Today I had some “low-level fun” at the office: a colleague asked me for proof that the traffic to his (HTTPS) site is secure.
I suggested he use Wireshark for this kind of test, but I had my SLAX VM open and ready! =)
I opened two consoles; the whole test is just two commands! The first one sniffs the network traffic, the second emulates a browser making GET requests.
One note: I was behind a proxy (10.10.0.1:3456 …this is fake if you’re wondering), so I needed to tell the OS where to redirect my HTTP/HTTPS traffic:
export http_proxy=10.10.0.1:3456
export https_proxy=10.10.0.1:3456
Now that I’m proxied, every request goes to port 3456, so I can listen to all the TCP traffic on that port, including request and response headers and message bodies.
I used tcpdump
tcpdump -A -s 0 'tcp port 3456 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
(Thx to jimmyxu101 for the filter syntax)
To emulate a GET request I used wget.
wget -S -O - http://www.google.com
This kind of call uses port 80 (plain HTTP). It prints the server response headers (-S) and dumps the body (-O -) to stdout.
To make the GET over HTTPS (443):
wget --no-check-certificate -S -O - https://www.google.com
This command also dumps the result to stdout.
Voilà…on the wget terminal I can see all the traffic in clear (as my browser does), while on the tcpdump terminal I can read clearly ONLY the :80 traffic; the HTTPS session shows up as nothing but opaque TLS bytes.
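As an added example (not part of the original post), the Python below re-implements the arithmetic of the tcpdump filter above, (ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2), on constructed packets, so you can see why an empty ACK is dropped by the "!= 0" clause while both the HTTP request and the TLS handshake bytes are kept, and why only the former is readable in the -A output. The packet builder, the function names and the addresses are my own constructed test data, not from the post.

```python
import struct

def build_ipv4_tcp(payload: bytes, tcp_options: bytes = b"") -> bytes:
    """Assemble a minimal IPv4+TCP packet around `payload` (constructed test data)."""
    assert len(tcp_options) % 4 == 0
    tcp_hdr_len = 20 + len(tcp_options)
    total_len = 20 + tcp_hdr_len + len(payload)
    # 0x45 = version 4, IHL 5 words; total length sits at bytes 2-3 (what ip[2:2] reads).
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([10, 10, 0, 2]), bytes([10, 10, 0, 1]))
    data_offset_byte = (tcp_hdr_len // 4) << 4   # high nibble of tcp[12] = header length in words
    tcp = struct.pack("!HHIIBBHHH", 40000, 3456, 1, 1, data_offset_byte, 0x18, 65535, 0, 0)
    return ip + tcp + tcp_options + payload

def tcp_payload_len(pkt: bytes) -> int:
    """Python version of (ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)."""
    ip_total = struct.unpack("!H", pkt[2:4])[0]   # ip[2:2]: IP total length
    ip_hlen = (pkt[0] & 0x0F) << 2                # (ip[0]&0xf)<<2: IP header bytes
    tcp_hlen = (pkt[ip_hlen + 12] & 0xF0) >> 2    # (tcp[12]&0xf0)>>2: TCP header bytes
    return ip_total - ip_hlen - tcp_hlen

def classify(pkt: bytes) -> str:
    """What a reader of the -A output sees: nothing, cleartext HTTP, or an opaque TLS record."""
    n = tcp_payload_len(pkt)
    if n == 0:
        return "empty"                            # the "!= 0" clause drops these packets
    data = pkt[len(pkt) - n:]
    if data.startswith((b"GET ", b"POST ", b"HTTP/", b"CONNECT ")):
        return "http-cleartext"
    if data[:2] == b"\x16\x03":                   # TLS handshake record header
        return "tls-record"
    return "other"

if __name__ == "__main__":
    req = b"GET http://www.google.com/ HTTP/1.1\r\nHost: www.google.com\r\n\r\n"
    ts_opts = b"\x01\x01\x08\x0a" + b"\x00" * 8   # NOP, NOP, timestamp option (12 bytes)
    for name, pkt in [("ack", build_ipv4_tcp(b"")),
                      ("http", build_ipv4_tcp(req, ts_opts)),
                      ("tls", build_ipv4_tcp(b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"))]:
        print(name, tcp_payload_len(pkt), classify(pkt))
```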