In addition to physical and virtual network adapters, CommView allows you to select one of the "Decrypted SSL" adapters for capturing and decrypting local SSL traffic. These are not real adapters; rather, they are emulated and called "adapters" for simplicity. When you capture decrypted local SSL traffic from these adapters, CommView emulates TCP packets using intercepted SSL sessions. As a result, you can work with those packets just like you would normally work with any other packets from real adapters.

When working with decrypted SSL traffic, please keep in mind the following:
· Only local SSL traffic can be decrypted. In other words, CommView (or any other software) cannot decrypt other computers' encrypted traffic. If it could, we would probably have received a multimillion-dollar award for the greatest breakthrough in cryptography.
· It is highly recommended that you close your browsers before you start capturing SSL traffic and open them after you have started capturing. This is necessary to make sure that the browsers are able to update their list of trusted certificates; CommView adds its certificate to the trusted store, thereby making it possible to intercept and decrypt SSL traffic.
· We cannot guarantee that CommView can decrypt each and every SSL session originating from your computer. Some applications use highly customized components for SSL encryption. We did, however, make sure that all modern popular browsers are supported.
· Once you have started capturing, some applications might complain about an "unknown" or "untrusted" SSL certificate. This is normal, as CommView acts as a middleman between the software running on your computer and the server it connects to. This involves temporarily (only while CommView is capturing data) replacing the server certificate with CommView's own certificate. If you see such an "unknown certificate" message, simply restart the application in question. This should solve the problem in most cases. If this doesn't help, you may want to add CommView's certificate to the application's trusted certificate store, if it has one. The certificate can be found at C:\Program Files (x86)\CommView\certs\SSL\CommView CA 2.cer (for 64-bit Windows) or C:\Program Files\CommView\certs\SSL\CommView CA 2.cer (for 32-bit Windows). If this doesn't help either, unfortunately there is nothing we can do.
· The TCP/IP packets that you see in this capture mode are emulated. This means that they have artificial Ethernet, IP, and TCP headers. Such packets have specific source and destination MAC addresses: 00:00:00:00:10 and 00:00:00:00:20 for inbound packets and vice versa for outbound packets. They also have emulated SEQ and ACK values.
· Because packets are emulated, they may not fully reflect the structure of the real SSL session. For example, a 10,000-byte-long SSL-encrypted Web page sent to your browser may be transferred using 7 or 8 encrypted TCP packets in reality, but in CommView, the entire page may be presented as a single 10,000-byte-long TCP packet that contains decrypted data. Similarly, SSL session handshakes are not displayed, as they carry no usable payload.
There are three types of decrypted SSL emulated adapters to choose from:
1. Local SSL (Decrypted)
2. Local SSL (Decrypted) + HTTP
3. Local SSL (Decrypted) + TCP
The first one captures only SSL sessions. The second one captures SSL sessions and HTTP (unencrypted) sessions. The third one captures SSL sessions and any other TCP sessions. Please note that all three modes present emulated TCP sessions, with the specifics described above. If you want to see original, unmodified packets as sent/received by your network adapter, then select that adapter rather than one of the emulated adapters in CommView.
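
Because CommView adds its certificate to the trusted store, it is useful to confirm where that certificate is currently trusted on a machine. The following PowerShell script is an added example, not part of CommView or its documentation: it loads the certificate from the file paths given above and looks for the same thumbprint in the Windows root stores. Which store CommView writes to is not stated on this page, so checking both CurrentUser and LocalMachine Root is an assumption; application-specific stores are not covered.

```powershell
# Added example: locate the CommView interception CA in the Windows root stores.
# The two file paths are the ones given on this page; the choice of stores is an assumption.
$candidatePaths = @(
    'C:\Program Files (x86)\CommView\certs\SSL\CommView CA 2.cer',  # 64-bit Windows
    'C:\Program Files\CommView\certs\SSL\CommView CA 2.cer'         # 32-bit Windows
)

$cerPath = $candidatePaths | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $cerPath) {
    Write-Warning 'CommView CA file not found at either documented path.'
    return
}

# Load the certificate file and use its thumbprint as the search key,
# so the match does not depend on guessing the subject name.
$ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerPath)
"CA file    : $cerPath"
"Subject    : $($ca.Subject)"
"Thumbprint : $($ca.Thumbprint)"
"Valid until: $($ca.NotAfter)"

# Assumption: the "trusted store" is one of the Windows Root stores.
$stores = 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root'
$hits = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Thumbprint -eq $ca.Thumbprint } |
        ForEach-Object {
            [pscustomobject]@{ Store = $store; Subject = $_.Subject; NotAfter = $_.NotAfter }
        }
}

if ($hits) {
    $hits | Format-Table -AutoSize
    'The CA is trusted in the stores listed above; TLS clients that use them accept certificates it issues.'
} else {
    'The CA is not present in the Windows Root stores that were checked.'
}
```

Running it before and after a capture session shows whether the certificate remains trusted once CommView is no longer capturing.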