Cloud Packet Sniffer (Internet Packet Sniffer)

Context sensitive help is available on every screen of Internet/sniffer so this document describes how it works and how to use it.

Packet sniffers let you see data flowing on a network connection. They are used in debugging to see the actual communications between systems, which can provide more information than error messages or log entries. They typically target a specific connection: one client connecting to one service, for example a phone accessing a bus tracker.

WatchConnect is an Internet packet sniffer. While there is no way to sniff, or view, arbitrary Internet traffic, our WatchConnect service can show you specific Internet traffic if you let it.

Setup

To watch a specific client/server Internet connection, you insert WatchConnect between the client and the server. The client talks to WatchConnect, which talks to the server, and vice versa. The same communication happens between the client and the server as without WatchConnect in the middle, but with it in the middle it can show you the traffic in almost real-time.

Using WatchConnect is a two step process. You create a WatchConnect "Connector" that tells WatchConnect how to get in the middle of a client/server connection, and then you point your client at the new Connector. When WatchConnect gets a connect from the client, it answers and connects to the server.

A Connector needs three things:

Client IP
The Connector will listen for a client to "come calling" from this IP address
Server IP
Once the Connector gets a "call" from a client, it will in turn call (connect to) a server at this IP address. See the next paragraph about "point" for where to find this in the client.
Server Port
The port the Connector should use when connecting to the server

To "point" your client at the Connector, find the setting in the client that says what server name or IP address to connect to. This is the IP address and port you should enter into the Connector Server settings above. Temporarily change your client to connect to watchconnect.checktls.com on port 1025 instead.

The next time you tell the client to connect to the server, WatchConnnect should be in the middle and let you see all the traffic.

Usage

Installed in the middle of your client/server connection, WatchConnect passes all the traffic between the client and the server, so both of them function just as they would if it wasn't there. But with WatchConnect in the middle you can see everything that goes on between the two sides.

After you create a Connector you can leave it running. You do not have to stay on the web page. WatchConnector runs continuously on our servers and saves all the traffic.

At any time while the Connector is still running you can come back to it by entering the exact same Client IP, Server IP, and Server Port. Whether you stay on the page or come back, you have four options:

Show Log
Displays the data that the Connector has captured since it was created or last erased.
Erase Log
Erase all the captured data. This does not delete the Connector, it just clears it so it's ready for new data.
Delete Connector
This removes the Connector from our system, removing the logged data and preventing a client from connecting to it anymore.
New Connector
Lets you leave this Connector running and start a new one.

We recommend using test data rather than sensitive data that you want to keep secret. We have NO RESPONSIBILITY to protect the data that WatchConnect captures. If you use real data, you should remove it as soon as possible. Better safe than sorry.

WatchConnect works on binary data as well as text. This means it works with encrypted client/server communications too. It (obviously!) cannot show the unencrypted data, but it does show what comes before and after encryption as well as the raw encrypted bytes.

Text data that WatchConnect captures looks like:

GET /beta/embed_request.html HTTP/1.1
Host: www.checktls.com:1025
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

HTTP/1.1 200 OK
Date: Sat, 11 Mar 2017 13:14:17 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_perl/2.0.9dev Perl/v5.16.3
Vary: Cookie
Last-Modified: Fri, 10 Mar 2017 16:53:38 GMT
Accept-Ranges: bytes
Cache-Control: max-age=0
Expires: Sat, 11 Mar 2017 13:14:17 GMT
Content-Length: 583
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<head></head>
<body>

<form method="post" action="https://www.checktls.com/perl/beta/Embed.pl">
  <input name="RETURN_URL" type="hidden" value="http://www.checktls.com/beta/embed_response.html" />
  <input name="CHECKTLS_URL" type="hidden" value="http://www.checktls.com/perl/beta/TestReceiver.pl" />
  <input name="XF" type="hidden" value="eMailAddress:ConfidenceFactor" />
  <input name="a_EMAIL" type="text" value="test@checktls.com" />
  <input name="a_LEVEL" type="hidden" value="-2" />
  <button name="ACTION" type="submit" value="xCheckTLS">CheckTLS</button>
</form>

</body>

Binary data that WatchConnect captures looks like:

0000000: 4745 5420 2f62 6574 612f 6661 7669 636f  GET /beta/favico
0000010: 6e2e 6963 6f20 4854 5450 2f31 2e31 0d0a  n.ico HTTP/1.1..
0000020: 486f 7374 3a20 7777 772e 6368 6563 6b74  Host: www.checkt
0000030: 6c73 2e63 6f6d 3a31 3032 350d 0a43 6f6e  ls.com:1025..Con
0000040: 6e65 6374 696f 6e3a 206b 6565 702d 616c  nection: keep-al
0000050: 6976 650d 0a55 7067 7261 6465 2d49 6e73  ive..Upgrade-Ins
0000060: 6563 7572 652d 5265 7175 6573 7473 3a20  ecure-Requests: 
0000070: 310d 0a55 7365 722d 4167 656e 743a 204d  1..User-Agent: M
0000080: 6f7a 696c 6c61 2f35 2e30 2028 5769 6e64  ozilla/5.0 (Wind
0000090: 6f77 7320 4e54 2036 2e31 3b20 574f 5736  ows NT 6.1; WOW6
00000a0: 3429 2041 7070 6c65 5765 624b 6974 2f35  4) AppleWebKit/5
00000b0: 3337 2e33 3620 284b 4854 4d4c 2c20 6c69  37.36 (KHTML, li
00000c0: 6b65 2047 6563 6b6f 2920 4368 726f 6d65  ke Gecko) Chrome
00000d0: 2f35 362e 302e 3239 3234 2e38 3720 5361  /56.0.2924.87 Sa
00000e0: 6661 7269 2f35 3337 2e33 360d 0a41 6363  fari/537.36..Acc
00000f0: 6570 743a 2074 6578 742f 6874 6d6c 2c61  ept: text/html,a
0000100: 7070 6c69 6361 7469 6f6e 2f78 6874 6d6c  pplication/xhtml

Case Studies

Use WatchConnect to log an entire web session.

Use http://watchconnect.checktls.com:1025/[webpath], where [webpath] is the URL without the 'http://[hostname]/' part.

Let's say you want to log your interaction with Reddit's News sub-reddit. Setup a Connector with:
Client IP: [your pc's ip address]
Server IP: www.answers.com
Server Port: 80

Point your browser to http://watchconnect.checktls.com:1025/r/news
Browse away. When you finish, go back to your Connector and show the log.