Cocoa Packet Sniffer

doubledee said:

I installed Cocoa Packet Sniffer and tried doing a test of a website using an unencrypted connection (e.g. McDonalds) versus an encrypted connection (e.g. my VPN).

When I tried the unencypted connection on a site like http://www.cnet.com, I was able to see some browser header info, but none of the web page content.

Why is that?

Click to expand...

Compression, if you look at the http request you may see: "Accept-Encoding: gzip, deflate" for example, then in the response: "Content-Encoding: gzip". The browser advertises what encodings it supports, then if the server wants to it can use one of those encodings if they are supported.

http://en.wikipedia.org/wiki/HTTP_compression

If you enter this command in the terminal:


That will load the website without compression. Web browsers all support compression, which means that the data you see in your packet sniffer might be in compressed form. Curl doesn't compress any of the data unless you explicitly request it to do so, which is why this should work for you. Change the URL to whatever you want.

Also, the article will not appear in plain English, even decompressed. You will see HTML code, as that's what all websites are written in. You should be able to see the article somewhere within the code though, just have to look sharp!

doubledee said:

I don't know what you just said.

Is there some application that will show me what the content of a website looks like over an unencrypted and encrypted connection?

Click to expand...

Yes Cocoa Packet Sniffer should do just fine.

If you look at the text in the browser header info that you mentioned earlier, you may spot the Accept-Encoding: stuff in there.

doubledee said:

For example, if I came to MacRumors, I would like to see results that show me plain-text that I can read and then gobbly-gook which would show me that everything is encrypted if both the browser and server supports it.

How can I do that?

Click to expand...

The content you saw that looked like it was encrypted, was compressed, it's a feature to make loading the page faster, the content is compressed before it's sent, then it's uncompressed again in the browser.

So the options are: either find a web page that doesn't compress the data, or load the page in a browser that doesn't send Accept-Encoding in the header. Using curl that Dargoth mentioned should do the trick.

doubledee said:

I'm not following how that would help what I am trying to do?




I tried capturing me logging into this website using dummy variables...

http://login.course.com/login/login.cfm?targeturl=&appId=

After capturing that, I went to Edit > Find > Find in Trace and choose...

All of the following are true
Packet String contains "bob@mail.com"

Then I clicked "Find" and I didn't get any results, even though there were tons of packets captured.


Debbie

----------



But Dargoth's suggestion just shows me the content of a website. It doesn't show me content submitted, like in a login screen.

It also wouldn't show me packets that are in plain-text versus encrypted.


Do you know of any websites that do NOT encode their pages, and that have some web form I can submit data in?


-----
If I didn't explain before, I am trying to get comfortable how traffic looks when it is encrypted versus when it is plain text. One of the reasons I want t do this is to check my network connection and see what it looks like when it is encrypted or not.

Follow me?

This is way harder than I expected!


Debbie

Click to expand...

You have to sniff while running curl, sorry if this wasn't clear. You use curl just to generate traffic that isn't compressed, so it can be read plainly. Don't bother with reading curl's output directly, just pay attention to what your sniffer picks up.

doubledee said:

If I use curl, all it will show me is a GET request (i.e. loading the webpage/webform).

What I am trying to do is submit a form with bogus data, and be able to use Cocoa Packet Sniffer to see the form data I submitted (e.g. username and password).

Not trying to hack anyone or anything, but I am trying to see how data sent over http is NOT safe, and how things like https or a VPN helps protect your data.

Can someone help me accomplish such a test to help me learn?

Thanks,


Debbie

Click to expand...

Apart from setting up your own web server on your LAN and do the experiments there, you need to find some web server that doesn't use compression.

Alternatively there may be browsers that allow you to customize the http request in developer settings or with plugins, I don't know of any though, but a quick search pointed to this Firefox plugin which may do what you want. I haven't tried this though.

https://addons.mozilla.org/en-US/firefox/addon/modify-headers/

chown33 said:

You can tell curl to send a POST request. You can supply the data to be posted in several ways: cmd-line args, stdin, input file.

Click to expand...

Yes, but if this is a multi way communication back and forth between a client and server, such as an authentic use of a web page from a browser that approach is going to be very involved. And from the look of the previous attempts it's probably not the most practical solution imo.

doubledee said:

subsonix,

I just customized a new VPN, and I want reassurance that it is actually working.

When I try and test with it on and off using Cocoa Packet Sniffer, it seems like it is working, but my results are not obvious enough. (I see lots of ....... in the packet results that makes me think I'm not doing this correctly.)

Click to expand...

