LAN Analyzer and Protocol Decoder - CommView

Capturing Decrypted SSL Traffic

In addition to physical and virtual network adapters, CommView allows you to select one of the "Decrypted SSL" adapters for capturing and decrypting local SSL traffic. These are not real adapters; rather, they are emulated and called "adapters" for simplicity. When you capture decrypted local SSL traffic from these adapters, CommView emulates TCP packets using intercepted SSL sessions. As a result, you can work with those packets just like you would normally work with any other packets from real adapters.

When working with decrypted SSL traffic, please keep in mind the following:

· Only local SSL traffic can be decrypted. In other words, CommView (or any other software) cannot decrypt other computers' encrypted traffic. If it could, we would have probably received a multimillion-dollar award for the greatest breakthrough in cryptography.

· It is highly recommended that you close your browsers before you start capturing SSL traffic and open them after you have started capturing. This is necessary to make sure that the browsers are able to update their list of trusted certificates; CommView adds its certificate to the trusted store, thereby making it possible to intercept and decrypt SSL traffic.

· We cannot guarantee that CommView can decrypt each and every SSL session originating from your computer. Some applications use highly customized components for SSL encryption. We did, however, make sure that all modern popular browsers are supported.

· Once you have started capturing, some applications might complain about an "unknown" or "untrusted" SSL certificate. This is normal, as CommView acts as a middleman between the software running on your computer and the server it connects to: while CommView is capturing data, it temporarily replaces the server certificate with CommView's own certificate. If you see such an "unknown certificate" message, simply restart the application in question. This should solve the problem in most cases. If this doesn't help, you may want to add CommView's certificate to the application's trusted certificate store, if it has one. The certificate can be found at C:\Program Files (x86)\CommView\certs\SSL\CommView CA 2.cer (for 64-bit Windows) or C:\Program Files\CommView\certs\SSL\CommView CA 2.cer (for 32-bit Windows). If this doesn't help either, unfortunately there is nothing we can do.

· The TCP/IP packets that you see in this capture mode are emulated. This means that they have artificial Ethernet, IP, and TCP headers. Such packets have specific source and destination MAC addresses: 00:00:00:00:10 and 00:00:00:00:20 for inbound packets and vice versa for outbound packets. They also have emulated SEQ and ACK values.

· Because packets are emulated, they may not fully reflect the structure of the real SSL session. For example, a 10,000-byte-long SSL-encrypted Web page sent to your browser may be transferred using 7 or 8 encrypted TCP packets in reality, but in CommView, the entire page may be presented as a single 10,000-byte-long TCP packet that contains decrypted data. Similarly, SSL session handshakes are not displayed, as they carry no usable payload.
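Because decryption relies on the CommView CA being present in the trusted root store, it is worth being able to verify at any time whether that CA is still trusted, and by which store. The following script is an added example, not part of the CommView documentation; it assumes the certificate file sits at one of the two paths given above and compares thumbprints rather than subject names.

```powershell
# Added example: report whether the CommView interception CA is currently
# trusted by the current user's or the machine's root store.
# Assumption: the two paths below are the documented install locations.
$candidatePaths = @(
    'C:\Program Files (x86)\CommView\certs\SSL\CommView CA 2.cer',
    'C:\Program Files\CommView\certs\SSL\CommView CA 2.cer'
)
$cerPath = $candidatePaths | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $cerPath) {
    Write-Host 'CommView CA 2.cer was not found at either documented location.'
    return
}

# Load the certificate file from disk. The thumbprint is the value we match on,
# so a different CA that merely shares the subject name is not mistaken for it.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
"File      : $cerPath"
"Subject   : $($ca.Subject)"
"Thumbprint: $($ca.Thumbprint)"
"Validity  : $($ca.NotBefore) to $($ca.NotAfter)"

# Check both root stores; an application honours whichever store it reads.
foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
    $match = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
    if ($match) {
        "$store : TRUSTED (SSL sessions of applications using this store can be decrypted)"
    } else {
        "$store : not present"
    }
}
```

If the CA should no longer be trusted once you have finished capturing, the matching store entry can be removed with Remove-Item on the Cert: path reported above, run from an elevated session for the LocalMachine store.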

There are three types of decrypted SSL emulated adapters to choose from:

1. Local SSL (Decrypted)

2. Local SSL (Decrypted) + HTTP

3. Local SSL (Decrypted) + TCP

The first one captures only SSL sessions. The second one captures SSL sessions and HTTP (unencrypted) sessions. The third one captures SSL sessions and any other TCP sessions. Please note that all three modes present emulated TCP sessions, with the characteristics described above. If you want to see the original, unmodified packets as sent/received by your network adapter, select that adapter rather than one of the emulated adapters in CommView.