I was building an LDAP authentication host a few days ago and was setting up SSL to enable TLS support. One of the tricks with TLS is that because it runs over the same port as non-TLS traffic, it can be tricky to tell if it’s actually being used. TCPDump by itself won’t necessarily be enough to be sure that your LDAP session is being encrypted.
To be certain I wanted to see the results of my configuration changes in Wireshark, but shipping dumps back from the server to my laptop each time I did a test was annoying. What I needed was live capture into Wireshark.
Here’s how you do it:
Looks simple, and it is once you get your head around it. Basically we’re using NetCat (nc) at each end of an SSH tunnel to get traffic from STDOUT of TCPDump to STDIN of Wireshark.
At the server end you want TCPDump to capture full-size (actually this part’s optional), raw packets (in this case TCP port 389 on eth0), send them to STDOUT and pipe them to NC in listener mode (in this case, listening on port 31337):
tcpdump -s 1500 -w - -i eth0 tcp port 389 | nc -l -p 31337
Now we make a new SSH session from our local machine, with a tunnel configured through to that listener:
ssh user@remote-server -L 31337:localhost:31337
If you haven’t seen ’-L’ before, the format is LocalPort:RemoteHost:RemotePort. The RemoteHost address is as seen by remote-server; in this case we want to connect to the listener we’ve just set up on remote-server itself, so we use “localhost”. The LocalPort specifies which port on my local machine the tunnel is exposed on; here I’m using the same 31337, but it could be anything.
Finally we use NetCat again to connect to the tunnel and output the data that comes from it to STDOUT, which we pipe to Wireshark:
nc localhost 31337 | wireshark -k -i -
Note that the “localhost” this time is our local machine: we’re connecting to the port SSH has exposed. Wireshark is told to read its packet data from STDIN with “-i -”, and “-k” makes it start capturing immediately.
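As an added example (not part of the original post), here is a small pass-through filter that sits between `nc localhost 31337` and `wireshark -k -i -`: it forwards tcpdump’s pcap stream untouched and, at the end, reports whether the port 389 segments it saw were cleartext LDAP (BER) or TLS records, which answers the original “is TLS actually on?” question without hunting through Wireshark. The script name `ldapcheck.py`, the `port` parameter and the sample frames produced by `make_pcap` are constructed for illustration; it assumes an Ethernet link type and IPv4, as with `tcpdump -i eth0`.

```python
import io
import struct
import sys

def pcap_chunks(stream):
    """Yield (raw, frame): first the 24-byte global header (frame=b""), then each record header plus its frame."""
    header = stream.read(24)
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[header[:4]]   # KeyError: not a pcap stream
    yield header, b""
    while (rec := stream.read(16)) and len(rec) == 16:
        frame = stream.read(struct.unpack(endian + "IIII", rec)[2])   # third field is incl_len
        yield rec + frame, frame

def tcp_payload(frame):
    """Return (src_port, dst_port, payload) for an Ethernet/IPv4/TCP frame, else None."""
    is_tcp4 = len(frame) >= 34 and frame[12:14] == b"\x08\x00" and frame[23] == 6
    tcp = frame[14 + (frame[14] & 0x0F) * 4:] if is_tcp4 else b""   # skip Ethernet + IPv4 header (IHL * 4)
    if len(tcp) < 20:                                                # not IPv4/TCP, or a truncated segment
        return None
    return (*struct.unpack("!HH", tcp[:4]), tcp[(tcp[12] >> 4) * 4:])

def classify(payload):
    """0x30 (BER SEQUENCE) opens a cleartext LDAPMessage; a TLS content type then major version 3 opens a TLS record."""
    if payload[0] == 0x30:
        return "ldap-cleartext"
    return "tls" if payload[0] in (0x14, 0x15, 0x16, 0x17) and payload[1:2] == b"\x03" else "other"

def summarize(stream, out=None, port=389):
    """Forward every chunk unchanged to `out` (if given) and count non-empty segments on `port` by type."""
    counts = {"ldap-cleartext": 0, "tls": 0, "other": 0}
    for raw, frame in pcap_chunks(stream):
        if out is not None:
            out.write(raw)
            out.flush()                 # per record, so Wireshark updates live rather than at EOF
        if (seg := tcp_payload(frame)) and port in seg[:2] and seg[2]:
            counts[classify(seg[2])] += 1
    return counts

def make_pcap(segments):
    """Constructed little-endian pcap stream of Ethernet/IPv4/TCP frames from (src, dst, payload) tuples."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)    # global header, link type 1
    for src, dst, payload in segments:
        tcp = struct.pack("!HHIIBBHHH", src, dst, 0, 0, 0x50, 0x18, 8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, b"\x0a\0\0\1", b"\x0a\0\0\2")
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp             # checksums left zero
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return io.BytesIO(out)

if __name__ == "__main__":    # nc localhost 31337 | python3 ldapcheck.py | wireshark -k -i -
    print("port 389 segments:", summarize(sys.stdin.buffer, sys.stdout.buffer), file=sys.stderr)
```

The first-byte check is a heuristic on where each TCP segment starts, so a TLS record split across segments shows up as “other”; a session that negotiated StartTLS correctly shows one or two cleartext messages followed by only TLS records.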
And that’s that. Any packets that tcpdump captures will immediately appear in your local Wireshark, which makes diagnosing application layer issues a doddle.
Luke.