From the previous posts I assumed it was for curiosity/educational purposes to get familiar with network protocols. This method require some familiarity with network protocols. My guess is that the ...... fields you see belongs to the packet headers, not the content. The actual content that gets sent is divided up into packets, each with a packet header in front of it.

doubledee said:

If my end goal is to make sure that when my VPN is on that it is truly encrypting my data, how can I do that?

Would this work better with another app like WireShark or whatever its called?

I'm already way out of my area of expertise - I have no clue about security or networking, but still want to make sure my data is safe!!

Thanks,


Debbie

Click to expand...

In some way it's similar to connecting to a https web site, you have to trust that the lock symbol you see indicates that the right thing happens in the background. Anyhow, with the VPN on, all you traffic should be going to the VPN, you should be able to see this in the headers. The same thing is true for the encryption, similar to compression, there should be some negotiation between you and the VPN at a protocol level, I'm not really familiar with the exact details though I'm afraid.

For https this is known as a TLS handshake, you can look that up if you are interested. Usually it's not really the content one is interested in when using something like a packet analyzer, but what is going on at a protocol level. WireShark is a similar program, but it has more features and supports more protocols. If this is something you use for work and the VPN is part of an organization or company you should probably ask IT support for a confirmation.

You mentioned that you customized your VPN, I assume you mean on your computer? Have you followed the steps by Apple on how to set it up? I found this support document for Mountain Lion for example: http://support.apple.com/kb/ph11067

doubledee said:

I set up a custom gateway to allow me to have a static IP that I need to connect to s server. When I do this, it doesn't give me the location and IP in the vpn client software, which makes me nervous.

If I do a "What's My IP", I see the static IP that I used during configuration, but I just still feel a bit untrusting.

My VPN provider verified that I am indeed connecting to one of their servers. And the new static IP has remained the same, which is good.

It s just surprising that in this day and age that there isn't some app or website called "check-if-my-connection-is-encrypted.com" *LOL*



-------
Yesterday I rolled up my sleeves and spent the afternoon playing around.

First I turned on Cocoa Packet Sniffer, and then ran this from Terminal...

Code:

curl --data "uname=mickey.mouse@disney.com&passwd=let-me-in" somesite.com/login.php

Because that website's login page used HTTP, and since my VPN was off, I was able to see the login details.


Next, I repeated things but with my VPN turned on and pointing to the custom gateway.

When I looked through each packet, I did not see any plain text, so I guess that means it is working, but I'm not 100% certain I am doing things correctly.

I think the whole gzip thingy is what confused me in the beginning, because when I went to ww.bbc.com, I couldn't see any news articles in the packets.


So, I think my customized VPN is working, but I'm not 100% certain if I used Cocoa Packet Sniffer the correct way?!

Sincerely,


Debbie

Click to expand...

Looks right to me! The packets exist at a layer below the VPN, so you're seeing raw traffic. If you can read it, it's definitely not being encrypted by the VPN, or compressed, and if you can't (using curl) it has to be the VPN encrypting the data.

Also, if all you wanted was to test that your VPN is working, you could have simply logged into your VPN remotely, get your IP address by asking Google, then compare it with the IP address you get when disconnected from it. If they differ, then the traffic is definitely going over the VPN. Hopefully this method is what you're looking for, as it's quite a bit easier!

doubledee said:

You lost me on this one.

When I turn on my VPN, I choose which City or Custom Gateway that I want.

So checking my IP when my VPN is on against the IP I set up my custom gateway with, just shows they are the same.

It does NOT, however, prove that I have encryption!

And since the client app doesn't show a location or IP, it makes me feel like I am surfing naked.

Until I did the cURL/Cocoa Packet Sniffer tests, I totally didn't trust my custom gateway.

But after several tests, it would seem that my custom gateway and the IP associated with it are encrypting data - although part of me worries that what I am seeing is some gzip junk...

But since I can go to the same test website and see readable text when my VPN is off but I can't read it when it is on, that would logically follow that having my VPN is scrambling the data.


Debbie

Click to expand...

Look.. I want you to try to understand this: There are two IPs associated with a VPN when connecting from abroad, first the IP address of the local network, then the IP address of the remote network containing the VPN server. If you are not connected to the VPN, your IP address will be that of the local network you're on. If you're connected to the VPN, your IP address will be that of the remote network that contains the VPN server. There is literally no way that you could be getting the IP address of the VPN server if you are not connected to it, and this also implies your data is being encrypted, because going through the VPN always encrypts your data. That's just how the technology works. There is no way you can have one without the other!

This is the last time I'm going to explain this. Either understand it, or choose not to. Either way, good day!