Question: Thanks, that captures SSL traffic as well, correct? And how to analyze or read it?

Asked By: tilakmishra
Asked At: 2017-10-13 15:54:38

Found 15 possible answers.

User Answered At Possible Answer
raju 2017-10-13 18:03:53 Every day in the early morning hours I am seeing a CPU spike for 20 mins. How to check which process is causing that problem?
hobo548 2017-10-13 18:19:15 Every day at the same time? Either load from external sources or a cron-style job. If you have zero monitoring in place (tsk tsk), maybe do some bash scripting to write out 'top' every 5 seconds for a few hours. Nasty, but you get what I mean. @tilakmishra Wireshark
brunux 2017-10-13 20:51:15 @shivashankarjw SSL traffic is encrypted; you can see the headers in the TCP/IP stack but not the payload. Maybe if you have the SSL certs you can unencrypt the payload.
addrian 2017-10-13 20:55:22 IIRC, you'd need the private key to un-encrypt the payload, and even with that, you'd probably also have to capture all of the SSL handshake traffic at the start of the session, depending on ciphers. It also may depend on what the SSL client/server is. There are some ways if you record session key logging in the client browser (e.g. https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/ ).
brunux 2017-10-13 20:57:11 @raju Check atop. atop can run in the background and save statistics to a log file for later review.
ag4ve.us 2017-10-13 22:48:20 @raju acct (package) sa/ac are your friends here. Also, idr where the SSL3 debate wrt MITM ended up (IIRC it went total dumpster fire thanks to NOC and gov), but if it went the way it should've gone, it should be end to end. Wrt SSL: anon/null ciphers aren't exactly encrypted, but you may still need a handshake to look. @tilakmishra Bro IDS will give you interesting metrics out of the box (and is extensible; it's actually a language), sslstrip may help too, and most web proxies have sslbump-like things. This info is probably in wtmp.
raju 2017-10-14 00:07:12 Installed atop, will check tomorrow @brunux. atop is not storing the history, don't know why @brunux
ag4ve.us 2017-10-15 21:14:44 And wtmp didn't have what you want? Also, IIRC you can have auditd log kernel calls (like, idk, execve; get ready to rotate logs a lot if that works, though).
hipska 2017-10-16 11:26:49 tcpdump captures all the traffic you want. It can output in different formats. Depends on how you want to read the headers.
brunux 2017-10-16 14:10:07 @raju Still not working? What's the command that you are running?
raju 2017-10-17 19:06:00 Yeah, atop is not storing the data in logs, but I found which process is spiking the CPU.
brunux 2017-10-17 21:18:15 @raju This is the Ubuntu 14.04 atop service https://pastebin.com/Kf4Y394T. Try to register it on your system; pay special attention to lines 28 and 29, which set the log file.
pwelling 2017-10-19 17:09:57 Linux admins, what common packages do you make sure to install on all servers you set up?
brunux 2017-10-19 18:03:16 @pwelling It depends on the application. The basic rule is as minimal as needed; you don't want any possible break points if not needed. The most basic ones would be a firewall and ssh-server.
pwelling 2017-10-19 18:28:24 I know. Was curious to find out what others install commonly across all *nix servers. I try to keep it to less than 10 or so packages.