Resources for IT Professionals >
Forums Home
>
Windows Tools Forums
>
Network Monitor
>
Encryption question
Encryption question
- Is there a way in Network Monitor 3.3 to display if AES encryption is happening when a client connects to a server?
Answers
- Since AES is a type of encryption and not a protocol, so for each protocol, you'd have to figure out how to detect that type of encryption. For instance for SSL/TLS, which is a very popular encyprtion protocol, you could check to see if TLS_DH_RSA_WITH_AES_256_GCM_SHA384 is set with the followling filter.
ServerHello.TLSCipherSuite == 0xA1
Of course there are many different cipher suites that use AES, so you'd have to enter a filter for each one. One way around this is to search for the string in the description which you can do as follows:
serverhello.TLSCipherSuite.tostring.contains("AES")
But if you are wanting to detect this decryption in other protocols, you'd have to find the filter string for each one.- Marked As Answer byCharlesHardy Wednesday, October 28, 2009 4:48 PM
All Replies
- Currently the traffic is captured after the the data is encrypted, so you can't see the unencrypted data.
- I guess I didn't phrase the question very well... I was wondering if there was a way to have Network Monitor show if the data is encrypted or not. I can't find a way to show if there is encryption happening or not.
- This is probably dependant on the protocol, but for SSL everythign is encrypted. For MSRPC, we'll say whether or not it's encrypted.
Do you know what protocol is involved in the communication you are interested in? - I'm looking to see if AES encryption is happening.
- Since AES is a type of encryption and not a protocol, so for each protocol, you'd have to figure out how to detect that type of encryption. For instance for SSL/TLS, which is a very popular encyprtion protocol, you could check to see if TLS_DH_RSA_WITH_AES_256_GCM_SHA384 is set with the followling filter.
ServerHello.TLSCipherSuite == 0xA1
Of course there are many different cipher suites that use AES, so you'd have to enter a filter for each one. One way around this is to search for the string in the description which you can do as follows:
serverhello.TLSCipherSuite.tostring.contains("AES")
But if you are wanting to detect this decryption in other protocols, you'd have to find the filter string for each one.- Marked As Answer byCharlesHardy Wednesday, October 28, 2009 4:48 PM
- Thank you. I will talk to our programers and figure out which encryption protocol we are using with AES.
