stevanp Tue, 05/15/2007 - 11:15

I am glad that you asked as I have had a little time to think about it.


Windows clients hit a CSS 11500 which is using Source NATing and encryption on the front end. When the request originates from the CSS, it hits Windows servers.


We have a couple of users that are seeing abnormal reactions with web browser and need to "see" what is going on.


Since I set up our CSS's and SSL certs, I figured that I would be able to sniff the traffic and "see" the issues.

mhellman Wed, 05/16/2007 - 04:53

If the CSS is just doing NAT, then the SSL endpoints are the clients and the Windows servers. All the CSS sees is a stream of encrypted packets. There are solutions that allow you to load your SSL certs and then sniff the traffic and decrypt it, but I can't imagine using them just for troubleshooting purposes. Tealeaf is one of them (http://www.tealeaf.com/).


You can still use webscarab, just bear in mind that it acts as an HTTP proxy (i.e. it becomes the client to the Windows server)...and this may very well impact the abnormal behavior you were seeing.

stevanp Wed, 05/16/2007 - 06:05

Thanks for the advice on products, might be what we are looking for; however, in the past, I used SSLDump to "sniff" streams, but cannot seem to find the necessary files online to compile another version for Windows.


Q. How would an SSL sniff be used as a troubleshooting tool?

A. Sniffing SSL traffic will allow me to see what the client and the servers, via the CSS, are doing in the streams. While I can look at the SSL traffic up to the TCP headers, I want to see what kind of responses the web servers are returning to the clients via CSS.

mhellman Wed, 05/16/2007 - 07:18

SSLdump appears to be very much like tealeaf. If provided the appropriate keys, it should allow you to see the entire HTTP stream. I don't see a Windows version but perhaps it will work under cygwin?


You might be able to use dsniff.
