Internet Data Packet Sniffer

//cloud/sniffinet ("SniffInet") is an Internet Data Packet Sniffer. It lets you see data that is going through the Internet. To examine data communication between two Internet end points, call them A and B, you insert SniffInet (S) so that A talks to S and S talks to B. Because it is "in the middle", it can see and display all the data flowing between A and B.

SniffInet is similar to many Data Loss Prevention (DLP) devices that can inspect encrypted traffic. SniffInet and DLP products work like Man-In-The-Middle attacks to do the inspection.

SniffInet is also similar to a Packet Analyzer. MITM devices let you see data flowing on a network connection. Packet Analyzers let you see packets flowing on a network connection. (Packets have headers and other extra bytes around the data that they contain.)

MITMs capture data between two hosts, commonly called a client and a server. The MITM must be inserted in the path (network connection) between the client and the server. The client, instead of talking directly to the server, talks to the MITM, and the MITM talks to the server.

Packet Analyzers capture data between two hosts, commonly called a client and a server. Packet Analyzers need a connection to the physical network (the "wire") between the client and the server to be able to "see" the network traffic.

SniffInet is different. It runs in the cloud: it is directly part of the Internet.

Seeing the actual data being transmitted between devices provides additional information beyond error messages and log entries. This data is especially useful for debugging, for example in a new client/server application like a phone talking to a flight information system.

SniffInet is uniquely different from DLP devices and Packet Analyzers because it:

Knowing how SniffInet works is important in understanding what it can do and how to use it.

See Your Data Inside The Internet Cloud

SniffInet lets you see your data "in the cloud" or "on the Internet". While there is no way to sniff, or view, arbitrary Internet traffic, SniffInet can show you specific Internet traffic if you let it. The key is "if you let it".

To watch a client/server Internet connection, you insert SniffInet between the client and the server. You break the connection between the client and the server and put SniffInet in the middle. The client talks to SniffInet and SniffInet talks to the server.

Not all client/server connections can be split this way, but SniffInet has capabilities and features that allow it to be in the middle of many such connections. The same communication happens between the client and the server as without SniffInet in the middle, but with it in the middle you can see your traffic in almost real-time.

Decrypt SSL/TLS

SniffInet can decrypt secure Internet connections that use SSL/TLS.

SniffInet does not break Internet security. Internet traffic is secured by encrypting it, making the data unreadable by anyone but the two end points.

SniffInet works by turning a single encrypted connection between points A and B into two encrypted connections, A to SniffInet and SniffInet to B, with SniffInet in the middle. So SniffInet is two end points and has access to unencrypted data.

The Examples below show SniffInet in the middle of plain text connections and then a corresponding example of SniffInet in the middle of an encrypted connection.

Connect Secure and Plain Text Hosts

SniffInet can connect non-TLS clients to TLS servers, and it can connect TLS clients to non-TLS servers. It can be a "protocol converter" for SSL/TLS to and from plain text.

In the rare instances where a client cannot do TLS and a server requires TLS, or vice-versa where the client requires TLS but the server does not have it, SniffInet can connect the two. Because SniffInet creates two connections, A to SniffInet and SniffInet to B, you can choose to make either connection encrypted or unencrypted.

The "Half Encrypted" Examples below show SniffInet encrypting just the client and then just the server.

Port Conversion in The Cloud


Setup

Using SniffInet is a two step process. You create a SniffInet "Connector" that gives SniffInet the information it needs to get in the middle of the client/server connection, and then you tell the client to connect to this Connector instead of the server it normally connects to. When the client then connects, it connects to SniffInet and SniffInet connects to the server.

A Connector needs three things:

Client:
The Connector will listen for a client to "come calling" from this IP address.
Server:
Once the Connector gets a "call" from a client, it will in turn call (connect to) a server at this IP address. See the next paragraph about "point" for where to find this in the client.
Server Port:
The port the Connector should use when connecting to the server. Note that SniffInet requires the client to connect to a SniffInet port (4023) and not its usual port, which is why the Server Port is required here.
See below for information on the other fields on the SniffInet webpage.

To "point" the client at the Connector, find the setting in the client that says what server name or IP address to connect to. This is the IP address and port you should enter into the Connector Server settings above. Temporarily change the client to connect to sniffinet.checktls.com on port 4023 instead.

When the client connects to the server, SniffInet will be in the middle and will pass all traffic to and from the two ends. But now it will capture all data transmitted.

Usage

Installed in the middle of the client/server connection, SniffInet passes all the traffic between the client and the server, so both of them function just as they would if it wasn't there. But with SniffInet in the middle you can see everything that goes on between the two sides.

After you create a Connector you can leave it running. You do not have to stay on the web page. SniffInet runs continuously on our servers and saves all the traffic.

When you come back to the SniffInet webpage, the Connector fields will be filled in with your Connector information. Whether you stay on the page or come back, you have the following options:

Show Capture
Displays the data that the Connector has captured since it was created or last erased.
Erase Capture
Erase all the captured data. This does not delete the Connector, it just clears it so it's ready for new data.
Download Capture
Downloads the data that the Connector has captured since it was created or last erased.
Update Connector
Saves the fields on the screen to your Connector, replacing whatever was there.
Delete Connector
This removes the Connector from our system, removing the captured data and preventing a client from connecting to it anymore. Once deleted, the captured data is completely removed from our servers, logs, backups, everything.

We recommend using test data rather than sensitive data that you want to keep secret. We have NO RESPONSIBILITY to protect the data that SniffInet captures. If you use real data, you should remove it as soon as possible. Better safe than sorry.

SniffInet captures binary data as well as text. See below for information on decrypting SSL/TLS data, which without decryption options just shows as binary data.

Results

The captured data ("Capture") is displayed like this:

<---S<---(1) @2022-09-13_13:34:32.691 49 bytes
This is data sent from the Server to the Client.
--->S--->(1) @2022-09-13_13:34:36.881 49 bytes
This is data sent from the Client to the Server.
~~~>S~~~>(1) @2022-09-13_13:47:09.630 59 bytes
This is encrypted data sent from the Client to the Server.
~~~>S--->(1) @2022-09-13_13:47:09.630 59 bytes
This is data sent encrypted from the Client to SniffInet but sent in plain text to the Server.

The first 9 characters indicate the flow of the data that follows.
The first 4 are an "arrow" that shows which direction data was flowing to/from the Client: an arrow pointing left is data flowing to the Client, an arrow pointing right is data flowing from the Client. The middle character is an "S", representing SniffInet in the middle. The last 4 characters are an arrow showing data flowing to/from the Server: pointing left is data flowing from the Server, pointing right is data flowing to the Server. Dashes (---) in an arrow mean that side of SniffInet was plain text; tildes (~~~) mean that side was encrypted.

The number after the first 9 is a thread number. Browsers are especially guilty of making many connections at once to a server, so keeping them straight can be important. In the Capture, data transfers are in the order they occurred, so threads may be mixed up. The thread number can be used to make sense of things.

So the first header line above has the symbols (<---S<---), which show that the following data was sent from the Server (arrow on the right of the "S" pointing left), through SniffInet (the S in the middle), to the Client (arrow on the left of the "S" pointing left).

The symbols (--->S--->) on the second header line show that the following data was sent from the Client, through SniffInet, to the Server.
The symbols (~~~>S~~~>) on the third header line show that the following data was sent encrypted from the Client, through SniffInet, to the Server.
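As an added example (not part of the SniffInet page or product), here is a small Python parser for the Capture format just described. It splits a downloaded Capture into records, decodes each header's direction and per-side encryption, and regroups records by thread; the event lines ("Server switched to SSL") are assumed to use ten tildes as shown later on this page, and the sample Capture at the bottom is constructed from lines on this page.

```python
"""Added example: parser for the SniffInet Capture format described above.
Not SniffInet's own code; the sample at the bottom is constructed from this page."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Header line: 9 flow characters (10 tildes for a "switched to SSL" event),
# the thread number in parentheses, an @timestamp, then "N bytes" or event text.
HEADER_RE = re.compile(
    r"^(?P<flow>[<>~\-S]{9,10})\((?P<thread>\d+)\) "
    r"@(?P<ts>\d{4}-\d\d-\d\d_\d\d:\d\d:\d\d\.\d+) (?P<rest>.*)$")
BYTES_RE = re.compile(r"^(\d+) bytes$")

@dataclass
class Record:
    thread: int
    timestamp: datetime
    direction: str               # "client->server", "server->client" or "event"
    client_tls: bool             # left arrow was squiggly (~): client leg encrypted
    server_tls: bool             # right arrow was squiggly (~): server leg encrypted
    nbytes: Optional[int]        # wire size from the header (None for events)
    event: Optional[str] = None  # e.g. "Server switched to SSL"
    payload: str = ""            # the lines that followed the header, verbatim

    @property
    def is_hexdump(self) -> bool:
        """True when SniffInet showed the data as a hex dump (binary or undecrypted TLS)."""
        return re.match(r"^[0-9A-F]{8}  ", self.payload) is not None

def _decode_flow(flow: str):
    """Turn the arrow block into (direction, client_tls, server_tls)."""
    if set(flow) == {"~"}:                      # event line, not a data transfer
        return "event", True, True
    client, mid, server = flow[:4], flow[4], flow[5:9]
    if mid != "S":
        raise ValueError(f"bad flow marker {flow!r}")
    # Both arrows point the same way, so the left arrow decides the direction.
    direction = "server->client" if client.startswith("<") else "client->server"
    return direction, "~" in client, "~" in server

def parse_capture(text: str) -> List[Record]:
    """Split a Capture into records; lines between headers belong to the record above."""
    records: List[Record] = []
    body: List[str] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            body.append(line)                   # payload text or hex dump line
            continue
        if records:
            records[-1].payload = "\n".join(body).rstrip("\n")
        body = []
        direction, ctls, stls = _decode_flow(m["flow"])
        nb = BYTES_RE.match(m["rest"])
        records.append(Record(
            thread=int(m["thread"]),
            timestamp=datetime.strptime(m["ts"], "%Y-%m-%d_%H:%M:%S.%f"),
            direction=direction, client_tls=ctls, server_tls=stls,
            nbytes=int(nb.group(1)) if nb else None,
            event=None if nb else m["rest"]))
    if records:
        records[-1].payload = "\n".join(body).rstrip("\n")
    return records

def by_thread(records: List[Record]) -> Dict[int, List[Record]]:
    """Regroup the interleaved capture by thread number, keeping capture order."""
    out: Dict[int, List[Record]] = {}
    for r in records:
        out.setdefault(r.thread, []).append(r)
    return out

# Constructed sample: header and data lines taken from captures shown on this page.
SAMPLE = """\
<---S<---(1) @2022-09-12_11:05:23.929 30 bytes
220 2.0.0 Ready to start TLS
~~~~~~~~~~(1) @2022-09-12_11:05:23.929 Server switched to SSL
~~~~~~~~~~(1) @2022-09-12_11:05:23.929 Client switched to SSL
~~~>S~~~>(1) @2022-09-12_11:05:24.958 27 bytes
EHLO www.checktls.com
<---S<~~~(3) @2022-09-14_14:42:21.811 20 bytes
+OK Dovecot ready.
<---S<---(2) @2022-09-13_08:44:33.555 24 bytes
00000000  17 03 03 00 13 FF 36 A4 - 8C 9C 79 B8 E5 16 19 A8  ......6...y.....
"""
```

Run `parse_capture(SAMPLE)` and `by_thread(...)` on a Capture downloaded with "Download Capture" to separate the browser's parallel connections.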

Unencrypted Examples

Email Example

Capture a plain text SMTP session.

The SniffInet Connector:

Cloud Packet Sniffer parameter entry
CLIENT:
10.10.10.10
SERVER:
mail.checktls.com
SERVER PORT:
SMTP
CLIENT SSL?
 
SERVER SSL?
 
SUPPRESS LOG?
 
SHOW SSL?
 
HTML Fixup?
 
Cert Fixup?
 
SSL Intercept?
 
SSL Switch:

Tell the client to connect to sniffinet.checktls.com:4023 instead of mail.checktls.com:25.

The capture looks like:

<---S<---(1) @2022-09-08_10:50:45.068 89 bytes
220 mail.checktls.com ESMTP Sendmail 8.15.2/8.15.2; Thu, 8 Sep 2022 10:50:44 -0400
--->S--->(1) @2022-09-08_10:50:46.069 27 bytes
EHLO test.checktls.com
<---S<---(1) @2022-09-08_10:50:47.069 198 bytes
250-mail.checktls.com Hello sniffinet.checktls.com [165.227.190.238], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-STARTTLS
250-DELIVERBY
250 HELP
--->S--->(1) @2022-09-08_10:50:48.070 31 bytes
MAIL FROM:<test@checktls.com>
<---S<---(1) @2022-09-08_10:50:49.070 44 bytes
250 2.1.0 <test@checktls.com>... Sender ok
--->S--->(1) @2022-09-08_10:50:50.071 29 bytes
RCPT TO:<test@checktls.com>
<---S<---(1) @2022-09-08_10:50:51.071 47 bytes
250 2.1.5 <test@checktls.com>... Recipient ok
--->S--->(1) @2022-09-08_10:50:52.072 6 bytes
DATA
<---S<---(1) @2022-09-08_10:50:53.072 50 bytes
354 Enter mail, end with "." on a line by itself
--->S--->(1) @2022-09-08_10:50:54.073 284 bytes
Date: Thu, 08 Sep 2022 10:50:44 -0400
To: test@checktls.com
From: test@checktls.com
Subject: test Thu, 08 Sep 2022 10:50:44 -0400
Message-Id: <20220908105044.1402657@test.checktls.com>

This is a test mailing
.
<---S<---(1) @2022-09-08_10:50:55.073 57 bytes
250 2.0.0 288EoijX3800733 Message accepted for delivery
--->S--->(1) @2022-09-08_10:50:56.074 6 bytes
QUIT
<---S<---(1) @2022-09-08_10:50:57.074 53 bytes
221 2.0.0 mail.checktls.com closing connection

Browser Example

Capture a plain text webpage.
URL: http://www.checktls.com/smalltestpage.html
Which results in this webpage:

Heading

Content

The SniffInet Connector is:

Cloud Packet Sniffer parameter entry
CLIENT:
10.10.10.10
SERVER:
www.checktls.com
SERVER PORT:
HTTP
CLIENT SSL?
 
SERVER SSL?
 
SUPPRESS LOG?
 
SHOW SSL?
 
HTML Fixup?
Cert Fixup?
 
SSL Intercept?
 
SSL Switch:
(see HTML Fixup below for what this setting does.)

Tell the browser to connect to

http://sniffinet.checktls.com:4023/smalltestpage.html
(instead of http://www.checktls.com/smalltestpage.html).

The capture looks like:

--->S--->(3) @2022-09-12_11:39:36.950 748 bytes
GET /smalltestpage.html HTTP/1.1
Host: www.checktls.com:80
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US,en;q=0.9,und;q=0.8

<---S<---(3) @2022-09-12_11:39:37.950 741 bytes
HTTP/1.1 200 OK
Date: Mon, 12 Sep 2022 15:39:36 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k PHP/7.2.24 mod_perl/2.0.11 Perl/v5.26.3
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Origin, Content_Type, X-Auth-Token, Authorization
Vary: Accept-Encoding
Last-Modified: Mon, 12 Sep 2022 15:35:53 GMT
ETag: "68-5e87ca6a88ef4"
Accept-Ranges: bytes
Content-Length: 104
Cache-Control: max-age=86400
Expires: Tue, 13 Sep 2022 15:39:36 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<html>
<head>
  <title>Title</title>
</head>
<body>
  <h1>Heading</h1>
  <p>Content</p>
</body>
</html>

Browser Example with Binary

Keeping that same SniffInet Connector, but browsing to a URL that returns binary (http://www.checktls.com/favicon.ico), the capture looks like:

--->S--->(3) @2022-09-12_11:39:38.951 708 bytes
GET /favicon.ico HTTP/1.1
Host: www.checktls.com:80
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://www.checktls.com:80/smalltestpage.html
Accept-Language: en-US,en;q=0.9,und;q=0.8

<---S<---(3) @2022-09-12_11:39:39.952 15711 bytes
00000000  48 54 54 50 2F 31 2E 31 - 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
........  lines deleted  ........
00003D40  57 00 00 F0 11 00 00 FB - FF 00 00 FF FF 00 00 FF  W...............
00003D50  FF 00 00 FF FF 00 00 FF - FF 00 00 FF FF 00 00     ...............

Usage on Encrypted (SSL/TLS) Sessions

In the middle of a client/server connection, SniffInet decodes the encrypted data both to and from the client and to and from the server.

To make an encrypted (SSL/TLS) connection to SniffInet from a client, connect the client to port 4023 at sniffinet.checktls.com and turn on the Client SSL flag.

To make an encrypted (SSL/TLS) connection from SniffInet to a server, create the Connector with the Server Port set to the server's encrypted port (e.g. POP3S instead of POP3) and turn on the Server SSL flag.

The Connector fields that have to do with SSL/TLS are:

Client SSL?
Tells SniffInet to make an SSL/TLS connection to the client. Remember to set the Client Port to port 4023 at SniffInet.CheckTLS.com.
Server SSL?
Tells SniffInet to make an SSL/TLS connection to the server. Remember to set the Server Port to the SSL/TLS port on the server, for example SMTPs instead of SMTP.
HTML Fixup?
Many web servers host multiple websites. They look at the host part of a URL to determine which content to deliver. The host name is the part after the http:// and before the next slash, i.e. the "en.wikipedia.org" in https://en.wikipedia.org/wiki/URL. When using SniffInet, the client is pointed to https://sniffinet.checktls.com:4023/wiki/URL instead of the actual URL. The server doesn't have a website for "sniffinet.checktls.com", so the session fails. Turning on HTML Fixup makes SniffInet replace all occurrences of "sniffinet.checktls.com" with whatever is in the Connector's Server field. This makes the server see a request to, for example, https://en.wikipedia.org/wiki/URL when the user browses to https://sniffinet.checktls.com:4023/wiki/URL.
Cert Fixup?
SSL Intercept?
SSL Switch:
SniffInet can turn on encryption during a session. For example, this is how STARTTLS works with SMTP. A plain text session is started on port 25, but the client then issues a STARTTLS command to tell both sides to start encrypting everything. SniffInet duplicates this ability by matching the last plain text string in the data stream before encryption starts. Using STARTTLS as an example, the last plain text string is the server sending the line "220 2.0.0 Ready to start TLS". To match this, use "Ready to start TLS[\r\n]*" in the SSL Switch field.
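As an added example (not SniffInet's own code), the following Python models how the HTML Fixup and SSL Switch options described above act on the relayed stream. The SSL Switch regex is the value this page gives; the host:port rewriting rule (sniffinet.checktls.com:4023 becoming the Server name with the server's own port) is an assumption drawn from the Host and Referer lines in the browser capture above, and the 64-byte carry-over for a pattern split across reads is a constructed detail.

```python
"""Added model of two Connector options described above, HTML Fixup and SSL Switch.
Not SniffInet's own code; the behaviour is inferred from this page's captures."""
import re
from typing import List, Optional, Tuple

SNIFF_HOST = b"sniffinet.checktls.com"   # the name the client was pointed at
SNIFF_PORT = 4023

def html_fixup(request: bytes, server: str, server_port: int) -> bytes:
    """Replace the SniffInet name in the request HEADERS with the Connector's Server.

    The page's capture shows Host and Referer carrying the server's own port
    (www.checktls.com:80), so "host:4023" -> "server:port" and a bare host -> server
    (assumption drawn from that capture).  Only the header block is rewritten:
    editing the body would change its length and invalidate Content-Length."""
    head, sep, body = request.partition(b"\r\n\r\n")
    head = head.replace(SNIFF_HOST + b":%d" % SNIFF_PORT,
                        f"{server}:{server_port}".encode())
    head = head.replace(SNIFF_HOST, server.encode())
    return head + sep + body

class Relay:
    """Plain-text relay that flips both legs to TLS once the SSL Switch pattern
    closes a server->client chunk (the "last plain text string")."""

    def __init__(self, ssl_switch: Optional[str], client_ssl=False, server_ssl=False):
        self.client_tls, self.server_tls = client_ssl, server_ssl
        # \Z anchors the match to the END of the data: the EHLO reply also
        # contains "STARTTLS" but must not trigger the switch.
        self.switch_re = re.compile(ssl_switch.encode() + rb"\Z") if ssl_switch else None
        self.tail = b""                                 # carry-over for a split match
        self.log: List[Tuple[str, bool, bytes]] = []    # (direction, encrypted?, data)

    def from_client(self, chunk: bytes) -> None:
        self.log.append(("client->server", self.client_tls, chunk))

    def from_server(self, chunk: bytes) -> bool:
        """Relay a server chunk; return True if TLS was switched on right after it."""
        self.log.append(("server->client", self.server_tls, chunk))
        if self.switch_re is None or self.server_tls:
            return False
        window = self.tail + chunk
        if self.switch_re.search(window):
            self.client_tls = self.server_tls = True   # both handshakes happen here
            self.tail = b""
            return True
        self.tail = window[-64:]
        return False

def starttls_demo() -> Relay:
    """Replay the page's SMTP STARTTLS exchange (constructed from its capture)."""
    r = Relay("Ready to start TLS[\\r\\n]+")            # the page's SSL Switch value
    r.from_server(b"220 mail.checktls.com ESMTP Sendmail\r\n")
    r.from_client(b"EHLO www.checktls.com\r\n")
    r.from_server(b"250-mail.checktls.com Hello\r\n250-STARTTLS\r\n250 HELP\r\n")
    r.from_client(b"STARTTLS\r\n")
    r.from_server(b"220 2.0.0 Ready to start T")          # reply split across two reads
    r.from_server(b"LS\r\n")
    r.from_client(b"EHLO www.checktls.com\r\n")           # now encrypted on both legs
    return r
```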


Encrypted Examples

HTTPS Browser Example (encrypted)

Using the same SniffInet Connector as the browser example above to capture an HTTPS URL:

https://www.checktls.com/smalltestpage.html

the capture will be unreadable binary once the connection switches to TLS.

The Connector (changed to use Port 443):

Cloud Packet Sniffer parameter entry
CLIENT:
10.10.10.10
SERVER:
www.checktls.com
SERVER PORT:
HTTPS
CLIENT SSL?
SERVER SSL?
SUPPRESS LOG?
 
SHOW SSL?
 
HTML Fixup?
Cert Fixup?
 
SSL Intercept?
 
SSL Switch:

Tell the browser to connect to (changed to https):

https://sniffinet.checktls.com:4023/smalltestpage.html
instead of
https://www.checktls.com/smalltestpage.html

The capture looks like:

<---S<---(2) @2022-09-13_08:44:33.555 24 bytes
00000000  17 03 03 00 13 FF 36 A4 - 8C 9C 79 B8 E5 16 19 A8  ......6...y.....
00000010  B4 64 1E 43 63 E8 97 E3                            .d.Cc...

<---S<---(3) @2022-09-13_08:44:33.784 24 bytes
00000000  17 03 03 00 13 A3 61 15 - 68 76 E2 8C 1E 13 50 C2  ......a.hv....P.
00000010  61 93 88 ED 47 D1 67 04                            a...G.g.

--->S--->(4) @2022-09-13_08:44:36.389 623 bytes
00000000  16 03 01 02 6A 01 00 02 - 66 03 03 34 33 4B 9D 22  ....j...f..43K."
........  lines deleted  ........
00000250  09 69 36 4C C0 C4 01 FE - 5A 05 0A 91 52 9A 2A 17  .i6L....Z...R.*.
00000260  D0 8A 51 97 27 B2 FC 99 - F0 9B 19 27 30 40 25     ..Q.'......'0@%

--->S--->(5) @2022-09-13_08:44:36.391 623 bytes
00000000  16 03 01 02 6A 01 00 02 - 66 03 03 02 14 98 1D 08  ....j...f.......
........  lines deleted  ........
00000240  A2 98 46 BC 52 64 B4 01 - D4 A6 4A AF A6 FF B6 62  ..F.Rd....J....b
00000250  C4 C9 8D 6E 19 6E 11 E4 - 54 FB 95 89 3C 32 9B F4  ...n.n..T...<2..
00000260  28 C6 B0 4C 05 DC 8E E7 - 7D F7 8A 8A 3A 59 86     (..L....}...:Y.

........  lines deleted  ........

Note that SniffInet will pass SSL connections through even without the Server/Client SSL flags set, because SniffInet is transparently in between the Client and the Server. Obviously, though, the encrypted traffic is unreadable.

HTTPS Browser Example (decrypted)

The same HTTPS session with SniffInet's Client and Server SSL flags set shows the readable unencrypted data:

Cloud Packet Sniffer parameter entry
CLIENT:
10.10.10.10
SERVER:
www.checktls.com
SERVER PORT:
HTTPS
CLIENT SSL?
SERVER SSL?
SUPPRESS LOG?
 
SHOW SSL?
 
HTML Fixup?
Cert Fixup?
 
SSL Intercept?
 
SSL Switch:

Tell the browser to connect to

https://sniffinet.checktls.com:4023/smalltestpage.html
instead of
https://www.checktls.com/smalltestpage.html

Decrypts the session:

~~~>S~~~>(6) @2022-09-13_08:20:28.136 965 bytes
GET /smalltestpage.html HTTP/1.1
Host: www.checktls.com:443
Connection: keep-alive
sec-ch-ua: "Google Chrome";v="105", "Not)A;Brand";v="8", "Chromium";v="105"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Language: en-US,en;q=0.9,und;q=0.8

<~~~S<~~~(6) @2022-09-13_08:20:29.137 800 bytes
HTTP/1.1 200 OK
Date: Tue, 13 Sep 2022 12:20:28 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k PHP/7.2.24 mod_perl/2.0.11 Perl/v5.26.3
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Origin, Content_Type, X-Auth-Token, Authorization
Strict-Transport-Security: max-age=300; includeSubDomains
Vary: Accept-Encoding
Last-Modified: Mon, 12 Sep 2022 15:35:53 GMT
ETag: "68-5e87ca6a88ef4"
Accept-Ranges: bytes
Content-Length: 104
Cache-Control: max-age=86400
Expires: Wed, 14 Sep 2022 12:20:28 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<html>
<head>
  <title>Title</title>
</head>
<body>
  <h1>Heading</h1>
  <p>Content</p>
</body>
</html>

Encrypted (STARTTLS) Email Example

Using the same SniffInet Connector as the above email example to capture SMTP that uses STARTTLS, the capture now has unreadable binary when the connection switches to TLS:

<---S<---(1) @2022-09-12_08:59:26.346 90 bytes
220 mail.checktls.com ESMTP Sendmail 8.15.2/8.15.2; Mon, 12 Sep 2022 08:59:26 -0400
--->S--->(1) @2022-09-12_08:59:27.346 27 bytes
EHLO www.checktls.com
<---S<---(1) @2022-09-12_08:59:28.347 198 bytes
250-mail.checktls.com Hello sniffinet.checktls.com [165.227.190.238], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-STARTTLS
250-DELIVERBY
250 HELP
--->S--->(1) @2022-09-12_08:59:29.347 10 bytes
STARTTLS
<---S<---(1) @2022-09-12_08:59:30.348 30 bytes
220 2.0.0 Ready to start TLS
--->S--->(1) @2022-09-12_08:59:31.349 517 bytes
00000000  16 03 01 02 00 01 00 01 - FC 03 03 B7 3D DC 10 F5  ............=...
........  lines deleted  ........
000001F0  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
00000200  00 00 00 00 00                                     .....

<---S<---(1) @2022-09-12_08:59:32.350 6172 bytes
00000000  16 03 03 00 7A 02 00 00 - 76 03 03 4F 50 BC 39 4B  ....z...v..OP.9K
........  lines deleted  ........
00001800  46 85 40 E2 2B 42 67 54 - 48 0F 69 73 23 05 B6 74  F.@.+BgTH.is#..t
00001810  F8 A3 3F 2D 53 AE 47 64 - 61 0F 35 34              ..?-S.Gda.54

........  lines deleted  ........

STARTTLS Email Decrypted

This same SMTP session with the SSL Switch set for STARTTLS will decrypt the data:

Cloud Packet Sniffer parameter entry
CLIENT:
10.10.10.10
SERVER:
mail.checktls.com
SERVER PORT:
SMTP
CLIENT SSL?
 
SERVER SSL?
 
SUPPRESS LOG?
 
SHOW SSL?
 
HTML Fixup?
 
Cert Fixup?
 
SSL Intercept?
 
SSL Switch:
Ready to start TLS[\r\n]+

Decrypts the SMTP session:

<---S<---(1) @2022-09-12_11:05:19.926 90 bytes
220 mail.checktls.com ESMTP Sendmail 8.15.2/8.15.2; Mon, 12 Sep 2022 11:05:19 -0400
--->S--->(1) @2022-09-12_11:05:20.927 27 bytes
EHLO www.checktls.com
<---S<---(1) @2022-09-12_11:05:21.928 198 bytes
250-mail.checktls.com Hello sniffinet.checktls.com [165.227.190.238], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-STARTTLS
250-DELIVERBY
250 HELP
--->S--->(1) @2022-09-12_11:05:22.928 10 bytes
STARTTLS
<---S<---(1) @2022-09-12_11:05:23.929 30 bytes
220 2.0.0 Ready to start TLS
~~~~~~~~~~(1) @2022-09-12_11:05:23.929 Server switched to SSL
~~~~~~~~~~(1) @2022-09-12_11:05:23.929 Client switched to SSL
~~~>S~~~>(1) @2022-09-12_11:05:24.958 27 bytes
EHLO www.checktls.com
<~~~S<~~~(1) @2022-09-12_11:05:25.000 184 bytes
250-mail1.checktls.com Hello sniffinet.checktls.com [165.227.190.238], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DELIVERBY
250 HELP
~~~>S~~~>(1) @2022-09-12_11:05:26.001 31 bytes
MAIL FROM:<test@checktls.com>
<~~~S<~~~(1) @2022-09-12_11:05:27.001 44 bytes
250 2.1.0 <test@checktls.com>... Sender ok
~~~>S~~~>(1) @2022-09-12_11:05:28.002 29 bytes
RCPT TO:<test@checktls.com>
<~~~S<~~~(1) @2022-09-12_11:05:29.003 47 bytes
250 2.1.5 <test@checktls.com>... Recipient ok
~~~>S~~~>(1) @2022-09-12_11:05:30.003 6 bytes
DATA
<~~~S<~~~(1) @2022-09-12_11:05:31.004 50 bytes
354 Enter mail, end with "." on a line by itself
~~~>S~~~>(1) @2022-09-12_11:05:32.005 284 bytes
Date: Mon, 12 Sep 2022 11:05:19 -0400
To: test@checktls.com
From: test@checktls.com
Subject: test Mon, 12 Sep 2022 11:05:19 -0400
Message-Id: <20220912110519.1429233@www.checktls.com>
X-Mailer: swaks v20181104.0 jetmore.org/john/code/swaks/

This is a test mailing


.
<~~~S<~~~(1) @2022-09-12_11:05:33.005 57 bytes
250 2.0.0 28CF5Jnd3807723 Message accepted for delivery
~~~>S~~~>(1) @2022-09-12_11:05:34.006 6 bytes
QUIT
<~~~S<~~~(1) @2022-09-12_11:05:35.007 53 bytes
221 2.0.0 mail.checktls.com closing connection

HTML Fixup

Coming Soon

Case Studies

POP Mail (plain text, encrypted, half-encrypted, and port translated)
Plain

The SniffInet Connector to capture a phone accessing a mailbox using the POP protocol:

Cloud Packet Sniffer parameter entry
CLIENT:
10.10.10.10
SERVER:
pop.checktls.com
SERVER PORT:
POP3
CLIENT SSL?
 
SERVER SSL?
 
SUPPRESS LOG?
 
SHOW SSL?
 
HTML Fixup?
 
Cert Fixup?
 
SSL Intercept?
 
SSL Switch:

Tell the phone to connect to sniffinet.checktls.com port 4023 instead of mail.checktls.com port POP3. The capture looks like:

<---S<---(1) @2022-09-13_13:34:32.691 20 bytes
+OK Dovecot ready.
--->S--->(1) @2022-09-13_13:34:36.881 6 bytes
quit
<---S<---(1) @2022-09-13_13:34:37.882 17 bytes
+OK Logging out

Encrypted

The SniffInet Connector to capture a phone accessing a mailbox using secure (encrypted) POP protocol:

Cloud Packet Sniffer parameter entry
CLIENT:
10.10.10.10
SERVER:
pop.checktls.com
SERVER PORT:
POP3S
CLIENT SSL?
SERVER SSL?
SUPPRESS LOG?
 
SHOW SSL?
 
HTML Fixup?
 
Cert Fixup?
 
SSL Intercept?
 
SSL Switch:

Tell the phone to connect to sniffinet.checktls.com port 4023 instead of mail.checktls.com port POP3S. The capture looks like:

<~~~S<~~~(1) @2022-09-13_16:31:43.819 20 bytes
+OK Dovecot ready.
~~~>S~~~>(1) @2022-09-13_16:31:47.473 6 bytes
quit
<~~~S<~~~(1) @2022-09-13_16:31:48.474 17 bytes
+OK Logging out

Half Encrypted (plain client, ssl server)

The SniffInet Connector to capture a phone accessing a mailbox where the phone cannot do TLS but the server does:

Cloud Packet Sniffer parameter entry
CLIENT:
10.10.10.10
SERVER:
pop.checktls.com
SERVER PORT:
POP3S
CLIENT SSL?
SERVER SSL?
 
SUPPRESS LOG?
 
SHOW SSL?
 
HTML Fixup?
 
Cert Fixup?
 
SSL Intercept?
 
SSL Switch:

Tell the phone to connect to sniffinet.checktls.com port 4023 instead of mail.checktls.com port POP3S. The capture looks like:

<---S<~~~(3) @2022-09-14_14:42:21.811 20 bytes
+OK Dovecot ready.
--->S~~~>(3) @2022-09-14_14:42:24.039 6 bytes
quit
<---S<~~~(3) @2022-09-14_14:42:25.039 17 bytes
+OK Logging out
Note that only the right (server) side is squiggly (encrypted).

Half Encrypted (ssl client, plain server)

The SniffInet Connector to capture a phone that requires TLS accessing a mailbox that does not have TLS:

Cloud Packet Sniffer parameter entry
CLIENT:
10.10.10.10
SERVER:
pop.checktls.com
SERVER PORT:
POP3
CLIENT SSL?
 
SERVER SSL?
SUPPRESS LOG?
 
SHOW SSL?
 
HTML Fixup?
 
Cert Fixup?
 
SSL Intercept?
 
SSL Switch:

Tell the phone to connect to sniffinet.checktls.com port 4023 instead of mail.checktls.com port POP3. The capture looks like:

<~~~S<---(1) @2022-09-14_15:05:14.273 20 bytes
+OK Dovecot ready.
~~~>S--->(1) @2022-09-14_15:05:16.823 5 bytes
quit
<~~~S<---(1) @2022-09-14_15:05:17.824 17 bytes
+OK Logging out
Note that only the left (client) side is squiggly (encrypted).

Port Translated

The SniffInet Connector to capture a Client that requires POP to a Server that requires SPOP:

Cloud Packet Sniffer parameter entry
CLIENT:
10.10.10.10
SERVER:
pop.checktls.com
SERVER PORT:
POP3S
CLIENT SSL?
 
SERVER SSL?
SUPPRESS LOG?
 
SHOW SSL?
 
HTML Fixup?
 
Cert Fixup?
 
SSL Intercept?
 
SSL Switch:

Tell the phone to connect to custom-sniffinet.checktls.com port POPS (110). The capture looks like:

<---S<~~~(1) @2022-09-14_15:05:14.273 20 bytes
+OK Dovecot ready.
--->S~~~>(1) @2022-09-14_15:05:16.823 5 bytes
quit
<---S<~~~(1) @2022-09-14_15:05:17.824 17 bytes
+OK Logging out