Internet Data Packet Sniffer
SniffInet is an Internet Data Packet Sniffer. It lets you see data that is going through the Internet. To examine data communication between two Internet end points, call them A and B, you insert SniffInet (S) so that A talks to S and S talks to B. Because it is "in the middle", it can see and display all the data flowing between A and B.
SniffInet is similar to many Data Loss Prevention (DLP) devices that can inspect encrypted traffic. SniffInet and DLP products work like Man-In-The-Middle attacks to do the inspection.
SniffInet is also similar to a Packet Analyzer. MITM devices let you see data flowing on a network connection. Packet Analyzers let you see packets flowing on a network connection. (Packets have headers and other extra bytes around the data that they contain.)
MITMs capture data between two hosts, commonly called a client and a server. The MITM must be inserted in the path (network connection) between the client and the server. The client, instead of talking directly to the server, talks to the MITM, and the MITM talks to the server.
Packet Analyzers capture data between two hosts, commonly called a client and a server. Packet Analyzers need a connection to the physical network (the "wire") between the client and the server to be able to "see" the network traffic.
SniffInet is different. It runs in the cloud: it is directly part of the Internet.
Seeing the actual data being transmitted between devices provides additional information beyond error messages and log entries. This data is especially useful for debugging, for example in a new client/server application like a phone talking to a flight information system.
SniffInet is uniquely different from DLP devices and Packet Analyzers because it:
- reads the Internet
- does not use your local network
- decrypts SSL/TLS
- connects secure and plain text hosts together
- does port conversion in the cloud
Knowing how SniffInet works is important in understanding what it can do and how to use it.
See Your Data Inside The Internet Cloud
SniffInet lets you see your data "in the cloud" or "on the Internet". While there is no way to sniff, or view, arbitrary Internet traffic, SniffInet can show you specific Internet traffic if you let it. The key is "if you let it".
To watch a client/server Internet connection, you insert SniffInet between the client and the server. You break the connection between the client and the server and put SniffInet in the middle. The client talks to SniffInet and SniffInet talks to the server.
Not all client/server connections can be split this way, but SniffInet has capabilities and features that allow it to be in the middle of many such connections. The same communication happens between the client and the server as without SniffInet in the middle, but with it in the middle you can see your traffic in almost real-time.
Decrypt SSL/TLS
SniffInet can decrypt secure Internet connections that use SSL/TLS.
SniffInet does not break Internet security. Internet traffic is secured by encrypting it, making the data unreadable by anyone but the two end points.
SniffInet works by turning a single encrypted connection between points A and B into two encrypted connections, A to SniffInet and SniffInet to B, with SniffInet in the middle. So SniffInet is two end points and has access to unencrypted data.
The Examples below show SniffInet in the middle of plain text connections and then a corresponding example of SniffInet in the middle of an encrypted connection.
Connect Secure and Plain Text Hosts
SniffInet can connect non-TLS clients to TLS servers, and it can connect TLS clients to non-TLS servers. It can be a "protocol converter" for SSL/TLS to and from plain text.
In the rare instances where a client cannot do TLS and a server requires TLS, or vice-versa where the client requires TLS but the server does not have it, SniffInet can connect the two. Because SniffInet creates two connections, A to SniffInet and SniffInet to B, you can choose to make either connection encrypted or unencrypted.
The "Half Encrypted" Examples below show SniffInet encrypting just the client and then just the server.
Port Conversion in The Cloud
Because the client always connects to SniffInet on SniffInet's own port (4023) and SniffInet connects to the server on whatever Server Port the Connector specifies, the two ends of a connection do not have to use the same port. Combined with the SSL/TLS options, this lets a client that only speaks plain POP reach a server that only offers POP over TLS on a different port, with no change on either end other than where the client is pointed.
The "Port Translated" Case Study below shows SniffInet connecting a client that requires POP to a server that requires SPOP.
Setup
Using SniffInet is a two step process. You create a SniffInet "Connector" that gives SniffInet the information it needs to get in the middle of the client/server connection, and then you tell the client to connect to this Connector instead of the server it normally connects to. When the client then connects, it connects to SniffInet and SniffInet connects to the server.
A Connector needs three things:
- Client:
- The Connector will listen for a client to "come calling" from this IP address.
- Server:
- Once the Connector gets a "call" from a client, it will in turn call (connect to) a server at this IP address. See the next paragraph about "point" for where to find this in the client.
- Server Port:
- The port the Connector should use when connecting to the server. Note that SniffInet requires the client to connect to a SniffInet port (4023) and not its usual port, which is why the Server Port is required here.
To "point" the client at the Connector, find the setting in the client that says what server name or IP address to connect to. This is the IP address and port you should enter into the Connector Server settings above. Temporarily change the client to connect to sniffinet.checktls.com on port 4023 instead.
When the client connects to the server, SniffInet will be in the middle and will pass all traffic to and from the two ends. But now it will capture all data transmitted.
Usage
Installed in the middle of the client/server connection, SniffInet passes all the traffic between the client and the server, so both of them function just as they would if it wasn't there. But with SniffInet in the middle you can see everything that goes on between the two sides.
After you create a Connector you can leave it running. You do not have to stay on the web page. SniffInet runs continuously on our servers and saves all the traffic.
When you come back to the SniffInet webpage, the Connector fields will be filled in with your Connector information. Whether you stay on the page or come back, you have these options:
- Show Capture
- Displays the data that the Connector has captured since it was created or last erased.
- Erase Capture
- Erase all the captured data. This does not delete the Connector, it just clears it so it's ready for new data.
- Download Capture
- Downloads the data that the Connector has captured since it was created or last erased.
- Update Connector
- Saves the fields on the screen to your Connector, replacing whatever was there.
- Delete Connector
- This removes the Connector from our system, removing the captured data and preventing a client from connecting to it anymore. Once deleted, the captured data is completely removed from our servers, logs, backups, everything.
We recommend using test data rather than sensitive data that you want to keep secret. We have NO RESPONSIBILITY to protect the data that SniffInet captures. If you use real data, you should remove it as soon as possible. Better safe than sorry.
SniffInet captures binary data as well as text. See below for information on decrypting SSL/TLS data, which without decryption options just shows as binary data.
Results
The captured data ("Capture") is displayed like this:
<---S<---(1) @2022-09-13_13:34:32.691 49 bytes
This is data sent from the Server to the Client.
--->S--->(1) @2022-09-13_13:34:36.881 49 bytes
This is data sent from the Client to the Server.
~~~>S~~~>(1) @2022-09-13_13:47:09.630 59 bytes
This is encrypted data sent from the Client to the Server.
~~~>S--->(1) @2022-09-13_13:47:09.630 59 bytes
This is data sent encrypted from the Client to SniffInet but sent in plain text to the Server.
The first 9 characters indicate the flow of the data that follows.
The first 4 are an "arrow" that shows which direction data was flowing to/from the Client: arrow pointing left is data flowing to the Client, arrow pointing right is data flowing from the Client.
The middle character is an "S", representing SniffInet in the middle.
The last 4 characters are an arrow showing data flowing to/from the Server: pointing left is data flowing from the Server, pointing right is data flowing to the Server.
The number after the first 9 is a thread number. Browsers are especially guilty of making many connections at once to a server, so keeping them straight can be important. In the Capture, data transfers are in the order they occurred, so threads may be mixed up. The thread number can be used to make sense of things.
So the first line above has the symbols (<---S<---) which show the following data was sent from the Server (arrow on the right of the "S" pointing left), through SniffInet (the S in the middle), to the Client (arrow on the left of the "S" pointing left).
The symbols (--->S--->) on the second line show that the following data was sent from the Client, through SniffInet, to the Server.
The symbols (~~~>S~~~>) on the third line show that the following data was sent encrypted from the Client, through SniffInet, to the Server. Tildes (~) in an arrow mean that side of SniffInet was encrypted; dashes (-) mean it was plain text.
The symbols (~~~>S--->) on the fourth line show data that was encrypted between the Client and SniffInet but sent in plain text between SniffInet and the Server.
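As an added example, not part of the original page and not SniffInet's own code, here is a small Python parser for the Capture format just described. It splits the 9-character prefix into the client-side and server-side arrows to recover direction, per-leg encryption and thread number, regroups interleaved threads, and also recognises the "switched to SSL" event lines that appear in the STARTTLS captures further down; the sample capture it parses is constructed from the lines above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Transfer header, e.g. "<---S<---(1) @2022-09-13_13:34:32.691 49 bytes":
# 4 client-side arrow chars, "S", 4 server-side arrow chars, thread, timestamp, size.
HEADER_RE = re.compile(
    r"^(?P<client>[<>~-]{4})S(?P<server>[<>~-]{4})\((?P<thread>\d+)\) "
    r"@(?P<ts>\S+) (?P<nbytes>\d+) bytes$")
# Event line written when a leg switches to TLS (SSL Switch), e.g.
# "~~~~~~~~~~(1) @2022-09-12_11:05:23.929 Server switched to SSL".
EVENT_RE = re.compile(r"^~{10}\((?P<thread>\d+)\) @(?P<ts>\S+) (?P<text>.+)$")

@dataclass
class Transfer:
    thread: int
    ts: str
    direction: str        # "client->server" or "server->client"
    client_tls: bool      # "~" arrow on the client side: client<->SniffInet leg encrypted
    server_tls: bool      # "~" arrow on the server side: SniffInet<->server leg encrypted
    declared_bytes: int   # the "N bytes" figure from the header
    payload: str          # the lines that follow the header

@dataclass
class Event:
    thread: int
    ts: str
    text: str             # e.g. "Client switched to SSL"

def parse_capture(text: str) -> List[object]:
    """Split a SniffInet Capture into Transfer and Event records, in capture order."""
    records: List[object] = []
    current: Optional[Transfer] = None
    body: List[str] = []

    def flush() -> None:
        if current is not None:
            current.payload = "\n".join(body).strip("\n")
            records.append(current)

    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            flush()
            c, s = m.group("client"), m.group("server")
            # A right-pointing client arrow means the data left the client.
            current = Transfer(int(m.group("thread")), m.group("ts"),
                               "client->server" if ">" in c else "server->client",
                               "~" in c, "~" in s, int(m.group("nbytes")), "")
            body = []
            continue
        e = EVENT_RE.match(line)
        if e:
            flush()
            current, body = None, []
            records.append(Event(int(e.group("thread")), e.group("ts"), e.group("text")))
            continue
        body.append(line)
    flush()
    return records

def by_thread(records: List[object]) -> Dict[int, List[object]]:
    """Regroup interleaved records by thread number so each connection reads in order."""
    threads: Dict[int, List[object]] = {}
    for r in records:
        threads.setdefault(r.thread, []).append(r)
    return threads

# Constructed sample capture, modelled on the lines above plus an SSL Switch event line.
SAMPLE_CAPTURE = """\
<---S<---(1) @2022-09-13_13:34:32.691 49 bytes
This is data sent from the Server to the Client.
--->S--->(2) @2022-09-13_13:34:36.881 49 bytes
This is data sent from the Client to the Server.
~~~~~~~~~~(1) @2022-09-13_13:47:09.630 Client switched to SSL
~~~>S--->(1) @2022-09-13_13:47:09.630 59 bytes
This is data sent encrypted from the Client to SniffInet but sent in plain text to the Server.
"""
```

Because the capture lists transfers in the order they occurred, by_thread is what makes a browser session with several parallel connections readable.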
Unencrypted Examples
Email Example
Capture a plain text SMTP session.
The SniffInet Connector:
Tell the client to connect to sniffinet.checktls.com:4023 instead of mail.checktls.com:25.
The capture looks like:
<---S<---(1) @2022-09-08_10:50:45.068 89 bytes
220 mail.checktls.com ESMTP Sendmail 8.15.2/8.15.2; Thu, 8 Sep 2022 10:50:44 -0400
--->S--->(1) @2022-09-08_10:50:46.069 27 bytes
EHLO test.checktls.com
<---S<---(1) @2022-09-08_10:50:47.069 198 bytes
250-mail.checktls.com Hello sniffinet.checktls.com [165.227.190.238], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-STARTTLS
250-DELIVERBY
250 HELP
--->S--->(1) @2022-09-08_10:50:48.070 31 bytes
MAIL FROM:<test@checktls.com>
<---S<---(1) @2022-09-08_10:50:49.070 44 bytes
250 2.1.0 <test@checktls.com>... Sender ok
--->S--->(1) @2022-09-08_10:50:50.071 29 bytes
RCPT TO:<test@checktls.com>
<---S<---(1) @2022-09-08_10:50:51.071 47 bytes
250 2.1.5 <test@checktls.com>... Recipient ok
--->S--->(1) @2022-09-08_10:50:52.072 6 bytes
DATA
<---S<---(1) @2022-09-08_10:50:53.072 50 bytes
354 Enter mail, end with "." on a line by itself
--->S--->(1) @2022-09-08_10:50:54.073 284 bytes
Date: Thu, 08 Sep 2022 10:50:44 -0400
To: test@checktls.com
From: test@checktls.com
Subject: test Thu, 08 Sep 2022 10:50:44 -0400
Message-Id: <20220908105044.1402657@test.checktls.com>

This is a test mailing
.
<---S<---(1) @2022-09-08_10:50:55.073 57 bytes
250 2.0.0 288EoijX3800733 Message accepted for delivery
--->S--->(1) @2022-09-08_10:50:56.074 6 bytes
QUIT
<---S<---(1) @2022-09-08_10:50:57.074 53 bytes
221 2.0.0 mail.checktls.com closing connection
Browser Example
Capture a plain text webpage.
URL: http://www.checktls.com/smalltestpage.html
Which results in this webpage:
Heading
Content
The SniffInet Connector is:
(see HTML Fixup below for what this setting does.)
Tell the browser to connect to
http://sniffinet.checktls.com:4023/smalltestpage.html
The capture looks like:
--->S--->(3) @2022-09-12_11:39:36.950 748 bytes
GET /smalltestpage.html HTTP/1.1
Host: www.checktls.com:80
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US,en;q=0.9,und;q=0.8
<---S<---(3) @2022-09-12_11:39:37.950 741 bytes
HTTP/1.1 200 OK
Date: Mon, 12 Sep 2022 15:39:36 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k PHP/7.2.24 mod_perl/2.0.11 Perl/v5.26.3
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Origin, Content_Type, X-Auth-Token, Authorization
Vary: Accept-Encoding
Last-Modified: Mon, 12 Sep 2022 15:35:53 GMT
ETag: "68-5e87ca6a88ef4"
Accept-Ranges: bytes
Content-Length: 104
Cache-Control: max-age=86400
Expires: Tue, 13 Sep 2022 15:39:36 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<html>
<head>
<title>Title</title>
</head>
<body>
<h1>Heading</h1>
<p>Content</p>
</body>
</html>
Browser Example with Binary
Keeping that same SniffInet Connector, but browsing to a URL that returns binary (http://www.checktls.com/favicon.ico), the capture looks like:
--->S--->(3) @2022-09-12_11:39:38.951 708 bytes
GET /favicon.ico HTTP/1.1
Host: www.checktls.com:80
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://www.checktls.com:80/smalltestpage.html
Accept-Language: en-US,en;q=0.9,und;q=0.8
<---S<---(3) @2022-09-12_11:39:39.952 15711 bytes
00000000 48 54 54 50 2F 31 2E 31 - 20 32 30 30 20 4F 4B 0D HTTP/1.1 200 OK.
........ lines deleted ........
00003D40 57 00 00 F0 11 00 00 FB - FF 00 00 FF FF 00 00 FF W...............
00003D50 FF 00 00 FF FF 00 00 FF - FF 00 00 FF FF 00 00 ...............
Usage on Encrypted (SSL/TLS) Sessions
In the middle of a client/server connection, SniffInet decodes the encrypted data both to and from the client and to and from the server.
To make an encrypted (SSL/TLS) connection to SniffInet from a client, connect the client to port 4023 at sniffinet.checktls.com and turn on the Client SSL flag.
To make an encrypted (SSL/TLS) connection from SniffInet to a server, create the Connector with the Server Port set to the server's encrypted port (e.g. POP3S instead of POP3) and turn on the Server SSL flag.
The Connector fields that have to do with SSL/TLS are:
- Client SSL?
- Tells SniffInet to make an SSL/TLS connection to the client. Remember to set the Client Port to port 4023 at SniffInet.CheckTLS.com.
- Server SSL?
- Tells SniffInet to make an SSL/TLS connection to the server. Remember to set the Server Port to the SSL/TLS port on the server, for example SMTPs instead of SMTP.
- HTTP Fixup?
- Many web servers host multiple websites. They look at the host part of a URL to determine which content to deliver. The host name is the part after the http:// and before the next slash, i.e. the "en.wikipedia.org" in https://en.wikipedia.org/wiki/URL. When using SniffInet, the client is pointed to https://sniffinet.checktls.com:4023/wiki/URL instead of the actual URL. The server doesn't have a website for "sniffinet.checktls.com", so the session fails. Turning on HTTP Fixup makes SniffInet replace all occurrences of "sniffinet.checktls.com" with whatever is in the Connector's Server field. This makes the server see a request to, for example, https://en.wikipedia.org/wiki/URL when the user browses to https://sniffinet.checktls.com:4023/wiki/URL.
- Cert Fixup?
- SSL Intercept?
- SSL Switch:
- SniffInet can turn on encryption during a session. For example, this is how STARTTLS works with SMTP. A plain text session is started on port 25, but the client then issues a STARTTLS command to tell both sides to start encrypting everything. SniffInet duplicates this ability by matching the last plain text string in the data stream before encryption starts. Using STARTTLS as an example, the last plain text string is the server sending the line "220 2.0.0 Ready to start TLS". To match this, use "Ready to start TLS[\r\n]*" in the SSL Switch field.
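An added example, not SniffInet's own code, that models how a Connector's HTTP Fixup and SSL Switch settings act on the relayed data and how the per-leg state shows up in the capture prefixes. The Connector class, its field names, and the assumption that HTTP Fixup also rewrites the port (the browser captures above show Host: www.checktls.com:80 after fixup) are this example's own; the SMTP and HTTP messages it replays are constructed from the page's examples.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Where the client is pointed (from the page); Server and Server Port come from the Connector.
SNIFFINET_HOST = "sniffinet.checktls.com"
SNIFFINET_PORT = 4023

@dataclass
class Connector:
    """Assumed model of one relayed session; field names mirror the Connector form."""
    server_host: str
    server_port: int
    client_ssl: bool = False   # "Client SSL?": client<->SniffInet leg is encrypted
    server_ssl: bool = False   # "Server SSL?": SniffInet<->server leg is encrypted
    http_fixup: bool = False   # "HTTP Fixup?"
    ssl_switch: str = ""       # "SSL Switch" regex, e.g. r"Ready to start TLS[\r\n]*"
    log: List[Tuple[str, str]] = field(default_factory=list)  # (capture prefix, data)

    def _prefix(self, to_server: bool) -> str:
        """Build the 9-character capture prefix from the current state of each leg."""
        def arrow(encrypted: bool) -> str:
            body = "~~~" if encrypted else "---"
            return body + ">" if to_server else "<" + body
        return arrow(self.client_ssl) + "S" + arrow(self.server_ssl)

    def from_client(self, data: str) -> str:
        """Relay client->server data. HTTP Fixup replaces the SniffInet host (and, as the
        browser captures show, its port) with the Connector's Server and Server Port."""
        if self.http_fixup:
            data = data.replace(f"{SNIFFINET_HOST}:{SNIFFINET_PORT}",
                                f"{self.server_host}:{self.server_port}")
            data = data.replace(SNIFFINET_HOST, self.server_host)
        self.log.append((self._prefix(True), data))
        return data

    def from_server(self, data: str) -> str:
        """Relay server->client data. When it matches the SSL Switch pattern it is the
        last plain text string: both legs switch to TLS before anything else is relayed."""
        self.log.append((self._prefix(False), data))
        if (self.ssl_switch and not (self.client_ssl and self.server_ssl)
                and re.search(self.ssl_switch, data)):
            self.server_ssl = True
            self.log.append(("~~~~~~~~~~", "Server switched to SSL"))
            self.client_ssl = True
            self.log.append(("~~~~~~~~~~", "Client switched to SSL"))
        return data

    def prefixes(self) -> List[str]:
        return [p for p, _ in self.log]

def starttls_session() -> List[str]:
    """Replay the page's STARTTLS SMTP exchange (messages constructed and abbreviated
    here) and return the capture prefix the Connector would emit for each step."""
    c = Connector("mail.checktls.com", 25, ssl_switch=r"Ready to start TLS[\r\n]*")
    c.from_server("220 mail.checktls.com ESMTP Sendmail 8.15.2/8.15.2\r\n")
    c.from_client("EHLO www.checktls.com\r\n")
    c.from_server("250-mail.checktls.com Hello\r\n250-STARTTLS\r\n250 HELP\r\n")
    c.from_client("STARTTLS\r\n")
    c.from_server("220 2.0.0 Ready to start TLS\r\n")  # matches SSL Switch: both legs go TLS
    c.from_client("EHLO www.checktls.com\r\n")         # now logged as ~~~>S~~~>
    c.from_server("250 HELP\r\n")
    return c.prefixes()

def http_fixup_request() -> str:
    """Run the browser example's request (constructed here) through HTTP Fixup."""
    c = Connector("www.checktls.com", 80, http_fixup=True)
    return c.from_client("GET /smalltestpage.html HTTP/1.1\r\n"
                         "Host: sniffinet.checktls.com:4023\r\n"
                         "Referer: http://sniffinet.checktls.com:4023/smalltestpage.html\r\n\r\n")
```

Setting only one of client_ssl or server_ssl reproduces the half-encrypted prefixes (<---S<~~~ and <~~~S<---) from the Case Studies at the end of the page.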
Encrypted Examples
HTTPS Browser Example (encrypted)
Using the same SniffInet Connector as the above browser example to capture an HTTPS URL, the capture now has unreadable binary when the connection switches to TLS:
https://www.checktls.com/smalltestpage.html
The Connector (changed to use Port 443):
Tell the browser to connect to (changed to https):
https://sniffinet.checktls.com:4023/smalltestpage.html instead of https://www.checktls.com/smalltestpage.html
The capture looks like:
<---S<---(2) @2022-09-13_08:44:33.555 24 bytes
00000000 17 03 03 00 13 FF 36 A4 - 8C 9C 79 B8 E5 16 19 A8 ......6...y.....
00000010 B4 64 1E 43 63 E8 97 E3 .d.Cc...
<---S<---(3) @2022-09-13_08:44:33.784 24 bytes
00000000 17 03 03 00 13 A3 61 15 - 68 76 E2 8C 1E 13 50 C2 ......a.hv....P.
00000010 61 93 88 ED 47 D1 67 04 a...G.g.
--->S--->(4) @2022-09-13_08:44:36.389 623 bytes
00000000 16 03 01 02 6A 01 00 02 - 66 03 03 34 33 4B 9D 22 ....j...f..43K."
........ lines deleted ........
00000250 09 69 36 4C C0 C4 01 FE - 5A 05 0A 91 52 9A 2A 17 .i6L....Z...R.*.
00000260 D0 8A 51 97 27 B2 FC 99 - F0 9B 19 27 30 40 25 ..Q.'......'0@%
--->S--->(5) @2022-09-13_08:44:36.391 623 bytes
00000000 16 03 01 02 6A 01 00 02 - 66 03 03 02 14 98 1D 08 ....j...f.......
........ lines deleted ........
00000240 A2 98 46 BC 52 64 B4 01 - D4 A6 4A AF A6 FF B6 62 ..F.Rd....J....b
00000250 C4 C9 8D 6E 19 6E 11 E4 - 54 FB 95 89 3C 32 9B F4 ...n.n..T...<2..
00000260 28 C6 B0 4C 05 DC 8E E7 - 7D F7 8A 8A 3A 59 86 (..L....}...:Y.
........ lines deleted ........
Note that SniffInet will still pass SSL connections through without the Server/Client SSL flags, because SniffInet is transparently in between the Client and the Server. Obviously, though, the encrypted traffic is unreadable.
HTTPS Browser Example (decrypted)
The same HTTPS session with SniffInet's Client and Server SSL flags set shows the readable unencrypted data:
Tell the browser to connect to
https://sniffinet.checktls.com:4023/smalltestpage.html instead of https://www.checktls.com/smalltestpage.html
Decrypts the session:
~~~>S~~~>(6) @2022-09-13_08:20:28.136 965 bytes
GET /smalltestpage.html HTTP/1.1
Host: www.checktls.com:443
Connection: keep-alive
sec-ch-ua: "Google Chrome";v="105", "Not)A;Brand";v="8", "Chromium";v="105"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Language: en-US,en;q=0.9,und;q=0.8
<~~~S<~~~(6) @2022-09-13_08:20:29.137 800 bytes
HTTP/1.1 200 OK
Date: Tue, 13 Sep 2022 12:20:28 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k PHP/7.2.24 mod_perl/2.0.11 Perl/v5.26.3
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Origin, Content_Type, X-Auth-Token, Authorization
Strict-Transport-Security: max-age=300; includeSubDomains
Vary: Accept-Encoding
Last-Modified: Mon, 12 Sep 2022 15:35:53 GMT
ETag: "68-5e87ca6a88ef4"
Accept-Ranges: bytes
Content-Length: 104
Cache-Control: max-age=86400
Expires: Wed, 14 Sep 2022 12:20:28 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<html>
<head>
<title>Title</title>
</head>
<body>
<h1>Heading</h1>
<p>Content</p>
</body>
</html>
Encrypted (STARTTLS) Email Example
Using the same SniffInet Connector as the above email example to capture SMTP that uses STARTTLS, the capture now has unreadable binary when the connection switches to TLS:
<---S<---(1) @2022-09-12_08:59:26.346 90 bytes
220 mail.checktls.com ESMTP Sendmail 8.15.2/8.15.2; Mon, 12 Sep 2022 08:59:26 -0400
--->S--->(1) @2022-09-12_08:59:27.346 27 bytes
EHLO www.checktls.com
<---S<---(1) @2022-09-12_08:59:28.347 198 bytes
250-mail.checktls.com Hello sniffinet.checktls.com [165.227.190.238], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-STARTTLS
250-DELIVERBY
250 HELP
--->S--->(1) @2022-09-12_08:59:29.347 10 bytes
STARTTLS
<---S<---(1) @2022-09-12_08:59:30.348 30 bytes
220 2.0.0 Ready to start TLS
--->S--->(1) @2022-09-12_08:59:31.349 517 bytes
00000000 16 03 01 02 00 01 00 01 - FC 03 03 B7 3D DC 10 F5 ............=...
........ lines deleted ........
000001F0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00000200 00 00 00 00 00 .....
<---S<---(1) @2022-09-12_08:59:32.350 6172 bytes
00000000 16 03 03 00 7A 02 00 00 - 76 03 03 4F 50 BC 39 4B ....z...v..OP.9K
........ lines deleted ........
00001800 46 85 40 E2 2B 42 67 54 - 48 0F 69 73 23 05 B6 74 F.@.+BgTH.is#..t
00001810 F8 A3 3F 2D 53 AE 47 64 - 61 0F 35 34 ..?-S.Gda.54
........ lines deleted ........
STARTTLS Email Decrypted
This same SMTP session with the SSL Switch set for STARTTLS will decrypt the data:
Decrypts the SMTP session:
<---S<---(1) @2022-09-12_11:05:19.926 90 bytes
220 mail.checktls.com ESMTP Sendmail 8.15.2/8.15.2; Mon, 12 Sep 2022 11:05:19 -0400
--->S--->(1) @2022-09-12_11:05:20.927 27 bytes
EHLO www.checktls.com
<---S<---(1) @2022-09-12_11:05:21.928 198 bytes
250-mail.checktls.com Hello sniffinet.checktls.com [165.227.190.238], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-STARTTLS
250-DELIVERBY
250 HELP
--->S--->(1) @2022-09-12_11:05:22.928 10 bytes
STARTTLS
<---S<---(1) @2022-09-12_11:05:23.929 30 bytes
220 2.0.0 Ready to start TLS
~~~~~~~~~~(1) @2022-09-12_11:05:23.929 Server switched to SSL
~~~~~~~~~~(1) @2022-09-12_11:05:23.929 Client switched to SSL
~~~>S~~~>(1) @2022-09-12_11:05:24.958 27 bytes
EHLO www.checktls.com
<~~~S<~~~(1) @2022-09-12_11:05:25.000 184 bytes
250-mail1.checktls.com Hello sniffinet.checktls.com [165.227.190.238], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DELIVERBY
250 HELP
~~~>S~~~>(1) @2022-09-12_11:05:26.001 31 bytes
MAIL FROM:<test@checktls.com>
<~~~S<~~~(1) @2022-09-12_11:05:27.001 44 bytes
250 2.1.0 <test@checktls.com>... Sender ok
~~~>S~~~>(1) @2022-09-12_11:05:28.002 29 bytes
RCPT TO:<test@checktls.com>
<~~~S<~~~(1) @2022-09-12_11:05:29.003 47 bytes
250 2.1.5 <test@checktls.com>... Recipient ok
~~~>S~~~>(1) @2022-09-12_11:05:30.003 6 bytes
DATA
<~~~S<~~~(1) @2022-09-12_11:05:31.004 50 bytes
354 Enter mail, end with "." on a line by itself
~~~>S~~~>(1) @2022-09-12_11:05:32.005 284 bytes
Date: Mon, 12 Sep 2022 11:05:19 -0400
To: test@checktls.com
From: test@checktls.com
Subject: test Mon, 12 Sep 2022 11:05:19 -0400
Message-Id: <20220912110519.1429233@www.checktls.com>
X-Mailer: swaks v20181104.0 jetmore.org/john/code/swaks/

This is a test mailing
.
<~~~S<~~~(1) @2022-09-12_11:05:33.005 57 bytes
250 2.0.0 28CF5Jnd3807723 Message accepted for delivery
~~~>S~~~>(1) @2022-09-12_11:05:34.006 6 bytes
QUIT
<~~~S<~~~(1) @2022-09-12_11:05:35.007 53 bytes
221 2.0.0 mail.checktls.com closing connection
HTML Fixup
Coming Soon
Case Studies
POP Mail (plain text, encrypted, half-encrypted, and port translated)
Plain
The SniffInet Connector to capture a phone accessing a mailbox using the POP protocol:
Tell the phone to connect to sniffinet.checktls.com port 4023 instead of mail.checktls.com port POP3. The capture looks like:
<---S<---(1) @2022-09-13_13:34:32.691 20 bytes
+OK Dovecot ready.
--->S--->(1) @2022-09-13_13:34:36.881 6 bytes
quit
<---S<---(1) @2022-09-13_13:34:37.882 17 bytes
+OK Logging out
Encrypted
The SniffInet Connector to capture a phone accessing a mailbox using secure (encrypted) POP protocol:
Tell the phone to connect to sniffinet.checktls.com port 4023 instead of mail.checktls.com port POP3S. The capture looks like:
<~~~S<~~~(1) @2022-09-13_16:31:43.819 20 bytes
+OK Dovecot ready.
~~~>S~~~>(1) @2022-09-13_16:31:47.473 6 bytes
quit
<~~~S<~~~(1) @2022-09-13_16:31:48.474 17 bytes
+OK Logging out
Half Encrypted (plain client, ssl server)
The SniffInet Connector to capture a phone accessing a mailbox where the phone cannot do TLS but the server does:
Tell the phone to connect to sniffinet.checktls.com port 4023 instead of mail.checktls.com port POP3S. The capture looks like:
<---S<~~~(3) @2022-09-14_14:42:21.811 20 bytes
+OK Dovecot ready.
--->S~~~>(3) @2022-09-14_14:42:24.039 6 bytes
quit
<---S<~~~(3) @2022-09-14_14:42:25.039 17 bytes
+OK Logging out
Half Encrypted (ssl client, plain server)
The SniffInet Connector to capture a phone that requires TLS accessing a mailbox that does not have TLS:
Tell the phone to connect to sniffinet.checktls.com port 4023 instead of mail.checktls.com port POP3. The capture looks like:
<~~~S<---(1) @2022-09-14_15:05:14.273 20 bytes
+OK Dovecot ready.
~~~>S--->(1) @2022-09-14_15:05:16.823 5 bytes
quit
<~~~S<---(1) @2022-09-14_15:05:17.824 17 bytes
+OK Logging out
Port Translated
The SniffInet Connector to capture a Client that requires POP to a Server that requires SPOP:
Tell the phone to connect to custom-sniffinet.checktls.com port POPS (110). The capture looks like:
<---S<~~~(1) @2022-09-14_15:05:14.273 20 bytes
+OK Dovecot ready.
--->S~~~>(1) @2022-09-14_15:05:16.823 5 bytes
quit
<---S<~~~(1) @2022-09-14_15:05:17.824 17 bytes
+OK Logging out