
Packet Sniffer for SSL Packets?
JesseHolmz
Fresh-Faced Recruit
Join Date: Feb 2009
Feb 24, 2009, 11:08 PM
 
Does anyone know of one for OS X? I know Wireshark does it but I'm having an issue getting Wireshark to work. Any ideas?
     
Cold Warrior
Moderator
Join Date: Jan 2001
Location: Polwaristan
Feb 24, 2009, 11:20 PM
 
CocoaPacketAnalyzer (CPA) and Packet Peeper sniff packets and run well on my Mac (10.5.6, MBP C2D). Both support tcpdump-compatible filters, which should help you filter for SSL (I assume you mean TCP port 443, unless you're targeting something besides https, like someone using SSL-based communications for VPN, mail, etc., which would be rare for regular users).
     
JesseHolmz  (op)
Fresh-Faced Recruit
Join Date: Feb 2009
Feb 25, 2009, 12:04 AM
 
Originally Posted by Cold Warrior View Post
CocoaPacketAnalyzer (CPA) and Packet Peeper sniff packets and run well on my Mac (10.5.6, MBP C2D). Both support tcpdump-compatible filters, which should help you filter for SSL (I assume you mean TCP port 443, unless you're targeting something besides https, like someone using SSL-based communications for VPN, mail, etc., which would be rare for regular users).
Thanks. Where can I get a TCPDump filter for SSL? I'd just be viewing HTTPS packets. I tried doing it with CocoaPacketAnalyzer but I guess it doesn't come with the needed filter. Thanks again for the help.
     
Cold Warrior
Moderator
Join Date: Jan 2001
Location: Polwaristan
Feb 25, 2009, 12:58 AM
 
Type the words port 443 into the filter box and it'll work.
     
goMac
Posting Junkie
Join Date: May 2001
Location: Portland, OR
Feb 25, 2009, 01:12 AM
 
I'm assuming the OP knows that the HTTPS packets won't be decrypted.

Or maybe the packet sniffers mentioned do. I just know I've never seen one that does.

(If they do, I'd be interested in knowing. I do a lot of coding work with HTTPS.)
8 Core 2.8 ghz Mac Pro/GF8800/2 23" Cinema Displays, 3.06 ghz Macbook Pro
Once you wanted revolution, now you're the institution, how's it feel to be the man?
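What a passive capture on port 443 actually exposes, as an added example that is not part of the original thread: the SSL/TLS record headers and the early handshake messages are readable, and everything after ChangeCipherSpec is opaque. The sample bytes are constructed filler, not a real capture, and the names `record`, `handshake` and `describe_stream` are made up for this illustration.

```python
import struct

CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE = {1: "client_hello", 2: "server_hello", 11: "certificate",
             16: "client_key_exchange", 20: "finished"}

def record(ctype, body, version=(3, 0)):
    """One record: content type (1 byte), version (2), length (2), then the body."""
    return struct.pack("!BBBH", ctype, *version, len(body)) + body

def handshake(htype, body):
    """One handshake message: type (1 byte), length (3), then the body."""
    return bytes([htype]) + len(body).to_bytes(3, "big") + body

def describe_stream(data):
    """List what a passive sniffer can read from one direction of a connection."""
    seen, pos, encrypted = [], 0, False
    while pos + 5 <= len(data):
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, pos)
        body = data[pos + 5:pos + 5 + length]
        if len(body) < length:             # capture ended in the middle of a record
            seen.append(("truncated", f"{len(body)}/{length} bytes"))
            break
        kind = CONTENT.get(ctype, f"unknown({ctype})")
        if encrypted:                      # everything sent after ChangeCipherSpec
            detail = f"{length} opaque bytes"
        elif ctype == 22 and body:         # cleartext handshake: first message type
            detail = HANDSHAKE.get(body[0], f"type {body[0]}")
        else:
            detail = f"{length} bytes"
        seen.append((kind, detail))
        if ctype == 20:
            encrypted = True               # sender switches to the negotiated cipher
        pos += 5 + length
    return seen

# Constructed client-to-server bytes; the bodies are filler, not a real capture.
SAMPLE = b"".join([
    record(22, handshake(1, b"\x03\x00" + bytes(32) + b"\x00")),
    record(22, handshake(16, bytes(128))),
    record(20, b"\x01"),
    record(22, bytes(range(56))),          # Finished, already encrypted
    record(23, bytes(range(200))),         # the HTTP request, encrypted
])

if __name__ == "__main__":
    for kind, detail in describe_stream(SAMPLE):
        print(f"{kind:20s} {detail}")
```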
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Feb 25, 2009, 01:16 AM
 
Wouldn't having a packet sniffer that could decrypt SSH essentially defeat secured connections?

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
JesseHolmz  (op)
Fresh-Faced Recruit
Join Date: Feb 2009
Feb 25, 2009, 01:16 AM
 
Originally Posted by goMac View Post
I'm assuming the OP knows that the HTTPS packets won't be decrypted.

Or maybe the packet sniffers mentioned do. I just know I've never seen one that does.

(If they do, I'd be interested in knowing. I do a lot of coding work with HTTPS.)
Yeah, that's actually what I was looking for... I was told by someone that http://www.ieinspector.com/httpanalyzer/ will do it, and according to the site, it does. However, that's for Windows as you can see. Would it be possible to run that program with Bootcamp or something? I really avoid Windows unless 100% necessary so if there's a way to run that program, let me know.
     
Cold Warrior
Moderator
Join Date: Jan 2001
Location: Polwaristan
Feb 25, 2009, 08:52 AM
 
That program says it will analyze HTTPS, not crack it. Those are very different things. You are not going to be able to crack https without getting very good at active attacks.
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Feb 25, 2009, 01:28 PM
 
Yes, please call me once someone / some app can sniff AND crack SSH on the fly.

-t
     
JesseHolmz  (op)
Fresh-Faced Recruit
Join Date: Feb 2009
Feb 25, 2009, 01:35 PM
 
Originally Posted by JesseHolmz View Post
Yeah, that's actually what I was looking for... I was told by someone that http://www.ieinspector.com/httpanalyzer/ will do it, and according to the site, it does. However, that's for Windows as you can see. Would it be possible to run that program with Bootcamp or something? I really avoid Windows unless 100% necessary so if there's a way to run that program, let me know.
What do they mean by "Support HTTPS, show you unencrypted data sent over HTTPS / SSL connections as the same level of detail as HTTP."?
     
goMac
Posting Junkie
Join Date: May 2001
Location: Portland, OR
Feb 25, 2009, 02:11 PM
 
Originally Posted by Big Mac View Post
Wouldn't having a packet sniffer that could decrypt SSH essentially defeat secured connections?
Well, I think the idea is if the packet sniffer was running long enough, it would be able to grab the keys, and decode the HTTPS packets...

More useful for if you're initiating the connection.
8 Core 2.8 ghz Mac Pro/GF8800/2 23" Cinema Displays, 3.06 ghz Macbook Pro
Once you wanted revolution, now you're the institution, how's it feel to be the man?
     
Cold Warrior
Moderator
Join Date: Jan 2001
Location: Polwaristan
Feb 25, 2009, 03:51 PM
 
Originally Posted by goMac View Post
Well, I think the idea is if the packet sniffer was running long enough, it would be able to grab the keys, and decode the HTTPS packets...

More useful for if you're initiating the connection.
SSL v3 doesn't have this vulnerability. You can't sniff decrypt keys because the key exchange is encrypted afaik using the server's public key, which was provided by the server.
     
goMac
Posting Junkie
Join Date: May 2001
Location: Portland, OR
Feb 25, 2009, 04:23 PM
 
Originally Posted by Cold Warrior View Post
SSL v3 doesn't have this vulnerability. You can't sniff decrypt keys because the key exchange is encrypted afaik using the server's public key, which was provided by the server.
Unless you were sniffing at the initial exchange when the client received the server's public key.

What I'm saying is if you had the packet sniffer running from the very moment you first started initially talking to a server, it's possible. If you jump in after the client has already started talking to the server, you're out of luck. It would make packet sniffing other people's SSL traffic a lot more difficult.
8 Core 2.8 ghz Mac Pro/GF8800/2 23" Cinema Displays, 3.06 ghz Macbook Pro
Once you wanted revolution, now you're the institution, how's it feel to be the man?
     
Cold Warrior
Moderator
Join Date: Jan 2001
Location: Polwaristan
Feb 25, 2009, 04:31 PM
 
Public keys allow for one-way encryption. You can't intercept a public key and use it to decrypt output without the private key. That's how PKI works too -- using someone's public key, I encrypt information for a recipient and only his private key (which he holds and no one else does) will decrypt it.
     
goMac
Posting Junkie
Join Date: May 2001
Location: Portland, OR
Feb 25, 2009, 04:58 PM
 
Originally Posted by Cold Warrior View Post
Public keys allow for one-way encryption. You can't intercept a public key and use it to decrypt output without the private key. That's how PKI works too -- using someone's public key, I encrypt information for a recipient and only his private key (which he holds and no one else does) will decrypt it.
Oh, right. : facepalm :

Yeah, so it's impossible then.
8 Core 2.8 ghz Mac Pro/GF8800/2 23" Cinema Displays, 3.06 ghz Macbook Pro
Once you wanted revolution, now you're the institution, how's it feel to be the man?
     
JesseHolmz  (op)
Fresh-Faced Recruit
Join Date: Feb 2009
Feb 26, 2009, 03:36 PM
 
Did anyone bother trying to use that HTTPAnalyzer program just out of curiosity?
     
redwood
Fresh-Faced Recruit
Join Date: Oct 2003
Mar 1, 2009, 06:13 PM
 
If you have access to the private key, and are familiar with TCPDump, SSLDump is one of the easiest ways to go. http://www.rtfm.com/ssldump/
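Why the public key seen on the wire does not help a sniffer while the server's private key does, covering both the public-key explanation earlier in the thread and the private-key remark above. This is an added example, not code from the thread or from ssldump: it uses textbook RSA without padding, a toy key built from two known Mersenne primes (trivially factorable, chosen only to keep the run deterministic), a constructed pre-master secret, and function names invented for the illustration.

```python
# Toy server key: real keys use random primes, and real SSL pads the message.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537                      # public key, sent in the clear in the Certificate message
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, never sent on the wire

# Constructed 48-byte pre-master secret: SSL v3 version bytes plus 46 filler bytes.
PREMASTER = b"\x03\x00" + bytes(range(46))

def client_key_exchange(premaster, n, e):
    """Client: encrypt the pre-master secret to the server's public key."""
    return pow(int.from_bytes(premaster, "big"), e, n)

def server_recover(ciphertext, n, d, size=48):
    """Server, or an analyst who holds the server's key file: decrypt with d."""
    return pow(ciphertext, d, n).to_bytes(size, "big")

def sniffer_attempt(ciphertext, n, e):
    """Passive observer: holds n, e and the ciphertext, but not d.
    Applying the public key again only encrypts a second time."""
    return pow(ciphertext, e, n)

def run_exchange():
    """Return (what the server recovers, whether the sniffer recovered the secret)."""
    on_the_wire = client_key_exchange(PREMASTER, N, E)
    sniffer_value = sniffer_attempt(on_the_wire, N, E)
    sniffer_ok = sniffer_value == int.from_bytes(PREMASTER, "big")
    return server_recover(on_the_wire, N, D), sniffer_ok

if __name__ == "__main__":
    recovered, sniffer_ok = run_exchange()
    print("server recovered pre-master:", recovered == PREMASTER)
    print("sniffer recovered pre-master:", sniffer_ok)
```

This applies to cipher suites that use RSA key exchange; with ephemeral Diffie-Hellman suites the server's key file does not decrypt a recorded session.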
     
JesseHolmz  (op)
Fresh-Faced Recruit
Join Date: Feb 2009
Mar 1, 2009, 06:19 PM
 
Originally Posted by redwood View Post
If you have access to the private key, and are familiar with TCPDump, SSLDump is one of the easiest ways to go. http://www.rtfm.com/ssldump/
I know this is a very newbish question but how do you even install that? You need Xcode to compile and install that, right?
     
redwood
Fresh-Faced Recruit
Join Date: Oct 2003
Mar 1, 2009, 06:25 PM
 
You do need Xcode (which is on your DVD if you have a newer Mac) or you can download and install the developer tools from developers.apple.com with a free account.

MacPorts has ssldump, so if you install MacPorts (which also requires the developer tools and Xcode) you can just type sudo port install ssldump and it will do the dirty work for you.
     
   
 
All times are GMT -4.