pablo1999 08-21-2009 01:42 PM

Using WireShark to detect encryption method

I'm trying to find out how to use WireShark to detect which encryption method is used between a Windows client and a Windows server.

Can I use WireShark to look at the traffic from 2 computers and find out which encryption method is being used?

If yes, how?

Thanks in advance.

acid_kewpie 08-21-2009 03:11 PM

It depends what traffic it sees, and if it's a protocol it can understand. Encryption like SSL is easy to "detect", as SSL uses a very well-known handshaking process, and can be pulled apart to show what sort of cipher methods and such are being used. Obviously what can't be done is to see the encrypted data... Is that the sort of thing you mean? If you are pushing other encrypted data, then you can't magically know what a file might be encrypted with if it's not something agreed upon by both boxes.
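The SSL case described in the reply above, as an added example that is not part of the original thread: the server's ServerHello names the negotiated cipher suite in cleartext, and this sketch pulls it out of a byte stream. The function names and the sample record are constructed for illustration, and the input is assumed to be the reassembled server-to-client bytes of one connection.

```python
import struct

# Subset of the IANA TLS cipher suite registry, enough for this demo.
SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}

def negotiated_cipher(stream: bytes):
    """Return (code, name) of the suite in the first ServerHello, else None.

    `stream` is assumed to be the reassembled server-to-client bytes of one
    TCP connection, captured from its first byte.
    """
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, rlen = struct.unpack_from("!BHH", stream, off)
        body = stream[off + 5 : off + 5 + rlen]
        off += 5 + rlen
        if ctype != 0x16 or len(body) < rlen:
            continue  # not a handshake record, or truncated capture
        pos = 0
        while pos + 4 <= len(body):  # a record may carry several messages
            mtype = body[pos]
            mlen = int.from_bytes(body[pos + 1 : pos + 4], "big")
            msg = body[pos + 4 : pos + 4 + mlen]
            pos += 4 + mlen
            if mtype != 0x02:  # 0x02 = ServerHello
                continue
            # Layout: version(2) random(32) sid_len(1) sid cipher(2) comp(1)
            if len(msg) < 35 or len(msg) < 35 + msg[34] + 3:
                return None
            start = 35 + msg[34]
            code = int.from_bytes(msg[start : start + 2], "big")
            return code, SUITES.get(code, "unknown 0x%04X" % code)
    return None

def sample_server_hello(code: int, session_id: bytes = b"\x11" * 32) -> bytes:
    """Constructed ServerHello record (TLS 1.0, zero random) for testing."""
    hello = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
    hello += struct.pack("!HB", code, 0)  # chosen suite, null compression
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    print(negotiated_cipher(sample_server_hello(0x002F)))
```

A capture that starts after the handshake holds only application-data records, so the function returns None for it.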

pablo1999 08-21-2009 03:17 PM

I don't want to see the encrypted data. I just want to collect the traffic information that is encrypted from one host to another and figure out if it's encrypted using AES, Blowfish, DES or another algorithm.

acid_kewpie 08-21-2009 03:54 PM

Well, as above, it depends what communication protocol is being used to agree the algorithm over, if it is agreed.

pablo1999 08-22-2009 08:40 PM

So I can use WireShark to detect encryption methods like AES, Blowfish or DES?

If yes, do you know of some document that explains how to do this?

acid_kewpie 08-23-2009 01:42 AM

Just try it. Capture some traffic and see if it shows it in the traffic details. You'd need to see the start of the stream in just about all cases, if not absolutely all.

pablo1999 08-24-2009 12:53 PM

I ran Wireshark and all the frames only show the following:

Protocols in frame: eth:ip:tcp:tds

I was expecting something more like the following:

Protocols in frame: eth:ip:tcp:tds
Cipher in frame: Blowfish


Protocols in frame: eth:ip:tcp
Cipher in frame: AES

