One of the tools I am using uses encryption/decryption to send out data over the network. I am modifying the tool and I need to be sure that the data is actually being sent in an encrypted form.

Are Wireshark and tcpdump the right tools for the purpose? At which point during the transfer do they capture the network packets?

+2  A: 

Both of those tools capture the data exactly as it goes out over the wire. (Think of it as sort of the equivalent of "tee" for output that's going to screen as well as to file; here too, the same data goes to the socket as well as to tcpdump or whatever.)

So yes, if your tool is configured correctly to encrypt the data before sending it, then tcpdump or Wireshark should reflect that in their packet captures.

Alex
While this is a perfectly good answer for the specific question, these tools actually capture the packet as it's delivered to the network adaptor, not as it goes onto the wire. This means that everything the network adaptor does (which used to be just MAC FCS, but is now usually IP/UDP/TCP checksums as well) does not get captured properly.
Will Dean
@Will Dean: Do adapters really modify IP and higher level checksums? That's a surprise to me, do you have a reference?
GregS
@GregS - An Intel datasheet for a modern Ethernet controller chip would give you all the gore, but if it's just a matter of not believing me, then http://www.wireshark.org/faq.html#q11.1 should set your mind at ease...
Will Dean
@GregS - Here you go: http://download.intel.com/design/network/datashts/82541er.pdf - that's a part which can do TCP segmentation too, so the relationship between the bottom of the software stack and the wire will be even more tenuous
Will Dean
@Will Dean: Thanks for those links. Looks like ethernet adapters are getting to look more like network processors; pretty cool.
GregS
+1  A: 

Yes, those are the right tools. Wireshark will identify TLS and SSL packets, if that's what you are using for encryption. You can provide Wireshark with the server's private key and decrypt the traffic if necessary (except for ephemeral modes like DHE and ECDHE).

erickson
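A way to check a capture for the plaintext failure mode both answers address, as an added example that is not part of either answer: it parses raw Ethernet/IPv4/TCP frames (the form tcpdump and Wireshark hand you), then labels each payload as a TLS record, readable plaintext, opaque high-entropy data, or unknown. The frames and the `fake_ciphertext` stand-in are constructed sample input; to use it on real traffic, feed it frames read from a capture.

```python
import hashlib
import math
import struct
from collections import Counter

def tcp_payload(frame: bytes) -> bytes:
    """TCP payload of a raw Ethernet/IPv4/TCP frame, b'' if the frame is not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return b""                                         # EtherType 0x0800, IP proto 6
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    return tcp[(tcp[12] >> 4) * 4:]   # skip header by data offset; checksums ignored (NIC offload)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, text and structured data well below."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(payload: bytes) -> str:
    """Label a non-empty payload: TLS record, readable plaintext, opaque high-entropy data, or unknown."""
    # TLS record header: content type 0x14..0x17, version 0x03 0x00..0x04 (SSL3 .. TLS1.3 legacy)
    if len(payload) >= 5 and 0x14 <= payload[0] <= 0x17 and payload[1] == 3 and payload[2] <= 4:
        return "tls-record"
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload) / len(payload)
    if printable > 0.9:
        return "plaintext"                                 # the failure mode being audited for
    return "high-entropy" if shannon_entropy(payload) > 7.0 else "unknown"

def audit_frames(frames: list) -> list:
    """Classify the payload of every frame that carries TCP data (bare ACKs are skipped)."""
    return [classify(p) for p in map(tcp_payload, frames) if p]

# Constructed sample frames standing in for a capture: zero MACs, 10.0.0.1 -> 10.0.0.2:443.
def build_frame(payload: bytes) -> bytes:
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def fake_ciphertext(n: int) -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 counter stream, not real encryption)."""
    return b"".join(hashlib.sha256(b"constructed %d" % i).digest() for i in range(-(-n // 32)))[:n]

SAMPLE_FRAMES = [
    build_frame(b"GET /report HTTP/1.1\r\nHost: example.test\r\nCookie: session=abc123\r\n\r\n"),
    build_frame(b"\x17\x03\x03" + struct.pack("!H", 256) + fake_ciphertext(256)),
    build_frame(fake_ciphertext(2048)),                    # the tool's own (non-TLS) encryption
    build_frame(b""),                                      # bare ACK, no payload
]
```

Any "plaintext" label on a connection that should be encrypted is the result to act on; "unknown" on short segments is normal, since entropy estimates need a few hundred bytes to be meaningful.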