# eavesdropping with tcpdump



## bigearsbilly (Apr 2, 2014)

I am playing about with SSL tunnels and am trying to look to see if it really is encrypted.
I am trying with a third machine to look at the traffic, like so:


```
tcpdump -i eth1 src spitfire and dst cherry
```

But here I get no trafic showing up.
Should this work? They are all on the same LAN but it is a VLAN in a virtual hosting environment.
I was wondering if maybe it isn't working because it is in a virtual environment?


----------



## SirDice (Apr 2, 2014)

On a switched environment you will only see your own and broadcast traffic, traffic for other machines will not be visible. It's because of the way a switch operates. Depending on the switch you may be able to configure a port in "monitoring" mode, that will copy all the traffic from one port to the monitoring port. On Cisco it's called SPAN and I think HP calls it mirroring.


----------



## bigearsbilly (Apr 2, 2014)

Oh, I see, (I think!)
I was trying this sort of thing:

```
ssh -v -L 8888:cherry:8888  billy@cherry
```

When I tcpdump on the ports in question on either machine it shows in the clear. So either the SSH has happened or I am wrong.
Hence I was trying to eavesdrop.
It was just to satisfy my curiosity.


----------



## SirDice (Apr 2, 2014)

bigearsbilly said:
			
		

> When I tcpdump on the ports in question on either machine it shows in the clear. So either the SSH has happened or I am wrong.


You're wrong  You're looking at the traffic that's going in and out of the tunnel. Which is the unencrypted traffic. The tunnel itself runs on port 22 (same as SSH). One simple way to verify this is to block all traffic coming in on the external interface except for port 22 traffic. You'll see you'll still be able to tunnel anything over SSH.


----------



## bigearsbilly (Apr 2, 2014)

SirDice said:
			
		

> You're wrong


Really!! Wow that's only the second time ever! 

Ah! so it still goes via port 22, well that never occurred to me at all.
Thanks very much for the help.


----------



## SirDice (Apr 2, 2014)

bigearsbilly said:
			
		

> Ah! so it still goes via port 22, well that never occurred to me at all.


Yes, so does scp(1) and sftp(1). It's all encapsulated within the SSH protocol and thus everything passes through port 22.


----------



## bigearsbilly (Apr 2, 2014)

I just checked your assertion by listening to port 22 and I can confirm you are quite correct!
Well I never. I feel cheated!

Another bit of information logged away there.
Verily SirDice I am most grateful!

I've decided to us a proper IPSec tunnel VPN now anyway.


----------



## SirDice (Apr 2, 2014)

bigearsbilly said:
			
		

> I've decided to us a proper IPSec tunnel VPN now anyway.


It depends on your needs. For just forwarding a single port on an ad-hoc basis ssh(1) tunnelling usually does very well. I use it quite a lot to tunnel Windows' RDP over SSH. I've also used the -D option a lot to bypass stupid corporate firewalls and proxies  §e  But if you need to tunnel more services or really want the traffic to become "local" a VPN is usually the better solution. Make sure you route your traffic _through_ the VPN though, it's quite easy to have the traffic bypass it without realizing.


----------



## kpa (Apr 2, 2014)

IPSec is not considered as "proper" by everyone. It may be a standard but for many purposes OpenVPN is vastly superior in many ways, set up is easier and it deals much better with dynamic client IP addresses.


----------



## bigearsbilly (Apr 3, 2014)

Maybe, but I am connecting to a third-party data provider and they are using a hardware VPN so I will probably end up doing what I can.
I'm a developer more than a network admin but the boss is too tight to employ enough technical people, strange as that may sound.


----------

