> On Jul 19, 2017, at 18:35, Colm MacCárthaigh <c...@allcosts.net> wrote:
>
> That's not what I've seen. Instead, I see administrators creating port
> mirrors on demand and then filtering the traffic they are interested in using
> standard tcpdump rules, and I see MITM boxes that selectively decrypt some
> traffic to look inside it and apply some kind of security filtering. In the
> former case, DNS lookups and IP/port destinations are commonly used to
> trigger some suspicions too.

Correct.

> That's not how the tcpdump/wireshark approach usually works. You give it the
> private key and it decrypts the TLS connection as it's happening.

Correct. Ex-post-facto is insufficient to purpose. Real-time is the focus.

Archiving is rarely done, and is typically just snippets representative of the incident in question.

-----------------------------------
Roland Dobbins <rdobb...@arbor.net>

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls