Better support for viewing and scrolling large images extracted in the User Objects tab. The previous builds would perform very slowly on Windows 7 and 8 when viewing large images.
Save multiple user objects to a folder now has an option to automatically open the folder where these are saved
Support for ascending and descending sort on any column in the User Objects sheet
Better support to import a range of packets from a PCAP file.
If you haven’t used Unsniff in a while it is time to try it out now. There have been tons of improvements in 2013 especially in the forensics area.
A post on the Wireshark Q&A site wondered if you controlled the client or the server and could output the so called master secret, can you then decrypt the SSL/TLS traffic? The answer is absolutely!
If you had the master secret, it does not matter what key exchange algorithm you use. The only question left is : Do you support decryption of the cipher!
Differences with Wireshark
Unsniff supports entering a master secret directly. Wireshark allows you to enter something called a ‘unencrypted pre master secret’, we think if you can instrument the client anyway – why not just print out the master secret. Unsniff also doesnt care about the session id as a way of mapping flows to keys – the mapping is much weaker. You can arrange to split your PCAPs into flows -> key mapping instead.
Sample run with ECDHE-RSA-RC4-128-SHA (what gmail prefers)
Use the s_client tool to generate a trace run by connecting and typing “GET /”
Notice that big string in bold. That is called the master secret. That’s all you need.
If you have Trisul running in your egress point, grab a PCAP of the above session. Or alternatively run a tcpdump before the s_client tool.
Enter the master secret
Self evident, just use the highlighted buttons.
Run Unsniff on the PCAP
If you clicked on Pull Packets in Trisul, it will automatically open Unsniff the run the decryption for you. Alternately, load the PCAP into Unsniff via File -> Import -> From Libpcap
PDUs
The place to observe the action in Unsniff is in the PDU tab. This may be a little confusing for folks familiar with Wireshark’s link packet based views. What Unsniff does it shows you complete SSL “records” – so an Application Data encrypted record maps cleanly into a “decrypted” record. This is shown with an icon on the left side.
Stream based view
Switch to the streams tab for two extra streams generated from the SSL stream.
Decrypted stream stopping at the TCP layer
Decrypted stream going all the way to the HTTPS (or whatever else) layer
Unsniff is still heavily developed
We’ve received a bunch of emails asking about Unsniff. We are still heavily improving it, unfortunately the documentation and new website is still some time off due to our big Trisul releases. The latest versions for example have top notch reconstruction – even of Video Chats with playback of VP8 and MPEG4-TS, unidirectional streams from satellite connections and more. Check it out now.
We are excited to announce our latest version of Trisul Network Analytics – Release 3.0 is available on www.trisul.org
With Trisul 3.0 you have almost all bases covered as far as access to network security monitoring and audit data is concerned. The key features in this release are :
SSL Certificates are stored in summary and full text search form
HTTP headers are stored in full text search (FTS) form
A brand new FTS search screen generates live faceted results
3 new SSL counter groups to track ciphers in use, orgs, and CAs
Port independent tracking of SSL, HTTP, and FTP traffic
Unsniff Network Analyzer has recently undergone a number of key revisions silently. The most recent improvement being reconstruction of video chat using VP8 and MPEG-4TS codecs. We’ve also added unidirectional reconstruction which is useful for satellite applications.
Use Trisul to monitor continuously and pull in packets to Unsniff to complete your analysis.