Thanks to all. I verified through tcpdump and its over ssl <div class="gmail_quote">On Fri, May 25, 2012 at 5:33 AM, Tom Yates <<a href="mailto:madlists@teaparty.net" target="_blank">madlists@teaparty.net</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On Thu, 24 May 2012, Axel wrote: > You can use tcpdump and wireshark to check the tcp and ssl handshake. </div>as axel says, this is the best way to be *sure* it's happening under cover of SSL. in case you want to see it done, here's one happening under SSL: [user@www ~]$ sudo tcpdump -n -n -A port 5666 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes 10:23:11.568787 IP 78.31.111.49.45411 > 193.219.118.100.5666: S 1958463879:1958463879(0) win 14600 <mss 1460,sackOK,timestamp 318187570 0,nop,wscale 5> E..<..@.9.jvN.o1..vd.c."t.........9..w......... ..(2........ 10:23:11.568816 IP 193.219.118.100.5666 > 78.31.111.49.45411: S 4064423968:4064423968(0) ack 1958463880 win 5792 <mss 1460,sackOK,timestamp 3184336621 318187570,nop,wscale 7> E..<..@.@.E,..vdN.o1.".c.B0 t.................. ......(2.... 10:23:11.574693 IP 78.31.111.49.45411 > 193.219.118.100.5666: . ack 1 win 457 <nop,nop,timestamp 318187571 3184336621> E..4..@.9.j}N.o1..vd.c."t....B0!....?Q..... ..(3.... 10:23:11.575019 IP 78.31.111.49.45411 > 193.219.118.100.5666: P 1:78(77) ack 1 win 457 <nop,nop,timestamp 318187571 3184336621> E.....@.9.j/N.o1..vd.c."t....B0!........... ..(3........H...D..O.OH...`+.%.Kp.gOG. 10:23:11.575036 IP 193.219.118.100.5666 > 78.31.111.49.45411: . ack 78 win 46 <nop,nop,timestamp 3184336628 318187571> E..4..@.@..b..vdN.o1.".c.B0!t.......@...... ......(3 10:23:11.576362 IP 193.219.118.100.5666 > 78.31.111.49.45411: P 1:240(239) ack 78 win 46 <nop,nop,timestamp 3184336629 318187571> E..#..@.@..r..vdN.o1.".c.B0!t.......z9..... ......(3....Q...M..O.O.f...F..Xc:..3h~ 10:23:11.581549 IP 78.31.111.49.45411 > 193.219.118.100.5666: . ack 240 win 490 <nop,nop,timestamp 318187572 3184336629> E..4..@.9.j{N.o1..vd.c."t....B1.....=...... ..(4.... as you can see, the ASCII-rendered contents look like gibberish. here's one *not* happening under SSL: [user@www ~]$ sudo tcpdump -n -n -A port 5666 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes 10:27:50.403064 IP 78.31.111.49.45449 > 193.219.118.100.5666: S 2022207245:2022207245(0) win 14600 <mss 1460,sackOK,timestamp 318215453 0,nop,wscale 5> ......9............d..."x.o ............ 10:27:50.403095 IP 193.219.118.100.5666 > 78.31.111.49.45449: S 1624596014:1624596014(0) ack 2022207246 win 5792 <mss 1460,sackOK,timestamp 3184615495 318215453,nop,wscale 7> E..<..@.@.E,..vdN.o1."..`.^.x.o......L......... ..`G........ 10:27:50.408395 IP 78.31.111.49.45449 > 193.219.118.100.5666: . ack 1 win 457 <nop,nop,timestamp 318215454 3184615495> E..4..@.9.R"N.o1..vd..."x.o.`.^/....J...... ......`G 10:27:50.409395 IP 78.31.111.49.45449 > 193.219.118.100.5666: P 1:1037(1036) ack 1 win 457 <nop,nop,timestamp 318215454 3184615495> E..@..@.9.N.N.o1..vd..."x.o.`.^/....:...... ......`G........i7check_mysql......... 10:27:50.410281 IP 193.219.118.100.5666 > 78.31.111.49.45449: . ack 1037 win 62 <nop,nop,timestamp 3184615502 318215454> E..4>b@.@.....vdN.o1."..`.^/x.s....>Hf..... ..`N.... 10:27:50.427262 IP 193.219.118.100.5666 > 78.31.111.49.45449: P 1:1037(1036) ack 1037 win 62 <nop,nop,timestamp 3184615519 318215454> E..@>c@.@.....vdN.o1."..`.^/x.s....>^...... ..`_........d=.d..QUERY OK: 'select * note the name of the check (check_mysql) and the result (QUERY OK...) being passed back in plaintext. -- Tom Yates - <a href="http://www.teaparty.net" target="_blank">http://www.teaparty.net</a> <div class="HOEnZb"><div class="h5"> ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. <a href="http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/" target="_blank">http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/</a> _______________________________________________ Nagios-users mailing list <a href="mailto:Nagios-users@lists.sourceforge.net">Nagios-users@lists.sourceforge.net</a> <a href="https://lists.sourceforge.net/lists/listinfo/nagios-users" target="_blank">https://lists.sourceforge.net/lists/listinfo/nagios-users</a> ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null </div></div></blockquote></div> <div> </div>-- <a href="http://linuxmantra.com">http://linuxmantra.com</a>