert in the "browser"
location. In my case I'm using a test headless browser, so I'm trying
to get a basic model of how this can work.
So, if anyone has insight/pointers feel free to share!!
If the browser is Linux-based, use tcpdump to capture all of the traffic
between the browser and server and save it to a file. Run this in a
separate CLI window on the browser machine as root:
tcpdump -i any -vvv -w <save-file> host <name-of-server>
Once you've captured all the traffic, copy <save-file> to a machine
with a GUI and use wireshark-gtk to analyze the file:
wireshark-gtk -r <save-file>
Pretty standard fare.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital ricks(a)alldigital.com -
- AIM/Skype: therps2 ICQ: 226437340 Yahoo: origrps2 -
- -
- Programmers often confuse Halloween and Christmas. -
- After all, 31 Oct is the same as 25 Dec! -
----------------------------------------------------------------------
1:12 p.m.
On 13.07.2018 18:33, Rick Stevens wrote:
On 07/13/2018 07:08 AM, bruce wrote:
> Trying to wrap my head around what I need to setup on a test
system to
> be able to capture/view (in a file or via app output) the https
> traffic. My use case I have a test app talking to a remote server on
> "https" and I want to be able to see what the traffic flow is in terms
> of get/post cmds...
>
> I see different sites/articles on the need to setup a proxy
> server/certs and to then install/insert the cert in the "browser"
> location. In my case I'm using a test headless browser, so I'm trying
> to get a basic model of how this can work.
>
> So, if anyone has insight/pointers feel free to share!!
If the browser is Linux-based, use tcpdump to capture all of the traffic
between the browser and server and save it to a file. Run this in a
separate CLI window on the browser machine as root:
The OP want to look into TLS encrypted traffic. tcpdump will not help in
this case. There is no way around to use a special proxy in between and
place a custom CA into the client.
best regards
Ulf
3:37 p.m.
On 07/13/2018 11:12 AM, Ulf Volmer wrote:
The OP want to look into TLS encrypted traffic. tcpdump will not help in
this case. There is no way around to use a special proxy in between and
place a custom CA into the client.
It's complex, but not impossible. Firefox, for example, can log the
session keys, and those can be used in conjunction with a pcap file for
analysis:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format
Although, if Firefox is the "headless browser" that you're using, you
can just log the HTTP traffic:
https://developer.mozilla.org/en-US/docs/Mozilla/Debugging/HTTP_logging
Firefox makes an excellent test client, in general:
https://firefox-source-docs.mozilla.org/testing/marionette/doc/marionette...
http://marionette-client.readthedocs.io/en/latest/interactive.html
4:30 p.m.
On 13.07.2018 22:37, Gordon Messmer wrote:
On 07/13/2018 11:12 AM, Ulf Volmer wrote:
>
> The OP want to look into TLS encrypted traffic. tcpdump will not help in
> this case. There is no way around to use a special proxy in between and
> place a custom CA into the client.
It's complex, but not impossible. Firefox, for example, can log the
session keys, and those can be used in conjunction with a pcap file for
analysis:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format
Thanks for the links. BTW: looks like that this feature is disabled in
the fedora firefox version. But work with the version from mozilla.org.
best regards
Ulf
1:07 p.m.
On 07/13/2018 07:08 AM, bruce wrote:
I see different sites/articles on the need to setup a proxy
server/certs and to then install/insert the cert in the "browser"
location. In my case I'm using a test headless browser, so I'm trying
to get a basic model of how this can work.
Encryption algorithms with PFS are gaining more widespread use, and
those make passive decryption of traffic more difficult. That's why
most of the advice you see on this topic right now involves the use of a
proxy server that terminates the TLS connection and relays the
requests. (BTW, this is not the "normal" mode of operation for a proxy
server, which simply passes-through the encrypted connection).
I don't have any such systems in operation, but I think this one does
what you want to do:
https://mitmproxy.org/
5:34 p.m.
Hi.
Am Freitag, den 13.07.2018, 10:08 -0400 schrieb bruce:
Hi.
Trying to wrap my head around what I need to setup on a test system
to
be able to capture/view (in a file or via app output) the https
traffic. My use case I have a test app talking to a remote server on
"https" and I want to be able to see what the traffic flow is in
terms
of get/post cmds...
Are you trying to reverse enginiier an application? That's nasty, bad
boy. ;-)
To answer your question. Squid can do this for you. You can make it
decrypt the data end encrypt it with a certificate issued by yourself.
AFAIK you should even be able to let squid log what happens on the
https connection.
It should also be possible to use Apache as a reverse proxy to do the
same. Probably even without the need to encrypt the connection on "your
side".
I was never in need to do this myself, but I think I remember docs
telling about the possibility to "abuse" both services for this case.
Remember to import your cert, or CA into the test app, otherwise it
should complain and deny using the connection.
Regards,
Dirk
--
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350
7:58 p.m.
On 07/14/2018 03:34 PM, Dirk Gottschalk via users wrote:
To answer your question. Squid can do this for you. You can make it
decrypt the data end encrypt it with a certificate issued by yourself.
AFAIK you should even be able to let squid log what happens on the
https connection.
It should also be possible to use Apache as a reverse proxy to do the
same. Probably even without the need to encrypt the connection on "your
side".
I think this is the right document for Squid:
https://wiki.squid-cache.org/Features/SslPeekAndSplice
I don't see any document describing a similar feature in Apache. The
normal mode of operation for proxy servers is to tunnel the TLS
connection, so a standard HTTP proxy won't be able to inspect encrypted
connections.
2106
days inactive
2108
days old
8 comments
6 participants
participants (6)
-
bruce -
Dirk Gottschalk -
Gordon Messmer -
Howard Howell -
Rick Stevens -
Ulf Volmer