Symantec antivirus on a VPN-connected Windoze machine is detecting an intrusion from a host on our VPN. Symantec can do this because the VPN client on the destination machine decrypts the messages before Symantec sees them. (Right?)

I am monitoring using a Mac with Wireshark on a hub which also supports the Windoze machine that's detecting the intrusion.

Because the Winders machine is on the VPN, but my monitoring Wireshark machine is not VPN connected, is there some capture filter that can decode the encrypted messages? Assume I can capture the packets which set up the VPN, and I have the RSA passcode.

The IP message header wouldn't be encrypted (else the network couldn't route it), so shouldn't I see the source host sending the packets?

Or is the source host's entire message being encrypted by the VPN server at the other end before I get it, and the VPN client removes the IP header and decrypts it, so all I can see by capturing is the destination host and the VPN source host in the packet?

(I did search 'questions' for VPN and encrypt and got zero hits for either, I'm sorry if this has been answered somewhere.)

asked 03 Apr '12, 11:06


PReinie
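As an added illustration (not part of the original question; the thread does not say which VPN protocol is in use, so IPsec ESP in tunnel mode is assumed here), this Python script builds two constructed packets with documentation addresses and reports what a host capturing on the hub can read from each without the tunnel's session keys. The outer IP header, SPI and sequence number are in the clear; the inner IP header and payload are ciphertext, and a Wireshark capture filter only selects packets, it does not decrypt them.

```python
import struct

ESP, TCP, UDP = 50, 6, 17


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 header (no options, checksum left zero) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def dissect(pkt: bytes) -> dict:
    """Report what an on-path observer can read from one IPv4 packet without tunnel keys."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    body = pkt[ihl:total_len]
    info = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "proto": proto}
    if proto == ESP:
        # RFC 4303: only the SPI and sequence number are readable; everything after them is
        # ciphertext, including the inner IP header in tunnel mode, so the originating host
        # behind the VPN gateway is not visible to the capturing machine.
        spi, seq = struct.unpack("!II", body[:8])
        info.update(spi=spi, seq=seq, inner_visible=False, ciphertext_len=len(body) - 8)
    elif proto in (TCP, UDP):
        # Plain traffic: endpoints and ports are readable on the hub.
        sport, dport = struct.unpack("!HH", body[:4])
        info.update(sport=sport, dport=dport, inner_visible=True)
    return info


# Constructed samples (RFC 5737 documentation addresses, not real hosts).
# 1) Tunnelled traffic as seen on the hub: VPN gateway -> Windows client, ESP.
esp_pkt = build_ipv4("203.0.113.10", "192.0.2.25", ESP,
                     struct.pack("!II", 0x0A1B2C3D, 7) + bytes(range(48)))  # fake SPI/seq + opaque bytes
# 2) A non-tunnelled packet for comparison: ports and both endpoints are readable.
tcp_pkt = build_ipv4("192.0.2.25", "198.51.100.7", TCP,
                     struct.pack("!HH", 51234, 443) + b"\x00" * 16)

if __name__ == "__main__":
    for p in (esp_pkt, tcp_pkt):
        print(dissect(p))
```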

