Wireshark experts help pls?


#1

Hello

Pulling my hair out, but so far can’t find an answer to a simple question.
I am using 9.9.9.9 SSL/TLS as DNS (port 853) on my pfSense router.

How can I capture traffic going there with Wireshark?


#2

Inside pfSense go to “Diagnostics -> Packet Capture” and you can create a pcap file that can be read in Wireshark.


#3

@LTS_Tom
I was trying to do it directly in Wireshark, so I can see in real-time.
Is it possible?

For some reason I see ‘ens3’ and ‘Loopback’ interfaces but no ‘Local Network’.

Maybe that’s a reason?


#4

Yes, but it requires more than just turning it on. They have documentation on how to set that up on their site. Your configuration will be based on how your network is set up.
https://wiki.wireshark.org/CaptureSetup/Ethernet


#5

I see, makes sense.

But if I use Packet Capture from my router it will not require additional network settings?


#6

If the data you are after is passing through the router, then it is an easy way to get the data.


#7

I want to test that DNS over SSL/TLS to 9.9.9.9 on port 853 looks encrypted.

I did as you suggested, and if I see no name that means it’s encrypted, right?

As here: https://snag.gy/8XcVdT.jpg


#8

I was able to test and saw no plain strings in SSL/TLS enabled DNS queries vs plain strings when SSL/TLS was disabled.

It’s simple when you know what to expect and how to do it.

Thx @LTS_Tom for the tip!
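
The check described in posts #7 and #8, as an added example that is not part of the original thread: this Python script reads a capture file saved from the router and reports, for ports 53 and 853, whether each payload starts with a TLS record header or exposes a readable DNS query name. It assumes a classic little-endian pcap with Ethernet framing and IPv4; the function names and the sample capture are constructed for illustration.

```python
import struct

def payloads(pcap):
    """Yield (proto, sport, dport, data) per IPv4 TCP/UDP packet in a classic Ethernet pcap."""
    if pcap[:4] != b"\xd4\xc3\xb2\xa1" or pcap[20:24] != b"\x01\x00\x00\x00":
        raise ValueError("expected little-endian classic pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<I", pcap, off + 8)[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if (frame[12:14] != b"\x08\x00" or len(frame) < 34 or frame[23] not in (6, 17)
                or len(frame) < (l4 := 14 + (frame[14] & 0x0F) * 4) + 20):
            continue  # not IPv4 TCP/UDP, or too short for a TCP header / DNS message
        sport, dport = struct.unpack_from("!HH", frame, l4)
        hdr = (frame[l4 + 12] >> 4) * 4 if frame[23] == 6 else 8
        yield frame[23], sport, dport, frame[l4 + hdr:14 + struct.unpack_from("!H", frame, 16)[0]]

def qname(msg):
    """Return the first question name of a DNS message, or None if none is readable."""
    labels, i = [], 12  # the question section starts after the 12-byte DNS header
    while i < len(msg) and 0 < msg[i] < 64:
        labels.append(msg[i + 1:i + 1 + msg[i]])
        i += 1 + msg[i]
    ok = labels and msg[i:i + 1] == b"\0" and all(33 <= c < 127 for c in b"".join(labels))
    return b".".join(labels).decode() if ok else None

def classify(data, tcp):
    """'tls' for a TLS record header, 'plaintext:<name>' for readable DNS, else 'opaque'."""
    if tcp and len(data) >= 5 and 20 <= data[0] <= 23 and data[1] == 3 and data[2] <= 4:
        return "tls"  # content type 20-23 followed by protocol version 3.x
    name = qname(data[2:] if tcp else data)  # DNS over TCP carries a 2-byte length prefix
    return "plaintext:" + name if name else "opaque"

def audit(pcap):
    """Map port 53/853 to the set of verdicts seen for non-empty payloads on that port."""
    seen = {}
    for proto, sport, dport, data in payloads(pcap):
        for port in ({sport, dport} & {53, 853} if data else ()):
            seen.setdefault(port, set()).add(classify(data, proto == 6))
    return seen

def sample_pcap():
    """Constructed capture: a plaintext UDP/53 query and one TLS record on TCP/853."""
    def pkt(proto, l4):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, b"\xc0\xa8\x01\x01", b"\x09" * 4)
        return struct.pack("<4I", 0, 0, 34 + len(l4), 34 + len(l4)) + bytes(12) + b"\x08\x00" + ip + l4
    dns = struct.pack("!6H", 1, 0x0100, 1, 0, 0, 0) + b"\x07example\x03com\x00\x00\x01\x00\x01"
    udp = struct.pack("!4H", 40000, 53, 8 + len(dns), 0) + dns
    tcp = struct.pack("!HHIIBBHHH", 40000, 853, 0, 0, 0x50, 0x18, 1024, 0, 0) + b"\x17\x03\x03\x00\x10" + bytes(16)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + pkt(17, udp) + pkt(6, tcp)
```

A TCP segment that continues a TLS record begun in an earlier segment has no header of its own and is reported as `opaque`, so the result to look for on port 853 is `tls` (possibly with `opaque`) and no `plaintext:` entries.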